On 27.8.2024 19.53, Jethro Binks via radiator wrote:
I re-tested adding --allow-mschapv2 to NtlmAuthProg but it made no
difference; I think I've tried that with and without before but wasn't
consistent in what I wrote in my email.
Let's ignore this. That is, it's good to have enabled and it's not
what's causing problems in your case.
As a cross-check, I also tested the same eapol_test config against a
Radiator server that I did not upgrade yet, and that was fine.
The (inner) username (identity) being supplied is generally of the form
[email protected], however the directory is
SUBDOMAIN.STRATH.AC.UK so I effectively have:
<AuthBy NTLM>
Identifier ITSAuthEAPInnerNTLMbackend
NtlmAuthProg /usr/local/bin/ntlm_auth --allow-mschapv2 --
configfile=/usr/local/etc/smb4.conf --helper-protocol=ntlm-server-1 --
option="log level=0"
DefaultDomain SUBDOMAIN.STRATH.AC.UK
EAPType MSCHAP-V2
UsernameMatchesWithoutRealm
</AuthBy>
The intention being that UsernameMatchesWithoutRealm strips
@strath.ac.uk supplied in the identity, and I think DefaultDomain was
there to add the AD domain in. This seems to work for clients that
supply a realm-less inner identity (including if I change my eapol_test
config to a realmless identity="username") , but I suspect DefaultDomain
is actually redundant here, since Samba knows what the domain is anyway.
That's correct. The @realm part is removed and since there's no DOMAIN\
in the username, DefaultDomain is pushed to ntlm_auth.
In case you'd need a more powerful method to alter the username just
before it's written to ntlm_auth, there's a hook for this in AuthBy NTLM:
https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#NtlmRewriteHook_AuthByNTLM
One option could be to:
- leave Domain and DefaultDomain unset
- possibly enable UsernameMatchesWithoutRealm to remove @realm part
- use NtlmRewriteHook to append @subdomain.strath.ac.uk to the realmless
username
The hook runs after UsernameMatchesWithoutRealm and after the optional
UsernameFormat has been applied to the username. The next thing that
happens after the hook is I/O with ntlm_auth. By default UsernameFormat
does not change the username.
I've also looked at the changes in AuthBy NTLM, and I don't see anything
that would change the request processing flow. For example,
LANMAN-Challenge is calculated from the username without DOMAIN\ part
and this is done before UsernameMatchesWithoutRealm is applied. I'm not
sure how old Radiator you were using, this in a long time. I also think
it can't really be changed or then it would break MSCHAPv2.
You did mention that the OS that runs Radiator is also a new one. Could
it be that the samba config is different enough to cause the change in
behaviour?
I've now added Domain SUBDOMAIN.STRATH.AC.UK explicitly too to the
AuthBy, and the samba logs seem to show the right thing being tested:
[2024/08/27 17:38:10.340352, 2, pid=2356] NTLM CRAP authentication
for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned
NT_STATUS_WRONG_PASSWORD
I can test the Domain param is being used by changing it, and now I can get:
[2024/08/27 17:42:18.767691, 2, pid=2356] NTLM CRAP authentication
for user [NONSENSE.STRATH.AC.UK]\[username] returned NT_STATUS_NO_SUCH_USER
So I am still puzzled, even when forcing use of Domain, what is
different between running ntlm_auth on the CLI, and ntlm_auth through
Radiator.
If you configure a Handler for non-EAP requests and use the same AuthBy
NTLM with it, you could test with radpwtst. It allows testing with, for
example, PAP and MSCHAPv2. This would be closest way to compare
ntlm_auth via CLI and ntlm_auth via Radiator.
Here's a samba line generated using my same test script sending to the
non-upgraded working server:
[2024/08/27 17:46:05.053600, 5, pid=6371] NTLM CRAP authentication
for user [SUBDOMAIN.STRATH.AC.UK]\[username] returned NT_STATUS_OK
--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
