On 23.9.2024 0.29, Jethro Binks via radiator wrote:
> I managed to run Radiator-4.17 on the new host for the backend EAP auth part
> and there is no difference in behaviour.
> I also upgraded the samba pkg to 4.19.8 in the hope that that fixed something
> in ntlm_auth but no change there either.
> I went back to my original tests.
> mschap-test -c succeeds
> Eapol_test using a non-realm identity="username" succeeds
> Eapol_test using realm identity="username at strath.ac.uk" fails
> NT_STATUS_WRONG_PASSWORD

I experimented with Ubuntu 24.04 (had it readily available) which comes
with Samba 4.19.5. I did a fresh installation of Samba utils with
winbind the only daemon (no smbd or nmbd).
Edits to /etc/samba/smb.conf were minimal:
- Set 'realm' value to what Windows Server Manager shows as domain. That
is, using format 'dev.example.com' and not the short workgroup name 'DEV'.
- Set 'workgroup' value to DEV.
- Set 'server role' to 'member server'.
Then run 'sudo net ads join -S servername -U administrator' and restart
winbind.
Testing with AuthBy NTLM directly EAP-MSCHAP-V2, MSCHAP, MSCHAPv2 and
PAP works with short 'username' and long '[email protected]'
format. Test with PEAP/EAP-MSCHAP-V2 also works similarly. Tests were
done with goodies/ntlm.cfg and goodies/ntlm_eap_peap.cfg with only
one change: enable '--allow-mschapv2' ntlm_auth parameter.
After testing authentication, I did things such as
- sudo net cache list
- sudo net cache samlogon list
- sudo net cache flush
- sudo net cache samlogon delete SID
I was unable to make it behave differently with 'username' and
'[email protected]' formats. It just worked. Radiator is 4.29.
Looking at smb.conf documentation, 'ntlm auth = ...' looks promising,
but it only talks about smbd. Setting it to different correct values
changed nothing. Changing it to 'foobar' didn't allow winbind to start,
which indicates the parameter is read.
--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software