rlm_exec with ntlm_auth broken in 3.0.2+git??

peter.geiser at id.unibe.ch
Mon Feb 10 11:03:09 CET 2014


Thanks Arran for ultimate fast patching! :-)
The new version is already productive here and works fine.

- Peter


On 10.02.14 10:40, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
wrote:

>
>On 10 Feb 2014, at 08:31, peter.geiser at id.unibe.ch wrote:
>
>> Is ntlm_auth with clear text password broken in FR 3.0.2+git?
>> 
>> Module config:
>> #
>> exec ntlm_auth {
>> 	wait = yes
>> 	program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>> }
>> 
>> 
>> Debug output:
>> 
>> Found Auth-Type = ntlm_auth
>> (0) # Executing group from file /etc/freeradius/sites-enabled/ntlm
>> (0)  Auth-Type ntlm_auth {
>> (0) ntlm_auth : Executing: /usr/bin/ntlm_auth --request-nt-key
>> --domain=DOMAIN --username=%{mschap:User-Name}
>> --password=%{User-Password}
>> (0) ntlm_auth : 	expand: "--username=%{mschap:User-Name}" ->
>> '--username=testuser'
>> (0) ntlm_auth : 	expand: "--password=%{User-Password}" ->
>> '--password=TEST1234'
>> (0) ERROR: ntlm_auth : Failed parsing output from: /usr/bin/ntlm_auth
>> --request-nt-key --domain=DOMAIN --username=%{mschap:User-Name}
>> --password=%{User-Password}: Expecting operator
>> (0) ERROR: ntlm_auth : Program returned code (0) and output
>>'NT_STATUS_OK:
>> Success (0x0)'
>> (0)   [ntlm_auth] = fail
>> (0)  } # Auth-Type ntlm_auth = fail
>> (0) Failed to authenticate the user.
>> 
>> 
>> 
>> Authentication seems to be ok but FR can't parse the return values.
>
>Thanks for the bug report.
>
>FreeRADIUS shouldn't be *trying* to parse the return values, that's the
>issue.
>The state of the output_pairs config item wasn't being represented in the
>call to radius_exec_program, so it was assuming the program would return
>AVP strings or nothing.
>
>This issue was exposed by a previous fix to radius_exec_program.
>
>I've pushed a fix to both branches.
>
>Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>FreeRADIUS Development Team
>
>FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
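
Added example, not part of the original thread and not FreeRADIUS source code: a simplified C model of the behaviour described above, where program output is only parsed as attribute-value pairs when an output list is configured, and otherwise only the exit code decides the result. The names exec_result, looks_like_avp and parse_output are hypothetical, and the operator check is a reduced stand-in for the real pair parser.

```c
/* Simplified model (an assumption, not FreeRADIUS code): how an exec wrapper
 * treats program output depending on whether an output pair list is set. */
#include <ctype.h>
#include <stdio.h>

enum rcode { RC_OK, RC_FAIL };

/* Hypothetical minimal check for "Attribute op value": a name made of
 * [A-Za-z0-9_-], optional blanks, then one of = := += != as the operator. */
static int looks_like_avp(const char *s)
{
	while (isspace((unsigned char)*s)) s++;
	if (!isalpha((unsigned char)*s)) return 0;
	while (isalnum((unsigned char)*s) || *s == '-' || *s == '_') s++;
	while (*s == ' ' || *s == '\t') s++;
	if (*s == '=') return 1;
	if ((*s == ':' || *s == '+' || *s == '!') && s[1] == '=') return 1;
	return 0;	/* corresponds to the "Expecting operator" failure */
}

/* parse_output models "is an output pair list configured?". When it is 0
 * the text is informational only and the exit code alone decides. */
enum rcode exec_result(int exit_code, const char *output, int parse_output)
{
	if (exit_code != 0) return RC_FAIL;
	if (!parse_output || output[0] == '\0') return RC_OK;
	return looks_like_avp(output) ? RC_OK : RC_FAIL;
}

int main(void)
{
	/* Program output taken from the debug log in this thread. */
	const char *ntlm = "NT_STATUS_OK: Success (0x0)";

	printf("output parsed as pairs: %s\n",
	       exec_result(0, ntlm, 1) == RC_OK ? "ok" : "fail");
	printf("exit code only:         %s\n",
	       exec_result(0, ntlm, 0) == RC_OK ? "ok" : "fail");
	return 0;
}
```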