[RADIATOR] Troubles trying to proxy NTLM
Jethro R Binks
jethro.binks at strath.ac.uk
Wed Oct 29 12:05:23 CDT 2014
Hi,
I have been following David Zych's recent work with interest:
https://www.mail-archive.com/radiator@open.com.au/msg18963.html
and wanted to implement something similar here, but I've hit a stumbling
block that I cannot get past. Maybe it will be blindingly obvious to someone
else ...
Essentially, I currently have a monolithic Radiator process that I want
to split out and proxy to more backend authentication processes. To that
end, I configured up a backend Radiator process with the NTLM bits, and in
the front-end added some clauses to proxy certain queries (those with my
username).
I'm testing with eapol_test, and against the real monolithic Radiator
servers it is fine. The inner authentication bits look like this:
<AuthBy GROUP>
# There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
Identifier ITSAuthEAPInner
AuthBy ITSAuthEAPInnerNTLM
</AuthBy>
<AuthBy NTLM>
Identifier ITSAuthEAPInnerNTLM
NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
DefaultDomain DS.STRATH.AC.UK
EAPType MSCHAP-V2
UsernameMatchesWithoutRealm
</AuthBy>
However, if I change it (on the same host) to look like this in the front-end, modelled
after David's examples:
<AuthBy GROUP>
# There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
Identifier ITSAuthEAPInnerJRB
AuthBy BackendProxy
</AuthBy>
<AuthBy ROUNDROBIN>
Identifier BackendProxy
Include %D/secret.backend.conf
RetryTimeout 3
Retries 0
MaxTargetHosts 2
FailureBackoffTime 1
StripFromRequest X-Proxy-Timestamp,X-Proxy-Timeout
AddToRequest X-Proxy-Timestamp=%t,X-Proxy-Timeout=3
ReplyTimeoutHook file:"%D/hooks/replytimeout"
<Host 127.0.0.1>
AuthPort %{GlobalVar:Backendworker1Port}
</Host>
IgnoreAccounting
</AuthBy>
and then in the backend:
<Handler Client-Identifier=frontend>
Identifier frontend
AuthBy ITSAuthEAPInnerNTLMbackend
</Handler>
<AuthBy NTLM>
Identifier ITSAuthEAPInnerNTLMbackend
NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
DefaultDomain DS.STRATH.AC.UK
EAPType MSCHAP-V2
UsernameMatchesWithoutRealm
</AuthBy>
I always get a password failure from ntlm_auth when going through Radiator.
I can run ntlm_auth OK at the command line and do plain authentication on the same host:
ntlm_auth --username=ras99101
password:
NT_STATUS_OK: Success (0x0)
I can also run David's script in
http://www.open.com.au/pipermail/radiator/2011-November/017709.html
and get successful ntlm authentication:
./radius-test
Invoking ntlm_auth --helper-protocol=ntlm-server-1 < ntlmtest.query
-- Contents of query file --
Username: ras99101
NT-Domain: DS.STRATH.AC.UK
LANMAN-Challenge: 0000000000000000
NT-Response: d4be0aa521b02f12d066fcdfe2d88c04f9b7bbc19cf05df0
.
-- Output --
Authenticated: Yes
.
-- Done --
Here are debug logs showing the two transactions, interspersed with some
winbindd debugging (I've slightly mangled Challenge/Response/LANMAN output).
This one was OK via the old monolithic route:
Wed Oct 29 16:50:46 2014: DEBUG: Handling request with Handler 'TunnelledByPEAP=1 ', Identifier 'eap-inner-peap'
Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
Wed Oct 29 16:50:46 2014: DEBUG: Deleting session for ras99101, ,
Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthGROUP: ITSAuthEAPInner
Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLM
Wed Oct 29 16:50:46 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
Wed Oct 29 16:50:46 2014: DEBUG: Response type 26
Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM looks for match with ras99101 [ras99101]
Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM ACCEPT: : ras99101 [ras99101]
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute LANMAN-Challenge: bda8fa68138ee574
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Response: 8d04f4250f887d8fb72e1d4c9451f36926f0bb3f2a8178fe
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
[2014/10/29 16:50:46.190790, 3, pid=76290] [80304]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
[2014/10/29 16:50:46.190965, 4, pid=76291] child daemon request 14
[2014/10/29 16:50:46.191041, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
[2014/10/29 16:50:46.198343, 5, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_OK (PAM: 0)
[2014/10/29 16:50:46.198426, 4, pid=76291] Finished processing child request 14
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: Authenticated: Yes
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: LANMAN-Session-Key: B7BF79EA25BFD6F0
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: User-Session-Key: 8B7FEA71FF24E1ECDAA6433999F42FEE
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: .
Wed Oct 29 16:50:46 2014: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthGROUP:ITSAuthEAPInner ITSAuthEAPInnerNTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Wed Oct 29 16:50:46 2014: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Wed Oct 29 16:50:46 2014: DEBUG: Access challenged for ras99101: EAP MSCHAP V2 Challenge: Success
This one was a failure via the backend proxy:
Wed Oct 29 16:51:53 2014: DEBUG: Handling request with Handler 'Client-Identifier=frontend', Identifier 'frontend'
Wed Oct 29 16:51:53 2014: DEBUG: Deleting session for ras99101, 127.0.0.1,
Wed Oct 29 16:51:53 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLMbackend
Wed Oct 29 16:51:53 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
Wed Oct 29 16:51:53 2014: DEBUG: Response type 26
Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM looks for match with [ras99101]
Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM ACCEPT: : [ras99101]
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute LANMAN-Challenge: 499d16055416b67b
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Response: acedbcb10e6427538561caa910fd1299d0f5f9d8e289846e
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
[2014/10/29 16:51:53.895378, 3, pid=76290] [76149]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
[2014/10/29 16:51:53.895832, 4, pid=76291] child daemon request 14
[2014/10/29 16:51:53.895957, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
[2014/10/29 16:51:53.922474, 2, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)
[2014/10/29 16:51:53.922547, 4, pid=76291] Finished processing child request 14
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authenticated: No
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authentication-Error: Wrong Password
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
Wed Oct 29 16:51:53 2014: WARNING: NTLM Could not authenticate user 'ras99101': Wrong Password
Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
Wed Oct 29 16:51:53 2014: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Oct 29 16:51:53 2014: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Oct 29 16:51:53 2014: INFO: Access rejected for ras99101: EAP MSCHAP-V2 Authentication failure
Radiator-4.13 in all instances.
The only thing I can see anomalous is:
Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
Anyone any ideas?
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
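Added example (not code from Jethro's post, from Radiator or from Samba): a small offline model of the ntlm_auth "ntlm-server-1" helper exchange that the debug logs above show AuthBy NTLM driving, with the RFC 2759 ChallengeHash derivation that produces the 8-byte LANMAN-Challenge. It assumes the attribute set and the "Name:: base64" encoding seen in the "Passing attribute" lines, and its function names, the fixed challenge bytes and the all-zero NT-Response are constructed for illustration. The point it demonstrates is that the MS-CHAPv2 challenge handed to the helper is derived from the user name as well as the two 16-byte challenges, so a proxy hop that presents a different user name than the client used will make ntlm_auth report a wrong password even for correct credentials; the run_ntlm_auth helper mirrors the NtlmAuthProg command line in the post and is not exercised offline.

```python
# Added example: a model of the ntlm_auth "ntlm-server-1" helper exchange
# that Radiator's AuthBy NTLM drives, plus the RFC 2759 challenge derivation.
# Not code from the post, from Radiator or from Samba; function names and the
# constructed sample values are this example's own.
import base64
import hashlib
import subprocess

TERMINATOR = "."  # a lone "." ends each request and each reply block


def encode_attr(name, value, as_base64=False):
    """One helper-protocol line. 'Name:: <base64>' carries values that may
    contain characters the plain line form cannot hold; the post's debug
    log shows Radiator sending Username and NT-Domain that way."""
    if as_base64:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def build_request(username, domain, lanman_challenge, nt_response):
    """The request block sent for an EAP-MSCHAP-V2 inner authentication
    (attribute set as in the post's 'Passing attribute' lines)."""
    lines = [
        encode_attr("Request-User-Session-Key", "Yes"),
        encode_attr("Request-LanMan-Session-Key", "Yes"),
        encode_attr("LANMAN-Challenge", lanman_challenge.hex()),
        encode_attr("NT-Response", nt_response.hex()),
        encode_attr("NT-Domain", domain, as_base64=True),
        encode_attr("Username", username, as_base64=True),
        TERMINATOR,
    ]
    return "\n".join(lines) + "\n"


def parse_block(text):
    """Parse one request or reply block into a dict, decoding '::' base64
    values and stopping at the '.' terminator."""
    attrs = {}
    for line in text.splitlines():
        if line == TERMINATOR:
            break
        if not line.strip():
            continue
        name, _, value = line.partition(": ")
        if name.endswith(":"):  # "Name:: <base64>"
            name = name[:-1]
            value = base64.b64decode(value).decode("utf-8")
        attrs[name] = value
    return attrs


def helper_outcome(reply_text):
    """Reduce a helper reply to (accepted, reason). Session keys are only
    present on success, so a caller must key off 'Authenticated' alone."""
    attrs = parse_block(reply_text)
    if attrs.get("Authenticated") == "Yes":
        return True, "OK"
    return False, attrs.get("Authentication-Error", "unknown error")


def mschapv2_challenge(peer_challenge, authenticator_challenge, username):
    """RFC 2759 section 8.2 ChallengeHash: the 8 bytes that become the
    LANMAN-Challenge in the helper request. The user name is an input, so
    the verifier must use byte-for-byte the name the client used."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    data = peer_challenge + authenticator_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def run_ntlm_auth(request_text, prog="/usr/local/bin/ntlm_auth", smb_conf=None):
    """Drive a real ntlm_auth the way the post's NtlmAuthProg line does.
    Not exercised by the offline checks below."""
    cmd = [prog]
    if smb_conf:
        cmd += ["-s", smb_conf]
    cmd.append("--helper-protocol=ntlm-server-1")
    proc = subprocess.run(cmd, input=request_text, capture_output=True,
                          text=True, check=True)
    return helper_outcome(proc.stdout)


# Constructed sample values: fixed challenges (real ones are random per
# authentication) and a placeholder NT-Response.
PEER = bytes(range(16))
AUTHENTICATOR = bytes(range(16, 32))
FAKE_NT_RESPONSE = bytes(24)


def challenge_depends_on_username(name_at_client, name_at_backend):
    """True when a hop that rewrote the user name would hand ntlm_auth a
    different LANMAN-Challenge than the one the client's response used."""
    return (mschapv2_challenge(PEER, AUTHENTICATOR, name_at_client)
            != mschapv2_challenge(PEER, AUTHENTICATOR, name_at_backend))


if __name__ == "__main__":
    chal = mschapv2_challenge(PEER, AUTHENTICATOR, "ras99101")
    print(build_request("ras99101", "DS.STRATH.AC.UK", chal, FAKE_NT_RESPONSE))
    print(helper_outcome("Authenticated: No\nAuthentication-Error: Wrong Password\n.\n"))
    print(challenge_depends_on_username("ras99101", "ras99101@strath.ac.uk"))
```

Feeding parse_block the two "::" lines from the post's debug output decodes them to the expected DS.STRATH.AC.UK and ras99101, which is a quick way to confirm that what reaches the helper is the same name and domain on both the monolithic and the proxied path before looking elsewhere.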