[RADIATOR] Troubles trying to proxy NTLM
Jethro R Binks
jethro.binks at strath.ac.uk
Thu Oct 30 04:39:37 CDT 2014
A little follow-up to this. I found things were not quite as consistent
(or not in the same way) as I thought.
It seems to be that the act of switching between testing the monolithic
and the frontend/backend is what causes problems. I suspect it is an
interaction between the two ntlm_auth processes (one spawned from each
Radiator) and the winbindd socket.
I will try and look into it further later, but if anyone has come across
anything like this or knows more about the ntlm_auth/winbindd interaction
I'd be interested in your comments.
Jethro.
On Wed, 29 Oct 2014, Jethro R Binks wrote:
> Hi,
>
> I have been following David Zych's recent work with interest:
>
> https://www.mail-archive.com/radiator@open.com.au/msg18963.html
>
> and wanted to implement something similar here, but I've hit a stumbling
> block that I cannot get past. Maybe it will be blindingly obvious to someone
> else ...
>
> Essentially, I currently have a monolithic Radiator process that I want
> to split out and proxy to more backend authentications processes. To that
> end, I configured up a backend Radiator process with the NTLM bits, and in
> the front-end added some clauses to proxy certain queries (those with my
> username).
>
> I'm testing with eapol_test, and against the real monolithic Radiator
> servers it is fine. The inner authentication bits look like this:
>
> <AuthBy GROUP>
> # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
> Identifier ITSAuthEAPInner
> AuthBy ITSAuthEAPInnerNTLM
> </AuthBy>
>
> <AuthBy NTLM>
> Identifier ITSAuthEAPInnerNTLM
> NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
> DefaultDomain DS.STRATH.AC.UK
> EAPType MSCHAP-V2
> UsernameMatchesWithoutRealm
> </AuthBy>
>
> However, if I change it (on the same host) to look like this in the front-end, modelled
> after David's examples:
>
> <AuthBy GROUP>
> # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
> Identifier ITSAuthEAPInnerJRB
> AuthBy BackendProxy
> </AuthBy>
>
> <AuthBy ROUNDROBIN>
> Identifier BackendProxy
> Include %D/secret.backend.conf
> RetryTimeout 3
> Retries 0
> MaxTargetHosts 2
> FailureBackoffTime 1
> StripFromRequest X-Proxy-Timestamp,X-Proxy-Timeout
> AddToRequest X-Proxy-Timestamp=%t,X-Proxy-Timeout=3
> ReplyTimeoutHook file:"%D/hooks/replytimeout"
> <Host 127.0.0.1>
> AuthPort %{GlobalVar:Backendworker1Port}
> </Host>
> IgnoreAccounting
> </AuthBy>
>
> and then in the backend:
>
> <Handler Client-Identifier=frontend>
> Identifier frontend
> AuthBy ITSAuthEAPInnerNTLMbackend
> </Handler>
>
> <AuthBy NTLM>
> Identifier ITSAuthEAPInnerNTLMbackend
> NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
> DefaultDomain DS.STRATH.AC.UK
> EAPType MSCHAP-V2
> UsernameMatchesWithoutRealm
> </AuthBy>
>
> I always get a password failure from ntlm_auth when going through Radiator.
>
> I can run ntlm_auth OK at the command line and do plain authentication on the same host:
>
> ntlm_auth --username=ras99101
> password:
> NT_STATUS_OK: Success (0x0)
>
> I can also run David's script in
> http://www.open.com.au/pipermail/radiator/2011-November/017709.html
> and get successful ntlm authentication:
>
> ./radius-test
> Invoking ntlm_auth --helper-protocol=ntlm-server-1 < ntlmtest.query
>
> -- Contents of query file --
> Username: ras99101
> NT-Domain: DS.STRATH.AC.UK
> LANMAN-Challenge: 0000000000000000
> NT-Response: d4be0aa521b02f12d066fcdfe2d88c04f9b7bbc19cf05df0
> .
> -- Output --
> Authenticated: Yes
> .
> -- Done --
>
>
> Here are debug logs showing the two transactions, interspersed with some
> winbindd debugging (I've slightly mangled Challenge/Response/LANMAN output).
>
> This one was OK via the old monolithic route:
>
> Wed Oct 29 16:50:46 2014: DEBUG: Handling request with Handler 'TunnelledByPEAP=1 ', Identifier 'eap-inner-peap'
> Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
> Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
> Wed Oct 29 16:50:46 2014: DEBUG: Deleting session for ras99101, ,
> Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthGROUP: ITSAuthEAPInner
> Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLM
> Wed Oct 29 16:50:46 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
> Wed Oct 29 16:50:46 2014: DEBUG: Response type 26
> Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM looks for match with ras99101 [ras99101]
> Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM ACCEPT: : ras99101 [ras99101]
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute LANMAN-Challenge: bda8fa68138ee574
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Response: 8d04f4250f887d8fb72e1d4c9451f36926f0bb3f2a8178fe
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
> [2014/10/29 16:50:46.190790, 3, pid=76290] [80304]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
> [2014/10/29 16:50:46.190965, 4, pid=76291] child daemon request 14
> [2014/10/29 16:50:46.191041, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
> [2014/10/29 16:50:46.198343, 5, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_OK (PAM: 0)
> [2014/10/29 16:50:46.198426, 4, pid=76291] Finished processing child request 14
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: Authenticated: Yes
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: LANMAN-Session-Key: B7BF79EA25BFD6F0
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: User-Session-Key: 8B7FEA71FF24E1ECDAA6433999F42FEE
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: .
> Wed Oct 29 16:50:46 2014: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthGROUP:ITSAuthEAPInner ITSAuthEAPInnerNTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Wed Oct 29 16:50:46 2014: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Wed Oct 29 16:50:46 2014: DEBUG: Access challenged for ras99101: EAP MSCHAP V2 Challenge: Success
>
>
>
> This one was a failure via the backend proxy:
>
> Wed Oct 29 16:51:53 2014: DEBUG: Handling request with Handler 'Client-Identifier=frontend', Identifier 'frontend'
> Wed Oct 29 16:51:53 2014: DEBUG: Deleting session for ras99101, 127.0.0.1,
> Wed Oct 29 16:51:53 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLMbackend
> Wed Oct 29 16:51:53 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
> Wed Oct 29 16:51:53 2014: DEBUG: Response type 26
> Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM looks for match with [ras99101]
> Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM ACCEPT: : [ras99101]
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute LANMAN-Challenge: 499d16055416b67b
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Response: acedbcb10e6427538561caa910fd1299d0f5f9d8e289846e
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
> [2014/10/29 16:51:53.895378, 3, pid=76290] [76149]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
> [2014/10/29 16:51:53.895832, 4, pid=76291] child daemon request 14
> [2014/10/29 16:51:53.895957, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
> [2014/10/29 16:51:53.922474, 2, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)
> [2014/10/29 16:51:53.922547, 4, pid=76291] Finished processing child request 14
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authenticated: No
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authentication-Error: Wrong Password
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
> Wed Oct 29 16:51:53 2014: WARNING: NTLM Could not authenticate user 'ras99101': Wrong Password
> Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
> Wed Oct 29 16:51:53 2014: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Wed Oct 29 16:51:53 2014: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
> Wed Oct 29 16:51:53 2014: INFO: Access rejected for ras99101: EAP MSCHAP-V2 Authentication failure
>
> Radiator-4.13 in all instances.
>
> The only thing I can see anomalous is:
>
> Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
>
> Anyone any ideas?
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
>
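Added example, not part of Jethro's post and not Radiator's own code: the two pieces of the exchange shown in the debug logs above that are worth reproducing by hand when a proxied MS-CHAPv2 inner auth comes back NT_STATUS_WRONG_PASSWORD. First, the 8-byte value Radiator passes to ntlm_auth as "LANMAN-Challenge" is the RFC 2759 ChallengeHash, SHA1 over peer challenge, authenticator challenge and the user name as the supplicant sent it (no domain); anything that rewrites that user name between the supplicant and the NTLM check invalidates the NT-Response even though the password is right. Second, an encoder/decoder for the ntlm-server-1 helper protocol ("Name:: value" is base64, "Name: value" is literal, "." terminates), so the query and reply lines from the logs can be checked offline or fed to the real helper. The ntlm_auth path and smb.conf location are taken from the post; the challenge bytes in the usage block are constructed.

```python
"""ntlm-server-1 helper protocol + MS-CHAPv2 challenge hash (added example,
not Radiator or Samba code). Runs offline; run_ntlm_auth() needs a real
winbindd and assumes the helper path used in the post."""
import base64
import hashlib
import subprocess
from typing import Dict, Optional

NTLM_AUTH = "/usr/local/bin/ntlm_auth"          # path from the post (assumption)
SMB_CONF = "/usr/local/etc/smb.conf"            # path from the post (assumption)


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(peer || auth || username).
    Only the user name as presented by the peer, without any prepended domain,
    goes into the hash, so a rewrite of the name (realm stripped, case folded)
    between supplicant and ntlm_auth changes this value and the NT-Response
    no longer verifies: winbindd reports WRONG_PASSWORD, not a name mismatch."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def build_query(username: str, domain: str, challenge: bytes, nt_response: bytes,
                request_session_keys: bool = True) -> str:
    """Build one ntlm-server-1 request in the order Radiator's debug log shows."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes, NT-Response 24 bytes")
    lines = []
    if request_session_keys:
        lines += ["Request-User-Session-Key: Yes", "Request-LanMan-Session-Key: Yes"]
    lines += [
        "LANMAN-Challenge: " + challenge.hex(),
        "NT-Response: " + nt_response.hex(),
        "NT-Domain:: " + base64.b64encode(domain.encode("utf-8")).decode("ascii"),
        "Username:: " + base64.b64encode(username.encode("utf-8")).decode("ascii"),
        ".",
    ]
    return "\n".join(lines) + "\n"


def parse_reply(text: str) -> Dict[str, str]:
    """Parse helper output up to the terminating '.', base64-decoding '::' fields."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line == ".":
            break
        if not line:
            continue
        name, sep, value = line.partition(":: ")
        if sep:
            out[name] = base64.b64decode(value).decode("utf-8")
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed helper line: %r" % line)
        out[name] = value
    return out


def decode_b64_field(value: str) -> str:
    """Decode a 'Name:: value' payload as logged by Radiator (e.g. NT-Domain)."""
    return base64.b64decode(value).decode("utf-8")


def run_ntlm_auth(query: str, ntlm_auth: str = NTLM_AUTH,
                  smb_conf: Optional[str] = SMB_CONF) -> Dict[str, str]:
    """Feed a query to the real helper and parse its reply (needs winbindd)."""
    cmd = [ntlm_auth, "--helper-protocol=ntlm-server-1"]
    if smb_conf:
        cmd += ["-s", smb_conf]
    proc = subprocess.run(cmd, input=query, capture_output=True, text=True, check=False)
    return parse_reply(proc.stdout)


if __name__ == "__main__":
    # Constructed sample values; a real NT-Response needs the user's NT hash.
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    chal = mschapv2_challenge_hash(peer, auth, "ras99101")
    fake_response = b"\x00" * 24
    print(build_query("ras99101", "DS.STRATH.AC.UK", chal, fake_response), end="")
```

Usage: decode the "NT-Domain::" and "Username::" values from both debug logs with decode_b64_field() and confirm they are byte-for-byte identical on the working and failing paths; then, with the LANMAN-Challenge and NT-Response hex from a failing transaction, build_query() and run_ntlm_auth() on the backend host reproduce the check outside Radiator, which separates a bad challenge/name pairing from the winbindd socket interaction suspected in the follow-up.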