ntlm_auth and machine authentication (workaround)

Roy Hooper rhooper at toybox.ca
Thu Oct 20 05:00:30 CEST 2005


After spending a fair bit of time searching list archives and Google results,
I've managed to make ntlm_auth work for both users and machine accounts.

This fix requires patching of Samba (thanks go to Mike McCauley of OSC/Radiator
for the howto on the fix and to Matthew Alexander for pointing it out in
Samba's lists).  This patch may break Samba for other purposes, as I have only
tested it to verify ntlm_auth can do both user and account challenge/response
authentication for MSCHAPv2 for PEAP.

The second part to the fix is an ntlm_auth wrapper that deals with DOMAIN\\user
format usernames and translates WinXP "host/" machine names to NT machine
usernames.

---BEGIN /usr/local/bin/ntlm_auth_hack---
#!/usr/bin/perl
# ntlm_auth wrapper for rlm_mschap: fixes up --username for machine accounts
# ("host/name.domain" -> "NAME$") and for "DOMAIN\user" style names.
use strict;
use warnings;

# Rewrite the arguments as one string; ntlm_auth's arguments contain no spaces.
my $ARGS = join(" ", @ARGV);
if ($ARGS =~ m{--username=host/\S+}) {
        # Keep the short host name, drop any DNS suffix, append the NT "$".
        $ARGS =~ s{--username=host/([^\s.]+)\S*}{--username=$1\$};
} else {
        # "DOMAIN\user" -> separate --domain and --username arguments.
        $ARGS =~ s{--username=([^\\\s]+)\\+}{--domain=$1 --username=};
}
# exec, not system, so the caller sees ntlm_auth's own exit status.
exec("/usr/local/bin/ntlm_auth", split(" ", $ARGS)) or die "exec: $!";
---END /usr/local/bin/ntlm_auth_hack---
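The piece the post does not show is how rlm_mschap is pointed at the wrapper instead of the real binary. The following radiusd.conf fragment is an added example, not from Roy's post; it assumes FreeRADIUS 1.x, whose stock configuration uses exactly these %{mschap:...} expansions (the :-None and :-00 parts are default values when the attribute is absent), and that the wrapper above is installed as /usr/local/bin/ntlm_auth_hack:

```conf
# radiusd.conf, modules section (added example; assumes FreeRADIUS 1.x)
mschap {
        # Call the wrapper, which rewrites --username and then execs the real
        # ntlm_auth.  What the wrapper receives, per case:
        #   --username=host/pc1.example.com  ->  --username=pc1$
        #   --username=CORP\alice            ->  --domain=CORP --username=alice
        #   --username=bob                   ->  unchanged
        ntlm_auth = "/usr/local/bin/ntlm_auth_hack --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Because the wrapper execs ntlm_auth rather than spawning it, rlm_mschap sees ntlm_auth's real exit status and its "NT_KEY:" output unchanged, so a failed logon is reported the same way as without the wrapper.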

And so the example is somewhere other than my head: the following returns the
appropriate attributes to a Cisco AP to assign a particular VLAN, in this case
vlan-266, when doing EAP.

# Assign a VLAN to any user from this station
# (Service-Type = Framed-User is the standard attribute; "Framed-Type" does not exist)
DEFAULT         Calling-Station-Id == "1234.1234.1234"
        Service-Type = Framed-User,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 100


And another fun one:

# Assign a particular VLAN to a user from a particular station
DOMAIN\\user  Calling-Station-Id == "1234.1234.1234"
        Service-Type = Framed-User,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 200


Naturally the DEFAULT should come after the specific user match.

---BEGIN cli_netlogon.c.patch---
--- orig/samba-3.0.20b/source/rpc_client/cli_netlogon.c	Wed Oct 12 17:03:23 2005
+++ patched/samba-3.0.20b/source/rpc_client/cli_netlogon.c	Thu Oct 20 02:39:27 2005
@@ -699,7 +699,7 @@
                    SMBNTencrypt(password, chal, local_nt_response);
 
                    init_id_info2(&ctr.auth.id2, lp_workgroup(), 
-                              0, /* param_ctrl */
+                              0x800, /* param_ctrl */
                               0xdead, 0xbeef, /* LUID? */
                               username, cli->clnt_name_slash, chal,
                               local_lm_response, 24, local_nt_response, 24);
@@ -800,7 +800,7 @@
         ctr.switch_value = NET_LOGON_TYPE;
 
 	init_id_info2(&ctr.auth.id2, domain,
-		      0, /* param_ctrl */
+		      0x800, /* param_ctrl */
 		      0xdead, 0xbeef, /* LUID? */
 		      username, workstation_name_slash, (const uchar*)chal,
 		      lm_response.data, lm_response.length, nt_response.data, nt_response.length);
---END cli_netlogon.c.patch---
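Review bot: in the @@ -699,7 hunk the `+` line swaps the literal 0 for the literal `0x800` but keeps the bare `/* param_ctrl */` comment, so nothing in the code says what was enabled; use the named constant for that ParameterControl bit (0x800 is MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, which asks the DC to accept a workstation trust account, i.e. a machine account, for this logon) and say so in the comment. Because the value is hard-coded at the call site rather than passed in by the caller, every logon through this function now carries the flag, not only ntlm_auth's; making it a parameter that defaults to 0 would confine the behaviour change to the PEAP/MSCHAPv2 case the mail says was tested.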
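Review bot: the @@ -800,7 hunk has the same magic-number problem and should use the same named constant so the two call sites cannot drift apart; this is the call that takes caller-supplied `lm_response.data` and `nt_response.data`, i.e. the challenge/response path the mail relies on, so it is the one that matters for ntlm_auth. The untouched context `0xdead, 0xbeef, /* LUID? */` shows the LUID was already a placeholder, so the flag is the only behavioural change here; a one-line patch description stating that would make the change much easier to review and to carry forward across Samba versions.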

More information about the Freeradius-Users mailing list