Hi,

I'm using AuthBy NTLM to authenticate Active Directory users from a linux 
Radiator instance.  When an authentication fails, ntlm_auth seems to give a 
useful error message in the "Authentication-Error" attribute which would be 
helpful for distinguishing different types of problems.  This attribute is 
clearly visible both in the DEBUG output and in a WARNING log message that is 
generated by the module, but I can't figure out how to reference it afterward 
to do other things with it (such as include it in my AuthLog FailureFormat, 
store it in a database where it can assist our help desk in troubleshooting, 
return it as the reject reason, etc).  Is there any way to get at this value 
short of modifying the module?

Below are sample debug output snippets from two failed ntlm_auth login 
attempts.  In both cases the AuthBy NTLM reject reason is simply "AuthBy NTLM 
Password check failed" which is not nearly as helpful in troubleshooting as the 
Authentication-Error message ("Wrong Password" vs "No such user") would be.  
Note also that unfortunately the WARNING message doesn't include the username, 
so even that wouldn't be terribly helpful in a production environment with lots 
of requests.

Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute LANMAN-Challenge: 551ad887cef366ce
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Response: ef76db2128d03a9789133c333175ac5aaad6acedd8c17f44
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Username:: ZG1yeg==
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:09 2010: WARNING: NTLM Could not authenticate user: Wrong Password
Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: dmrz [dmrz]
Tue Oct  5 18:55:09 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
Tue Oct  5 18:55:09 2010: INFO: Access rejected for dmrz: AuthBy NTLM Password check failed

vs

Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute LANMAN-Challenge: f706118f18863992
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Response: 3667e0f1e6a08365d587d54f8a7889357f36e94da008e8cf
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Username:: Ym9ndXN1c2Vy
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:38 2010: WARNING: NTLM Could not authenticate user: No such user
Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: bogususer [bogususer]
Tue Oct  5 18:55:38 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
Tue Oct  5 18:55:38 2010: INFO: Access rejected for bogususer: AuthBy NTLM Password check failed

Thanks,
David
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
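Added example, not part of the post above and not Radiator or Samba code: a small Python parser that does, from the DEBUG log, what the poster wants from inside the module. It walks the "Passing attribute" / "Received attribute" lines, decodes the values that ntlm_auth's helper protocol sends base64-encoded (the lines with a double colon, such as `Username:: ZG1yeg==`), and pairs each `Authentication-Error` with the decoded NT-Domain and username so that a help-desk record has both the user and the reason the WARNING line omits. The sample log is constructed from the two excerpts in the post, rejoined onto single lines; the regexes and the `NtlmFailure` record type are this example's own assumptions about the log format, not a Radiator API.

```python
"""Pair ntlm_auth Authentication-Error values with the user they belong to.

Example parser for Radiator DEBUG log lines of the shape shown in the post.
Assumption (ntlm_auth helper protocol): "Name: value" carries plain text,
"Name:: value" carries a base64-encoded value.
"""
import base64
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Tue Oct  5 18:55:09 2010: DEBUG: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): (?P<level>\w+): (?P<msg>.*)$"
)
MATCH_RE = re.compile(
    r"^Radius::AuthNTLM looks for match with (?P<user>\S+) \[(?P<ident>[^\]]*)\]$"
)
# The optional extra ":" in the b64 group marks a base64-encoded value.
PASS_RE = re.compile(r"^Passing attribute (?P<name>[\w-]+)(?P<b64>:)?: (?P<value>.*)$")
RECV_RE = re.compile(r"^Received attribute: (?P<name>[\w-]+)(?P<b64>:)?: (?P<value>.*)$")


@dataclass
class NtlmFailure:
    """One rejected NTLM authentication, as the help desk would want to see it."""
    timestamp: str
    user: str
    domain: Optional[str]
    error: str  # ntlm_auth's Authentication-Error text, e.g. "Wrong Password"


def decode_value(is_b64: bool, raw: str) -> str:
    """Decode a helper-protocol value; "::" lines are base64, ":" lines are plain."""
    if not is_b64:
        return raw
    return base64.b64decode(raw).decode("utf-8", "replace")


def parse_ntlm_failures(log_text: str) -> List[NtlmFailure]:
    """Return one NtlmFailure per Authentication-Error seen in the log."""
    failures: List[NtlmFailure] = []
    user: Optional[str] = None
    domain: Optional[str] = None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Radiator log line (or a wrapped continuation)
        ts, msg = m.group("ts"), m.group("msg")
        mm = MATCH_RE.match(msg)
        if mm:
            # A new authentication attempt starts; reset per-attempt state.
            user, domain = mm.group("user"), None
            continue
        mm = PASS_RE.match(msg)
        if mm:
            value = decode_value(bool(mm.group("b64")), mm.group("value"))
            if mm.group("name") == "NT-Domain":
                domain = value
            elif mm.group("name") == "Username":
                user = value  # decoded form, overrides the "looks for match" name
            continue
        mm = RECV_RE.match(msg)
        if mm and mm.group("name") == "Authentication-Error":
            failures.append(NtlmFailure(ts, user or "?", domain, mm.group("value")))
    return failures


def failures_by_error(failures: List[NtlmFailure]) -> Dict[str, int]:
    """Count failures per Authentication-Error text, for a quick triage view."""
    return dict(Counter(f.error for f in failures))


def format_failure(f: NtlmFailure) -> str:
    """Internal log/help-desk line: domain\\user plus the detailed reason."""
    who = f"{f.domain}\\{f.user}" if f.domain else f.user
    return f"{f.timestamp}: NTLM auth failed for {who}: {f.error}"


# Constructed sample: the two excerpts from the post, rejoined onto single lines.
SAMPLE_LOG = """\
Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Username:: ZG1yeg==
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct  5 18:55:09 2010: WARNING: NTLM Could not authenticate user: Wrong Password
Tue Oct  5 18:55:09 2010: INFO: Access rejected for dmrz: AuthBy NTLM Password check failed
Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Username:: Ym9ndXN1c2Vy
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
Tue Oct  5 18:55:38 2010: WARNING: NTLM Could not authenticate user: No such user
"""

if __name__ == "__main__":
    for failure in parse_ntlm_failures(SAMPLE_LOG):
        print(format_failure(failure))
    print(failures_by_error(parse_ntlm_failures(SAMPLE_LOG)))
```

The detailed reason is kept in the internal record only; the generic "AuthBy NTLM Password check failed" text that Radiator already returns to the client is the right thing to send back, since a per-user "No such user" versus "Wrong Password" distinction in the Access-Reject would tell a caller which usernames exist.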
