A little follow-up to this. I found things were not quite as consistent (or not in the same way) as I thought.
It seems to be that the act of switching between testing the monolithic and the frontend/backend is what causes problems. I suspect it is an interaction between the two ntlm_auth processes (one spawned from each Radiator) and the winbindd socket. I will try and look into it further later, but if anyone has come across anything like this or knows more about the ntlm_auth/winbindd interaction I'd be interested in your comments.

Jethro.

On Wed, 29 Oct 2014, Jethro R Binks wrote:

> Hi,
>
> I have been following David Zych's recent work with interest:
>
> https://www.mail-archive.com/[email protected]/msg18963.html
>
> and wanted to implement something similar here, but I've hit a stumbling block that I cannot get past. Maybe it will be blindingly obvious to someone else ...
>
> Essentially, I currently have a monolithic Radiator process that I want to split out and proxy to more backend authentication processes. To that end, I configured up a backend Radiator process with the NTLM bits, and in the front-end added some clauses to proxy certain queries (those with my username).
>
> I'm testing with eapol_test, and against the real monolithic Radiator servers it is fine. The inner authentication bits look like this:
>
> <AuthBy GROUP>
>     # There used to be other things here, and an AuthbyPolicy
>     ContinueUntilAcceptOrChallenge
>     Identifier ITSAuthEAPInner
>     AuthBy ITSAuthEAPInnerNTLM
> </AuthBy>
>
> <AuthBy NTLM>
>     Identifier ITSAuthEAPInnerNTLM
>     NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
>     DefaultDomain DS.STRATH.AC.UK
>     EAPType MSCHAP-V2
>     UsernameMatchesWithoutRealm
> </AuthBy>
>
> However, if I change it (on the same host) to look like this in the front-end, modelled after David's examples:
>
> <AuthBy GROUP>
>     # There used to be other things here, and an AuthbyPolicy
>     ContinueUntilAcceptOrChallenge
>     Identifier ITSAuthEAPInnerJRB
>     AuthBy BackendProxy
> </AuthBy>
>
> <AuthBy ROUNDROBIN>
>     Identifier BackendProxy
>     Include %D/secret.backend.conf
>     RetryTimeout 3
>     Retries 0
>     MaxTargetHosts 2
>     FailureBackoffTime 1
>     StripFromRequest X-Proxy-Timestamp,X-Proxy-Timeout
>     AddToRequest X-Proxy-Timestamp=%t,X-Proxy-Timeout=3
>     ReplyTimeoutHook file:"%D/hooks/replytimeout"
>     <Host 127.0.0.1>
>         AuthPort %{GlobalVar:Backendworker1Port}
>     </Host>
>     IgnoreAccounting
> </AuthBy>
>
> and then in the backend:
>
> <Handler Client-Identifier=frontend>
>     Identifier frontend
>     AuthBy ITSAuthEAPInnerNTLMbackend
> </Handler>
>
> <AuthBy NTLM>
>     Identifier ITSAuthEAPInnerNTLMbackend
>     NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
>     DefaultDomain DS.STRATH.AC.UK
>     EAPType MSCHAP-V2
>     UsernameMatchesWithoutRealm
> </AuthBy>
>
> I always get a password failure from ntlm_auth when going through Radiator.
>
> I can run ntlm_auth OK at the command line and do plain authentication on the same host:
>
> ntlm_auth --username=ras99101
> password:
> NT_STATUS_OK: Success (0x0)
>
> I can also run David's script in http://www.open.com.au/pipermail/radiator/2011-November/017709.html and get successful ntlm authentication:
>
> ./radius-test
> Invoking ntlm_auth --helper-protocol=ntlm-server-1 < ntlmtest.query
>
> -- Contents of query file --
> Username: ras99101
> NT-Domain: DS.STRATH.AC.UK
> LANMAN-Challenge: 0000000000000000
> NT-Response: d4be0aa521b02f12d066fcdfe2d88c04f9b7bbc19cf05df0
> .
> -- Output --
> Authenticated: Yes
> .
> -- Done --
>
> Here are debug logs showing the two transactions, interspersed with some winbindd debugging (I've slightly mangled Challenge/Response/LANMAN output).
>
> This one was OK via the old monolithic route:
>
> Wed Oct 29 16:50:46 2014: DEBUG: Handling request with Handler 'TunnelledByPEAP=1 ', Identifier 'eap-inner-peap'
> Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
> Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
> Wed Oct 29 16:50:46 2014: DEBUG: Deleting session for ras99101, ,
> Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthGROUP: ITSAuthEAPInner
> Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLM
> Wed Oct 29 16:50:46 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
> Wed Oct 29 16:50:46 2014: DEBUG: Response type 26
> Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM looks for match with ras99101 [ras99101]
> Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM ACCEPT: : ras99101 [ras99101]
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute LANMAN-Challenge: bda8fa68138ee574
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Response: 8d04f4250f887d8fb72e1d4c9451f36926f0bb3f2a8178fe
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
> Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
> [2014/10/29 16:50:46.190790, 3, pid=76290] [80304]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
> [2014/10/29 16:50:46.190965, 4, pid=76291] child daemon request 14
> [2014/10/29 16:50:46.191041, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
> [2014/10/29 16:50:46.198343, 5, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_OK (PAM: 0)
> [2014/10/29 16:50:46.198426, 4, pid=76291] Finished processing child request 14
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: Authenticated: Yes
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: LANMAN-Session-Key: B7BF79EA25BFD6F0
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: User-Session-Key: 8B7FEA71FF24E1ECDAA6433999F42FEE
> Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: .
> Wed Oct 29 16:50:46 2014: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthGROUP:ITSAuthEAPInner ITSAuthEAPInnerNTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Wed Oct 29 16:50:46 2014: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Wed Oct 29 16:50:46 2014: DEBUG: Access challenged for ras99101: EAP MSCHAP V2 Challenge: Success
>
> This one was a failure via the backend proxy:
>
> Wed Oct 29 16:51:53 2014: DEBUG: Handling request with Handler 'Client-Identifier=frontend', Identifier 'frontend'
> Wed Oct 29 16:51:53 2014: DEBUG: Deleting session for ras99101, 127.0.0.1,
> Wed Oct 29 16:51:53 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLMbackend
> Wed Oct 29 16:51:53 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
> Wed Oct 29 16:51:53 2014: DEBUG: Response type 26
> Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM looks for match with [ras99101]
> Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM ACCEPT: : [ras99101]
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute LANMAN-Challenge: 499d16055416b67b
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Response: acedbcb10e6427538561caa910fd1299d0f5f9d8e289846e
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
> Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
> [2014/10/29 16:51:53.895378, 3, pid=76290] [76149]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
> [2014/10/29 16:51:53.895832, 4, pid=76291] child daemon request 14
> [2014/10/29 16:51:53.895957, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
> [2014/10/29 16:51:53.922474, 2, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)
> [2014/10/29 16:51:53.922547, 4, pid=76291] Finished processing child request 14
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authenticated: No
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authentication-Error: Wrong Password
> Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
> Wed Oct 29 16:51:53 2014: WARNING: NTLM Could not authenticate user 'ras99101': Wrong Password
> Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
> Wed Oct 29 16:51:53 2014: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Wed Oct 29 16:51:53 2014: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
> Wed Oct 29 16:51:53 2014: INFO: Access rejected for ras99101: EAP MSCHAP-V2 Authentication failure
>
> Radiator-4.13 in all instances.
>
> The only thing I can see anomalous is:
>
> Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
>
> Anyone any ideas?
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>
> The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.
> . . . . . . . . . . . . . . . . . . . . . . . . .
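For anyone who wants to repeat David's radius-test approach without the shell script, here is an added example (not code from this thread, from Radiator or from Samba) that speaks the ntlm-server-1 helper protocol exactly as the debug logs above show it: "Attribute: value" lines out, "Attribute:: base64" for the values Radiator base64-encodes (NT-Domain and Username), a lone "." terminator, and a reply in the same shape. The function names, the constructed sample replies and the assumption that ntlm_auth is on PATH are this example's own; the config in the thread points it at /usr/local/bin/ntlm_auth with -s /usr/local/etc/smb.conf, which you pass through extra_args.

```python
"""Driver and parser for ntlm_auth's ntlm-server-1 helper protocol.

Added example, not code from this thread, Radiator or Samba.  It builds the
same request Radiator's AuthBy NTLM sends (see the "Passing attribute" log
lines) and parses the reply (the "Received attribute" lines).
"""
import base64
import re
import shutil
import subprocess
from typing import Dict, Optional, Sequence, Tuple

# Assumption: ntlm_auth is on PATH.  The thread's config uses
# /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf; pass those as prog/extra_args.
NTLM_AUTH = "ntlm_auth"
HELPER_ARGS = ("--helper-protocol=ntlm-server-1",)

# "Name: value" or "Name:: base64value"; value may be empty.
_ATTR_RE = re.compile(r"^([^:]+)(::?) ?(.*)$")


def is_hex_of_len(value: str, nbytes: int) -> bool:
    """True if value is exactly nbytes of hex (LANMAN-Challenge is 8, NT-Response 24)."""
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * nbytes), value) is not None


def build_query(username: str, domain: str, lanman_challenge: str, nt_response: str,
                base64_names: bool = True, request_session_keys: bool = True) -> str:
    """Build one helper-protocol request, terminated by a lone ".".

    base64_names=True sends Username and NT-Domain as "Name:: <base64>", as the
    Radiator logs show; False sends the plain form David's query file uses.
    request_session_keys asks for the session keys Radiator needs after EAP-MSCHAPv2.
    """
    if not is_hex_of_len(lanman_challenge, 8):
        raise ValueError("LANMAN-Challenge must be 8 bytes of hex")
    if not is_hex_of_len(nt_response, 24):
        raise ValueError("NT-Response must be 24 bytes of hex")
    lines = []
    if request_session_keys:
        lines += ["Request-User-Session-Key: Yes", "Request-LanMan-Session-Key: Yes"]
    lines += [f"LANMAN-Challenge: {lanman_challenge}", f"NT-Response: {nt_response}"]
    if base64_names:
        def b64(s: str) -> str:
            return base64.b64encode(s.encode("utf-8")).decode("ascii")
        lines += [f"NT-Domain:: {b64(domain)}", f"Username:: {b64(username)}"]
    else:
        lines += [f"NT-Domain: {domain}", f"Username: {username}"]
    lines.append(".")  # request terminator
    return "\n".join(lines) + "\n"


def parse_response(text: str) -> Dict[str, str]:
    """Parse helper output up to the "." terminator into {attribute: value}.
    "Name:: value" values are base64 and are decoded; blank/malformed lines are skipped."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line == ".":
            break
        m = _ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        attrs[name] = value
    return attrs


def verdict(attrs: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Collapse a parsed reply to (authenticated, error), the way Radiator reports it."""
    if attrs.get("Authenticated", "").strip().lower() == "yes":
        return True, None
    return False, attrs.get("Authentication-Error") or "no Authentication-Error returned"


def run_helper(query: str, prog: str = NTLM_AUTH,
               extra_args: Sequence[str] = ()) -> Dict[str, str]:
    """Feed one request to ntlm_auth on stdin and parse its reply.
    Raises FileNotFoundError if the helper is not installed."""
    path = shutil.which(prog) or prog
    proc = subprocess.run([path, *extra_args, *HELPER_ARGS], input=query,
                          capture_output=True, text=True, check=False)
    return parse_response(proc.stdout)


# Constructed sample replies, shaped after the "Received attribute" log lines above.
SAMPLE_OK_RESPONSE = (
    "Authenticated: Yes\n"
    "LANMAN-Session-Key: B7BF79EA25BFD6F0\n"
    "User-Session-Key: 8B7FEA71FF24E1ECDAA6433999F42FEE\n"
    ".\n"
)
SAMPLE_FAIL_RESPONSE = "Authenticated: No\nAuthentication-Error: Wrong Password\n.\n"


if __name__ == "__main__":
    # Values taken from David's query file in the thread; a real check uses the
    # challenge/response pair from the live EAP-MSCHAPv2 exchange.
    query = build_query("ras99101", "DS.STRATH.AC.UK", "0000000000000000",
                        "d4be0aa521b02f12d066fcdfe2d88c04f9b7bbc19cf05df0")
    print(query, end="")
    if shutil.which(NTLM_AUTH):
        ok, err = verdict(run_helper(query))  # add extra_args=("-s", "<smb.conf>") if needed
        print("authenticated" if ok else f"rejected: {err}")
    else:
        print("ntlm_auth not on PATH; sample reply parses as", verdict(parse_response(SAMPLE_OK_RESPONSE)))
```

Run it as the same user Radiator runs as, on the same host as winbindd, and compare the reply with the "Received attribute" lines in Radiator's log; running it with base64_names=True and then False is a quick way to rule out the "::" encoding as the difference between the two Radiator instances.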
_______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
