[RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade

Heikki Vatiainen hvn at open.com.au
Fri Sep 6 15:35:19 UTC 2024 

On 27.8.2024 19.53, Jethro Binks via radiator wrote:

> I re-tested adding --allow-mschapv2 to NtlmAuthProg but it made no 
> difference; I think I've tried that with and without before but wasn't 
> consistent in what I wrote in my email.

Let's ignore this. That is, it's good to have enabled and it's not 
what's causing problems in your case.

> As a cross-check, I also tested the same eapol_test config against a 
> Radiator server that I did not upgrade yet, and that was fine.
> 
> The (inner) username (identity) being supplied is generally of the form 
> username at strath.ac.uk, however the directory is 
> SUBDOMAIN.STRATH.AC.UK so I effectively have:
> 
> <AuthBy NTLM>
>      Identifier      ITSAuthEAPInnerNTLMbackend
>      NtlmAuthProg /usr/local/bin/ntlm_auth --allow-mschapv2 -- 
> configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 -- 
> option="log level=0"
>      DefaultDomain SUBDOMAIN.STRATH.AC.UK
>      EAPType MSCHAP-V2
>      UsernameMatchesWithoutRealm
> </AuthBy>
> 
> The intention being that UsernameMatchesWithoutRealm strips 
> @strath.ac.uk supplied in the identity, and I think DefaultDomain was 
> there to add the AD domain in.  This seems to work for clients that 
> supply a realm-less inner identity (including if I change my eapol_test 
> config to a realmless identity="username") , but I suspect DefaultDomain 
> is actually redundant here, since Samba knows what the domain is anyway.

That's correct. The @realm part is removed and since there's no DOMAIN\ 
in the username, DefaultDomain is pushed to ntlm_auth.

In case you'd need a more powerful method to alter the username just 
before it's written to ntlm_auth, there's a hook for this in AuthBy NTLM:

https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#NtlmRewriteHook_AuthByNTLM

One option could be to:
- leave Domain and DefaultDomain unset
- possibly enable UsernameMatchesWithoutRealm to remove @realm part
- use NtlmRewriteHook to append @subdomain.strath.ac.uk to the realmless 
username

The hook runs after UsernameMatchesWithoutRealm and after the optional 
UsernameFormat has been applied to the username. The next thing that 
happens after the hook is I/O with ntlm_auth. By default UsernameFormat 
does not change the username.

I've also looked at the changes in AuthBy NTLM, and I don't see anything 
that would change the request processing flow. For example, 
LANMAN-Challenge is calculated from the username without DOMAIN\ part 
and this is done before UsernameMatchesWithoutRealm is applied. I'm not 
sure how old Radiator you were using, this in a long time. I also think 
it can't really be changed or then it would break MSCHAPv2.

You did mention that the OS that runs Radiator is also a new one. Could 
it be that the samba config is different enough to cause the change in 
behaviour?

> I've now added Domain SUBDOMAIN.STRATH.AC.UK explicitly too to the 
> AuthBy, and the samba logs seem to show the right thing being tested:
> 
> [2024/08/27 17:38:10.340352,  2, pid=2356]   NTLM CRAP authentication 
> for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned 
> NT_STATUS_WRONG_PASSWORD
> 
> I can test the Domain param is being used by changing it, and now I can get:
> 
> [2024/08/27 17:42:18.767691,  2, pid=2356]   NTLM CRAP authentication 
> for user [NONSENSE.STRATH.AC.UK]\[username] returned NT_STATUS_NO_SUCH_USER
> 
> So I am still puzzled, even when forcing use of Domain, what is 
> different between running ntlm_auth on the CLI, and ntlm_auth through 
> Radiator.

If you configure a Handler for non-EAP requests and use the same AuthBy 
NTLM with it, you could test with radpwtst. It allows testing with, for 
example, PAP and MSCHAPv2. This would be closest way to compare 
ntlm_auth via CLI and ntlm_auth via Radiator.

> Here's a samba line generated using my same test script sending to the 
> non-upgraded working server:
> 
> [2024/08/27 17:46:05.053600,  5, pid=6371]   NTLM CRAP authentication 
> for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_OK

-- 
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

More information about the radiator mailing list