From hvn at open.com.au Tue Oct 1 17:04:43 2024
From: hvn at open.com.au (Heikki Vatiainen)
Date: Tue, 1 Oct 2024 20:04:43 +0300
Subject: [RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade
In-Reply-To:
References: <0d6f24bc-d93d-4cfa-b3ef-239f95ea7d69@open.com.au> <8a4a89be-a7eb-4cba-85db-25b06722780c@open.com.au>
Message-ID: <6449a2ef-ddb6-45f4-a3ac-005979b88318@open.com.au>

On 23.9.2024 0.29, Jethro Binks via radiator wrote:
> I managed to run Radiator-4.17 on the new host for the backend EAP auth part and there is no difference in behaviour.
>
> I also upgraded the samba pkg to 4.19.8 in the hope that that fixed something in ntlm_auth but no change there either.
>
> I went back to my original tests.
>
> mschap-test -c succeeds
>
> Eapol_test using a non-realm identity="username" succeeds
>
> Eapol_test using realm identity="username at strath.ac.uk" fails NT_STATUS_WRONG_PASSWORD

I experimented with Ubuntu 24.04 (had it readily available), which comes with Samba 4.19.5. I did a fresh installation of the Samba utils with winbind as the only daemon (no smbd or nmbd).

Edits to /etc/samba/smb.conf were minimal:

- Set the 'realm' value to what Windows Server Manager shows as the domain. That is, using the format 'dev.example.com' and not the short workgroup name 'DEV'.
- Set the 'workgroup' value to DEV.
- Set 'server role' to 'member server'.

Then run 'sudo net ads join -S servername -U administrator' and restart winbind.

Testing with AuthBy NTLM directly, EAP-MSCHAP-V2, MSCHAP, MSCHAPv2 and PAP work with both the short 'username' and the long 'username at dev.example.com' format. A test with PEAP/EAP-MSCHAP-V2 also works similarly.

Tests were done with goodies/ntlm.cfg and goodies/ntlm_eap_peap.cfg with only one change: enabling the '--allow-mschapv2' ntlm_auth parameter.

After testing authentication, I did things such as:

- sudo net cache list
- sudo net cache samlogon list
- sudo net cache flush
- sudo net cache samlogon delete SID

I was unable to make it behave differently with the 'username' and 'username at dev.example.com' formats. It just worked. Radiator is 4.29.

Looking at the smb.conf documentation, 'ntlm auth = ...' looks promising, but it only talks about smbd. Setting it to different correct values changed nothing. Changing it to 'foobar' didn't allow winbind to start, which indicates the parameter is read.

--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

From Stefan.Paetow at jisc.ac.uk Thu Oct 17 15:23:16 2024
From: Stefan.Paetow at jisc.ac.uk (Stefan Paetow)
Date: Thu, 17 Oct 2024 15:23:16 +0000
Subject: [RADIATOR] Turning off Gossip INFO messages
Message-ID: <96A3644E-61C9-40D8-9F34-8292099A48BF@jisc.ac.uk>

Hi,

We've switched Gossip on to try and reduce the number of events that cause us to stop sending traffic to the RADIUS hosts of our members. Now we see our Radiator log littered with these messages (one per Farm instance, so in a 64-instance farm, 63 times):

00000000 Thu Oct 17 15:15:46 2024 648885: INFO: AuthRADIUS : Gossip tells that Host [redacted IP address]:1812 is responding again to [radiator host].33'
00000000 Thu Oct 17 15:16:34 2024 101268: INFO: AuthRADIUS : Gossipping that Host [redacted IPv6 address] port 1812 was marked down
00000000 Thu Oct 17 15:16:34 2024 102948: INFO: AuthRADIUS : Host [redacted IPv6 address] now has 1 consecutive failures over MaxFailedGraceTime seconds. Backing off for 180 seconds

Can this be turned off, or at least be turned into just a single line like this:

00000000 Thu Oct 17 15:15:46 2024 648885: INFO: AuthRADIUS : Gossip tells that Host [redacted IP address]:1812 is responding again to [radiator host].[instance id]'
00000000 Thu Oct 17 15:16:34 2024 101268: INFO: AuthRADIUS : Gossipping that Host [redacted IPv6 address] port 1812 was marked down

Or am I missing something?

With kind regards

Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc
email/teams: stefan.paetow at jisc.ac.uk
gpg: 0x3FCE5142

For eduroam support, please contact the eduroam team via help at jisc.ac.uk and mark it for eduroam's attention.

On Mondays and Fridays, I am not available between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.
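The member-server setup and the short-versus-realm identity check that Heikki describes in the first message of this thread, written out as an added example. This is not code from the thread, from Radiator or from Samba; the workgroup DEV, realm dev.example.com, domain controller 'servername', account 'username' and the password are hypothetical values taken from or modelled on his post, and passing the realm form to ntlm_auth without --domain (leaving the UPN to winbind) is an assumption. The script only invokes ntlm_auth when it is installed and a joined winbind is running; otherwise it reports SKIP.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reproduces the three
# smb.conf settings from the thread, the domain join, and a side-by-side
# ntlm_auth check of 'username' against 'username@realm'. Hypothetical
# values: workgroup DEV, realm dev.example.com, DC 'servername'.

WORKGROUP="${WORKGROUP:-DEV}"
REALM="${REALM:-dev.example.com}"
DC="${DC:-servername}"

# Minimal member-server smb.conf as described in the thread: realm in DNS
# form, short workgroup name, and 'server role = member server'.
render_smb_conf() {
    printf '[global]\n'
    printf '    workgroup = %s\n' "$1"
    printf '    realm = %s\n' "$2"
    printf '    server role = member server\n'
}

# Join the domain and restart winbind (the only Samba daemon in use).
join_domain() {
    sudo net ads join -S "$DC" -U administrator
    sudo systemctl restart winbind
}

# Split an identity into "user realm"; prints "user -" when no realm.
split_identity() {
    case "$1" in
        *@*) printf '%s %s\n' "${1%%@*}" "${1#*@}" ;;
        *)   printf '%s -\n' "$1" ;;
    esac
}

# Check one identity with ntlm_auth. $3 is the NT domain for the short
# form; leave it empty for the UPN form so winbind resolves the realm
# (assumption). Returns 0 on NT_STATUS_OK, 1 on failure, 2 when skipped.
check_identity() {
    identity="$1"; password="$2"; domain="$3"
    if ! command -v ntlm_auth >/dev/null 2>&1; then
        echo "SKIP $identity (ntlm_auth not installed)"
        return 2
    fi
    if [ -n "$domain" ]; then
        set -- --username="$identity" --password="$password" --domain="$domain"
    else
        set -- --username="$identity" --password="$password"
    fi
    if ntlm_auth "$@" >/dev/null 2>&1; then
        echo "OK   $identity"
    else
        echo "FAIL $identity"   # e.g. NT_STATUS_WRONG_PASSWORD as in the report
        return 1
    fi
}

# Run both forms for the same account; a result that differs between the
# two lines is exactly the symptom reported in the thread. Radiator's own
# ntlm_auth invocation additionally needs '--allow-mschapv2' for EAP inner
# MS-CHAPv2, which this plain password check does not exercise.
compare_forms() {
    user="$1"; password="$2"
    check_identity "$user" "$password" "$WORKGROUP"
    check_identity "$user@$REALM" "$password" ""
}

# Usage: sh check_ntlm.sh username 'the-password'
if [ "$#" -ge 2 ]; then
    compare_forms "$1" "$2"
fi
```

Write the rendered smb.conf to /etc/samba/smb.conf with render_smb_conf "$WORKGROUP" "$REALM", run join_domain, then run the script with the test account; if the short form passes and the realm form fails, the difference is on the winbind side rather than in Radiator, which is what the ntlm_auth and eapol_test pair in the original report isolates.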