[RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade

Jethro Binks jethro.binks at strath.ac.uk
Thu Sep 12 21:29:08 UTC 2024


I have made some further progress analysing this.

I replaced NtlmAuthProg with a shell script that captures the input stream into a file, and then runs the original ntlm_auth with the same params.

This permitted me to capture the input to ntlm_auth under different scenarios.  As shown below, with some (consistent) redaction; I have checked that the username, cleartext password and domain all base64-decode correctly where they appear.

Test using my eapol_test method; this fails in the now-expected way:

Request-User-Session-Key: Yes
NT-Domain:: SoMeChAracTeRsHeRe
Username:: OthErCharS
Request-LanMan-Session-Key: Yes
LANMAN-Challenge: e838f407e1fa6e4b
NT-Response: e5500f12023e2432f80f9be6650ac44bc9acc2f3f3797991
.

Then I made the changes you suggested to use radpwtst, first with PAP which worked:

Password:: B64EncPassWD==
Username:: OthErCharS
NT-Domain:: SoMeChAracTeRsHeRe
.

Then with radpwtst -mschapv2, it also works:

Request-LanMan-Session-Key: Yes
NT-Domain:: SoMeChAracTeRsHeRe
Request-User-Session-Key: Yes
Username:: OthErCharS
NT-Response: abcb3e701bb9c999c16d5fe84d5eceb1d61f4ab4bd68e5ca
LANMAN-Challenge: a00f45140ebf8500
.

The only material difference I see is in the ordering, but if I re-run it seems the order is pretty random anyway.

If I take the output of my failed eapol_test and feed into ntlm_auth:

 # ntlm_auth --configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 --option='log level=10' < /tmp/d2
Got 'Request-User-Session-Key: Yes' from squid (length: 29).
Got 'NT-Domain:: SoMeChAracTeRsHeRe' from squid (length: ..).
Got 'Username:: OthErCharS' from squid (length: ..).
Got 'Request-LanMan-Session-Key: Yes' from squid (length: 31).
Got 'LANMAN-Challenge: e838f407e1fa6e4b' from squid (length: 34).
Got 'NT-Response: e5500f12023e2432f80f9be6650ac44bc9acc2f3f3797991' from squid (length: 61).
Got '.' from squid (length: 1).
Authenticated: No
Authentication-Error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
.

[2024/09/12 22:16:02.668326,  2, pid=2356]   NTLM CRAP authentication for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_WRONG_PASSWORD

I can do the same with the PAP test input, feeding it to ntlm_auth.  It works when correct, as above; if I change a character in the password it's a similar failure:

Got 'Password:: BrokenB64EncPassWD==' from squid (length: ..).
Got 'Username:: OthErCharS' from squid (length: ..).
Got 'NT-Domain:: SoMeChAracTeRsHeRe' from squid (length: ..).
Got '.' from squid (length: 1).
NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)
Authenticated: No
.


I am rather at a loss here now.  It seems to boil down to something about the LANMAN-Challenge and NT-Response parts since that's all that's functionally different given these input streams to ntlm_auth (their values shown above are obfuscated), but I don't know how to look deeper.

For your other questions:

> You did mention that the OS that runs Radiator is also a new one. Could it be that the samba config is different enough to cause the change in behaviour?

Mildly, as the samba version was also newer, so some adjustments were made (upgrading samba always throws in changes).  But the above tests are all against the same running samba on the new server.  The key setting may be "ntlm auth = mschapv2-and-ntlmv2-only", which was unstated (removing it doesn't seem to make a difference to the results).

> I'm not sure how old a Radiator you were using; this has been so for a long time.

Don't tell everyone, it was Radiator-4.17.  Darn you made me admit it ...

Jethro.


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

Jethro R Binks, Network Manager,

Information Services Directorate, University Of Strathclyde, Glasgow, UK


The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen via radiator <radiator at lists.open.com.au>
Sent: 06 September 2024 4:35 PM
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade

On 27.8.2024 19.53, Jethro Binks via radiator wrote:

> I re-tested adding --allow-mschapv2 to NtlmAuthProg but it made no
> difference; I think I've tried that with and without before but wasn't
> consistent in what I wrote in my email.

Let's ignore this. That is, it's good to have it enabled and it's not
what's causing problems in your case.

> As a cross-check, I also tested the same eapol_test config against a
> Radiator server that I did not upgrade yet, and that was fine.
>
> The (inner) username (identity) being supplied is generally of the form
> username at strath.ac.uk, however the directory is
> SUBDOMAIN.STRATH.AC.UK so I effectively have:
>
> <AuthBy NTLM>
>      Identifier      ITSAuthEAPInnerNTLMbackend
>      NtlmAuthProg /usr/local/bin/ntlm_auth --allow-mschapv2 --configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 --option="log level=0"
>      DefaultDomain SUBDOMAIN.STRATH.AC.UK
>      EAPType MSCHAP-V2
>      UsernameMatchesWithoutRealm
> </AuthBy>
>
> The intention being that UsernameMatchesWithoutRealm strips
> @strath.ac.uk supplied in the identity, and I think DefaultDomain was
> there to add the AD domain in.  This seems to work for clients that
> supply a realm-less inner identity (including if I change my eapol_test
> config to a realmless identity="username") , but I suspect DefaultDomain
> is actually redundant here, since Samba knows what the domain is anyway.

That's correct. The @realm part is removed and since there's no DOMAIN\
in the username, DefaultDomain is pushed to ntlm_auth.

In case you'd need a more powerful method to alter the username just
before it's written to ntlm_auth, there's a hook for this in AuthBy NTLM:

https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#NtlmRewriteHook_AuthByNTLM

One option could be to:
- leave Domain and DefaultDomain unset
- possibly enable UsernameMatchesWithoutRealm to remove @realm part
- use NtlmRewriteHook to append @subdomain.strath.ac.uk to the realmless
username

The hook runs after UsernameMatchesWithoutRealm and after the optional
UsernameFormat has been applied to the username. The next thing that
happens after the hook is I/O with ntlm_auth. By default UsernameFormat
does not change the username.

I've also looked at the changes in AuthBy NTLM, and I don't see anything
that would change the request processing flow. For example,
LANMAN-Challenge is calculated from the username without DOMAIN\ part
and this is done before UsernameMatchesWithoutRealm is applied. I'm not
sure how old a Radiator you were using; this has been so for a long time.
I also think it can't really be changed or then it would break MSCHAPv2.

You did mention that the OS that runs Radiator is also a new one. Could
it be that the samba config is different enough to cause the change in
behaviour?

> I've now added Domain SUBDOMAIN.STRATH.AC.UK explicitly too to the
> AuthBy, and the samba logs seem to show the right thing being tested:
>
> [2024/08/27 17:38:10.340352,  2, pid=2356]   NTLM CRAP authentication
> for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned
> NT_STATUS_WRONG_PASSWORD
>
> I can test the Domain param is being used by changing it, and now I can get:
>
> [2024/08/27 17:42:18.767691,  2, pid=2356]   NTLM CRAP authentication
> for user [NONSENSE.STRATH.AC.UK]\[username] returned NT_STATUS_NO_SUCH_USER
>
> So I am still puzzled, even when forcing use of Domain, what is
> different between running ntlm_auth on the CLI, and ntlm_auth through
> Radiator.

If you configure a Handler for non-EAP requests and use the same AuthBy
NTLM with it, you could test with radpwtst. It allows testing with, for
example, PAP and MSCHAPv2. This would be the closest way to compare
ntlm_auth via CLI and ntlm_auth via Radiator.

> Here's a samba line generated using my same test script sending to the
> non-upgraded working server:
>
> [2024/08/27 17:46:05.053600,  5, pid=6371]   NTLM CRAP authentication
> for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_OK

--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator