[RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade

Heikki Vatiainen hvn at open.com.au
Tue Oct 1 17:04:43 UTC 2024


On 23.9.2024 0.29, Jethro Binks via radiator wrote:

> I managed to run Radiator-4.17 on the new host for the backend EAP auth part and there is no difference in behaviour.
> 
> I also upgraded the samba pkg to 4.19.8 in the hope that that fixed something in ntlm_auth but no change there either.
> 
> I went back to my original tests.
> 
> mschap-test -c succeeds
> 
> Eapol_test using a non-realm identity="username" succeeds
> 
> Eapol_test using realm identity="username at strath.ac.uk" fails NT_STATUS_WRONG_PASSWORD

I experimented with Ubuntu 24.04 (had it readily available) which comes 
with Samba 4.19.5. I did a fresh installation of Samba utils with 
winbind the only daemon (no smbd or nmbd).

Edits to /etc/samba/smb.conf were minimal:
- Set 'realm' value to what Windows Server Manager shows as domain. That 
is, using format 'dev.example.com' and not the short workgroup name 'DEV'.
- Set 'workgroup' value to DEV.
- Set 'server role' to 'member server'.

Then I ran 'sudo net ads join -S servername -U administrator' and restarted 
winbind.

Testing with AuthBy NTLM directly, EAP-MSCHAP-V2, MSCHAP, MSCHAPv2 and 
PAP work with both the short 'username' and the long 'username at dev.example.com' 
format. Tests with PEAP/EAP-MSCHAP-V2 also work similarly. Tests were 
done with goodies/ntlm.cfg and goodies/ntlm_eap_peap.cfg with only 
one change: enable the '--allow-mschapv2' ntlm_auth parameter.

After testing authentication, I did things such as
- sudo net cache list
- sudo net cache samlogon list
- sudo net cache flush
- sudo net cache samlogon delete SID

I was unable to make it behave differently with 'username' and 
'username at dev.example.com' formats. It just worked. Radiator is 4.29.

Looking at smb.conf documentation, 'ntlm auth = ...' looks promising, 
but it only talks about smbd. Setting it to different correct values 
changed nothing. Changing it to 'foobar' didn't allow winbind to start, 
which indicates the parameter is read.


-- 
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
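The following shell script is an added example and is not part of the post above, nor of Radiator or Samba. It checks a winbind member-server smb.conf for the three settings the post describes (realm as the DNS domain, workgroup as the short NetBIOS name, server role 'member server') and builds the ntlm_auth test invocation, with the post's '--allow-mschapv2' flag, for one identity string, so the short and realm-qualified forms can be run side by side. The sample smb.conf text is constructed; the function names are this example's own. The ntlm_auth command-line mode used here is a plaintext credential test through winbind, not the challenge/response path Radiator's AuthBy NTLM drives.

```shell
#!/bin/sh
# Added example: sanity-check the smb.conf settings a winbind-only member
# server needs, then produce ntlm_auth test commands for each identity form.

# Constructed sample smb.conf, in the shape the post describes.
SAMPLE_SMB_CONF='[global]
   realm = dev.example.com
   workgroup = DEV
   server role = member server
   security = ads
'

# smb_value <key>: print the value of one key from smb.conf text on stdin.
smb_value() {
    key="$1"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_smb_conf: read smb.conf text from stdin and print one PROBLEM line
# per setting that differs from what the post found to work.
# Returns 0 when all three settings look right, 1 otherwise.
check_smb_conf() {
    conf="$(cat)"
    rc=0
    realm=$(printf '%s\n' "$conf" | smb_value realm)
    workgroup=$(printf '%s\n' "$conf" | smb_value workgroup)
    role=$(printf '%s\n' "$conf" | smb_value 'server role')

    # realm must be the DNS domain name (contains a dot), not the short name.
    case "$realm" in
        *.*) ;;
        *) echo "PROBLEM: realm '$realm' is not the DNS domain (expected e.g. dev.example.com)"; rc=1 ;;
    esac
    # workgroup must be the short NetBIOS name, not the DNS domain.
    case "$workgroup" in
        *.*|'') echo "PROBLEM: workgroup '$workgroup' should be the short NetBIOS name (e.g. DEV)"; rc=1 ;;
    esac
    [ "$role" = "member server" ] || { echo "PROBLEM: server role is '$role', expected 'member server'"; rc=1; }
    return $rc
}

# ntlm_auth_cmd <identity> <password>: print the ntlm_auth test command for
# one identity. The identity is passed unchanged so that 'user' and
# 'user@realm' are exercised exactly as received (assumption: this mirrors
# the two forms the thread compares). The password is visible in the
# process list, so run this only on a test host.
ntlm_auth_cmd() {
    printf 'ntlm_auth --allow-mschapv2 --request-nt-key --username=%s --password=%s\n' "$1" "$2"
}

# Usage when run directly: check the sample config, then print both test
# commands for a constructed user.
if [ "${0##*/}" = "ntlm_check.sh" ]; then
    printf '%s' "$SAMPLE_SMB_CONF" | check_smb_conf && echo "smb.conf settings look right"
    ntlm_auth_cmd 'alice' 'S3cret!'
    ntlm_auth_cmd 'alice@dev.example.com' 'S3cret!'
fi
```

To apply it to a real host, replace the embedded sample with `check_smb_conf < /etc/samba/smb.conf`, and run the two printed ntlm_auth commands after the 'net ads join' and winbind restart; a result that differs between the two identity forms narrows the problem to how the realm-qualified name is resolved, the same comparison the post makes.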
