[RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade
Heikki Vatiainen
hvn at open.com.au
Fri Sep 6 15:35:19 UTC 2024
On 27.8.2024 19.53, Jethro Binks via radiator wrote:
> I re-tested adding --allow-mschapv2 to NtlmAuthProg but it made no
> difference; I think I've tried that with and without before but wasn't
> consistent in what I wrote in my email.
Let's ignore this. That is, it's good to have it enabled and it's not
what's causing problems in your case.
> As a cross-check, I also tested the same eapol_test config against a
> Radiator server that I did not upgrade yet, and that was fine.
>
> The (inner) username (identity) being supplied is generally of the form
> username at strath.ac.uk, however the directory is
> SUBDOMAIN.STRATH.AC.UK so I effectively have:
>
> <AuthBy NTLM>
> Identifier ITSAuthEAPInnerNTLMbackend
> NtlmAuthProg /usr/local/bin/ntlm_auth --allow-mschapv2 --configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 --option="log level=0"
> DefaultDomain SUBDOMAIN.STRATH.AC.UK
> EAPType MSCHAP-V2
> UsernameMatchesWithoutRealm
> </AuthBy>
>
> The intention being that UsernameMatchesWithoutRealm strips
> @strath.ac.uk supplied in the identity, and I think DefaultDomain was
> there to add the AD domain in. This seems to work for clients that
> supply a realm-less inner identity (including if I change my eapol_test
> config to a realmless identity="username"), but I suspect DefaultDomain
> is actually redundant here, since Samba knows what the domain is anyway.
That's correct. The @realm part is removed and since there's no DOMAIN\
in the username, DefaultDomain is pushed to ntlm_auth.
In case you'd need a more powerful method to alter the username just
before it's written to ntlm_auth, there's a hook for this in AuthBy NTLM:
https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#NtlmRewriteHook_AuthByNTLM
One option could be to:
- leave Domain and DefaultDomain unset
- possibly enable UsernameMatchesWithoutRealm to remove @realm part
- use NtlmRewriteHook to append @subdomain.strath.ac.uk to the realmless
username
The hook runs after UsernameMatchesWithoutRealm and after the optional
UsernameFormat has been applied to the username. The next thing that
happens after the hook is I/O with ntlm_auth. By default UsernameFormat
does not change the username.
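As an added illustration of the username flow described above (not code from this thread or from Radiator itself), the Perl below emulates the realm stripping and the rewrite hook body in isolation; the realm values are assumptions taken from this thread, and the hook's argument order shown in the comment is an assumption to check against the linked reference.

```perl
# Added example: emulate what happens to the inner identity before ntlm_auth I/O.
use strict;
use warnings;

my $ad_realm = 'subdomain.strath.ac.uk';  # assumed realm ntlm_auth should see

# Step 1: what UsernameMatchesWithoutRealm does: drop a trailing @realm.
# (UsernameFormat, unset by default, would be applied next and leave the name as-is.)
sub strip_realm {
    my ($name) = @_;
    $name =~ s/\@[^@]*$//;
    return $name;
}

# Step 2: the rewrite hook body, run just before ntlm_auth sees the name.
# Leaves DOMAIN\user or user@realm untouched so the rewrite never double-appends.
sub rewrite_for_ntlm {
    my ($name) = @_;
    return $name if $name =~ /\\/ || $name =~ /\@/;
    return "$name\@$ad_realm";
}

# How the body would be wired into the AuthBy NTLM clause, with Domain and
# DefaultDomain left unset (argument order is an assumption, not taken from the docs):
#   NtlmRewriteHook sub { my ($self, $p, $username) = @_; return rewrite_for_ntlm($username); }

# Constructed sample identities: realm-qualified, realm-less, and DOMAIN\user form.
for my $identity ('username@strath.ac.uk', 'username', 'SUBDOMAIN\\username') {
    my $after_strip = strip_realm($identity);
    my $to_ntlm     = rewrite_for_ntlm($after_strip);
    printf "%-24s -> %-20s -> %s\n", $identity, $after_strip, $to_ntlm;
}
```

The third sample shows why the hook guards against a backslash: a DOMAIN\user identity is passed through unchanged rather than being turned into DOMAIN\user@realm.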
I've also looked at the changes in AuthBy NTLM, and I don't see anything
that would change the request processing flow. For example,
LANMAN-Challenge is calculated from the username without the DOMAIN\ part,
and this is done before UsernameMatchesWithoutRealm is applied. I'm not
sure how old a Radiator version you were using; this has been the case for a
long time. I also think it can't really be changed, or it would break MSCHAPv2.
You did mention that the OS that runs Radiator is also a new one. Could
it be that the samba config is different enough to cause the change in
behaviour?
> I've now added Domain SUBDOMAIN.STRATH.AC.UK explicitly too to the
> AuthBy, and the samba logs seem to show the right thing being tested:
>
> [2024/08/27 17:38:10.340352, 2, pid=2356] NTLM CRAP authentication for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_WRONG_PASSWORD
>
> I can test the Domain param is being used by changing it, and now I can get:
>
> [2024/08/27 17:42:18.767691, 2, pid=2356] NTLM CRAP authentication for user [NONSENSE.STRATH.AC.UK]\[username] returned NT_STATUS_NO_SUCH_USER
>
> So I am still puzzled, even when forcing use of Domain, what is
> different between running ntlm_auth on the CLI, and ntlm_auth through
> Radiator.
If you configure a Handler for non-EAP requests and use the same AuthBy
NTLM with it, you could test with radpwtst. It allows testing with, for
example, PAP and MSCHAPv2. This would be the closest way to compare
ntlm_auth via CLI and ntlm_auth via Radiator.
> Here's a samba line generated using my same test script sending to the
> non-upgraded working server:
>
> [2024/08/27 17:46:05.053600, 5, pid=6371] NTLM CRAP authentication for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_OK
--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software