<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Hi Heikki,</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
I re-tested adding --allow-mschapv2 to NtlmAuthProg but it made no difference; I think I've tried that with and without before but wasn't consistent in what I wrote in my email.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
As a cross-check, I also tested the same eapol_test config against a Radiator server that I did not upgrade yet, and that was fine.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
The (inner) username (identity) being supplied is generally of the form username@strath.ac.uk, however the directory is SUBDOMAIN.STRATH.AC.UK so I effectively have:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<AuthBy NTLM></div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Identifier ITSAuthEAPInnerNTLMbackend</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
NtlmAuthProg /usr/local/bin/ntlm_auth --allow-mschapv2 --configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 --option="log level=0"</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
DefaultDomain SUBDOMAIN.STRATH.AC.UK</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
EAPType MSCHAP-V2</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
UsernameMatchesWithoutRealm</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
</AuthBy></div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
The intention being that UsernameMatchesWithoutRealm strips @strath.ac.uk supplied in the identity, and I think DefaultDomain was there to add the AD domain in. This seems to work for clients that supply a realm-less inner identity (including if I change my
eapol_test config to a realmless <span style="font-family: "Lucida Console", Monaco, monospace;">
identity="username"</span>) , but I suspect DefaultDomain is actually redundant here, since Samba knows what the domain is anyway.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
I've now added Domain SUBDOMAIN.STRATH.AC.UK explicitly too to the AuthBy, and the samba logs seem to show the right thing being tested:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
[2024/08/27 17:38:10.340352, 2, pid=2356] NTLM CRAP authentication for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_WRONG_PASSWORD<br>
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
I can test the Domain param is being used by changing it, and now I can get:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
[2024/08/27 17:42:18.767691, 2, pid=2356] NTLM CRAP authentication for user [NONSENSE.STRATH.AC.UK]\[username] returned NT_STATUS_NO_SUCH_USER<br>
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
So I am still puzzled, even when forcing use of Domain, what is different between running ntlm_auth on the CLI, and ntlm_auth through Radiator.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Here's a samba line generated using my same test script sending to the non-upgraded working server:</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
[2024/08/27 17:46:05.053600, 5, pid=6371] NTLM CRAP authentication for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_OK</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
Jethro.</div>
<div class="elementToProof" style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<p><span style="font-family: "Segoe UI", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">. . . . . . . . . . . . . . . . . . . . . . . . . </span></p>
<p><span style="font-family: "Segoe UI", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">J</span><span style="font-family: "segoe ui", "helvetica neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">ethro
R Binks, Network Manager, </span></p>
<p><span style="font-family: "segoe ui", "helvetica neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Information Services Directorate, University Of Strathclyde, Glasgow, UK</span></p>
<p><span style="font-family: "Segoe UI", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);"><br>
</span></p>
<p><span style="font-family: "segoe ui", "helvetica neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.</span></p>
</div>
<div id="appendonsend"></div>
<div style="font-family: "Segoe UI", "Segoe UI Web (West European)", "Helvetica Neue", sans-serif; font-size: 10pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr style="display: inline-block; width: 98%;">
<div id="divRplyFwdMsg" dir="ltr"><span style="font-family: Calibri, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b> radiator <radiator-bounces@lists.open.com.au> on behalf of Heikki Vatiainen via radiator <radiator@lists.open.com.au><br>
<b>Sent:</b> 15 August 2024 3:16 PM<br>
<b>To:</b> radiator@lists.open.com.au <radiator@lists.open.com.au><br>
<b>Subject:</b> Re: [RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade</span>
<div> </div>
</div>
<div class="elementToProof" style="font-size: 11pt;">On 31.7.2024 22.56, Jethro Binks via radiator wrote:<br>
<br>
> or via an mschap_test perl script that generates the challenge stuff and<br>
> feeds to helper-protocol=ntlm-server-1:<br>
><br>
> $ ./mschap-test -c<br>
> Enter AD account username (no domain or realm) to probe: testuser<br>
> Enter domain: mydomain<br>
> Enter password for mydomain\testuser:<br>
> Invoking ntlm_auth --configfile=/usr/local/etc/smb4.conf --allow-<br>
> mschapv2 --helper-protocol=ntlm-server-1 --option='log level=0' <<br>
> ntlmtest.query<br>
<br>
The script adds '--allow-mschapv2' to ntlm_auth parameters. I'd first<br>
check that ntlm_auth that Radiator launches uses the same flag.<br>
<br>
There's more about the flag here:<br>
<a href="https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#Domain_AuthByNTLM-3" id="OWA719c9c3f-047b-235e-3d3e-069daa773871" class="OWAAutoLink" data-auth="NotApplicable">https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#Domain_AuthByNTLM-3</a><br>
<br>
> Now perhaps my use of eapol_test is wrong, it's been a long time, but I<br>
> seem to get the same result if I let some real user traffic in. If the<br>
> supplicant is configured with a realm on the inner auth, then they fail<br>
> auth, and for the rare ones who have no realm specified there, it works<br>
> (I think - it's hard to do this for long as it is disruptive).<br>
<br>
The username that ntlm_auth sends should be one that allows the AD to<br>
find the user record.<br>
<br>
Maybe you could try without DefaultDomain AuthBy NTLM parameter or set<br>
the Windows domain directly with Domain to something that works.<br>
<br>
But I'd do that after --allows-mschapv2 flag to see that's not a<br>
problem. This flag and Domain and DefaultDomain are for different<br>
reasons, but I'd change just one thing at the time.<br>
<br>
Thanks,<br>
Heikki<br>
<br>
_______________________________________________<br>
radiator mailing list<br>
radiator@lists.open.com.au<br>
<a href="https://lists.open.com.au/mailman/listinfo/radiator" id="OWAfb44a048-656f-05e2-838f-c4e8c746199d" class="OWAAutoLink" data-auth="NotApplicable">https://lists.open.com.au/mailman/listinfo/radiator</a></div>
</body>
</html>