mschap direct-to-Winbind different behaviour
Hi folks, I've been investigating switching my mschap authentications from ntlm_auth to use direct Winbind connections with libwbclient. It works fine for user authentications against AD but does not work for machine authentications against the same. The direct Winbind method returns an error from AD. Can anyone explain this? FreeRADIUS 3.1.x built from git Samba 4.2.3 from CentOS 7 Here's my mschap config: mschap eduroammschap { # Either: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} --challenge=%{eduroammschap:Challenge} --nt-response=%{eduroammschap:NT-Response} " # Or: winbind_username = "%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}}" winbind_domain = "%{eduroammschap:NT-Domain}" pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 } allow_retry = no retry_msg = "Verify username and re-enter your password" } Debug using ntlm_auth: (7) Auth-Type eduroamlioneap { (7) eduroamlioneap - Peer sent packet with EAP method MSCHAPv2 (26) (7) eduroamlioneap - Calling submodule eap_mschapv2 to process data (7) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/eduroamlion-inner (7) eap_mschapv2 - Auth-Type MS-CHAP { (7) eduroammschap - Creating challenge hash with username: MONITOR899307$ (7) eduroammschap - Client is using MS-CHAPv2 (7) eduroammschap - Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} --challenge=%{eduroammschap:Challenge} --nt-response=%{eduroammschap:NT-Response} : (7) eduroammschap - EXPAND --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} (7) eduroammschap - --> --username=MONITOR899307$ (7) eduroammschap - EXPAND --challenge=%{eduroammschap:Challenge} (7) eduroammschap - Creating challenge hash with username: MONITOR899307$ (7) eduroammschap - --> --challenge=d6341cfb2d2e480e (7) eduroammschap - EXPAND --nt-response=%{eduroammschap:NT-Response} (7) eduroammschap - --> --nt-response=843e30991be16db3f688bff168572cb202bf0582b0713189 (7) eduroammschap - Program returned code (0) and output 'NT_KEY: 4B6BB21FE18F7D003EFD4D39CFC5939A' (7) eduroammschap - Adding MS-CHAPv2 MPPE keys (7) eduroammschap (ok) Debug using direct Winbind: (27) Auth-Type eduroamlioneap { (27) eduroamlioneap - Peer sent packet with EAP method MSCHAPv2 (26) (27) eduroamlioneap - Calling submodule eap_mschapv2 to process data (27) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/eduroamlion-inner (27) eap_mschapv2 - Auth-Type MS-CHAP { (27) eduroammschap - Creating challenge hash with username: MONITOR899307$ (27) eduroammschap - Client is using MS-CHAPv2 (27) eduroammschap - EXPAND %{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} (27) eduroammschap - --> MONITOR899307$ (27) eduroammschap - EXPAND %{eduroammschap:NT-Domain} (27) eduroammschap - --> UOB (27) eduroammschap - Reserved connection (1) (27) eduroammschap - sending authentication request user='MONITOR899307$' domain='UOB' (27) eduroammschap - Released connection (1) (27) eduroammschap - ERROR: No logon workstation trust account [0xC0000199] (27) eduroammschap - ERROR: Password has expired. User should retry authentication (27) eduroammschap (reject) Thanks, Jonathan -- Jonathan Gazeley Senior Systems Administrator IT Services University of Bristol
hi, the ntlm_auth doesnt appear to be using a domain but the winbind method is.... alan
On 08/03/16 13:23, A.L.M.Buxey@lboro.ac.uk wrote:
hi,
the ntlm_auth doesnt appear to be using a domain but the winbind method is....
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes. I spotted this just after hitting send. I tried commenting winbind_domain and repeating the test. It warns that the domain is not present but will continue anyway, and then runs into the same error as before. So I don't think it is this. Well spotted, though :) -- Jonathan Gazeley Senior Systems Administrator IT Services University of Bristol
On Tue, Mar 08, 2016 at 01:27:10PM +0000, Jonathan Gazeley wrote:
Yes. I spotted this just after hitting send. I tried commenting winbind_domain and repeating the test. It warns that the domain is not present but will continue anyway,
Yes, it's just a warning to prompt people who might have forgotten to set it. Nothing more.
and then runs into the same error as before. So I don't think it is this.
I never had computer auth in mind when writing that, and never tested it, so looks like you might be the first one :) I'd assumed (wrongly it seems) that people doing computer auth would just use EAP-TLS. It looks like the error is discussed in https://technet.microsoft.com/en-us/library/jj852275.aspx ntlm_auth uses essentially the same calls internally, so I'd have to check to see if it is setting something that the FreeRADIUS code isn't. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Tue, Mar 08, 2016 at 01:39:50PM +0000, Matthew Newton wrote:
and then runs into the same error as before. So I don't think it is this.
ntlm_auth uses essentially the same calls internally, so I'd have to check to see if it is setting something that the FreeRADIUS code isn't.
Can you try the attached patch and see if it helps? (Entirely untested here...) Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mar 8, 2016, at 8:57 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Can you try the attached patch and see if it helps? (Entirely untested here...)
Use inline text. The mailing list strips most attachments because people were posting screenshots of a terminal window with the debug output. Alan DeKok.
On Tue, Mar 08, 2016 at 08:58:44AM -0500, Alan DeKok wrote:
On Mar 8, 2016, at 8:57 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Can you try the attached patch and see if it helps? (Entirely untested here...)
Use inline text. The mailing list strips most attachments
Hmm - OK, thanks. Thought patches were allowed through.
because people were posting screenshots of a terminal window with the debug output.
Yeah, the reasons are clear :) Matthew
From 9743d4f6a435fdfb62e26f1734f3142cf5b20db8 Mon Sep 17 00:00:00 2001 From: Matthew Newton <mcn4@leicester.ac.uk> Date: Tue, 8 Mar 2016 13:52:14 +0000 Subject: [PATCH] update wbcAuthenticateUserEx params
--- src/modules/rlm_mschap/auth_wbclient.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/modules/rlm_mschap/auth_wbclient.c b/src/modules/rlm_mschap/auth_wbclient.c index 1c8981d..f71cb6a 100644 --- a/src/modules/rlm_mschap/auth_wbclient.c +++ b/src/modules/rlm_mschap/auth_wbclient.c @@ -111,7 +111,9 @@ int do_auth_wbclient(rlm_mschap_t *inst, REQUEST *request, memcpy(authparams.password.response.challenge, challenge, sizeof(authparams.password.response.challenge)); - authparams.parameter_control |= WBC_MSV1_0_ALLOW_MSVCHAPV2; + authparams.parameter_control |= WBC_MSV1_0_ALLOW_MSVCHAPV2 | + WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | + WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT; /* * Send auth request across to winbind -- 2.1.4 -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 08/03/16 13:57, Matthew Newton wrote:
On Tue, Mar 08, 2016 at 01:39:50PM +0000, Matthew Newton wrote:
and then runs into the same error as before. So I don't think it is this.
ntlm_auth uses essentially the same calls internally, so I'd have to check to see if it is setting something that the FreeRADIUS code isn't.
Can you try the attached patch and see if it helps? (Entirely untested here...)
Great! This works and fixes the problem we were seeing. Congrats on your patching-by-inspection :) Will this patch make it into git? Thanks, Jonathan -- Jonathan Gazeley Senior Systems Administrator IT Services University of Bristol
On Tue, Mar 08, 2016 at 02:58:50PM +0000, Jonathan Gazeley wrote:
Great! This works and fixes the problem we were seeing. Congrats on your patching-by-inspection :)
Cool.
Will this patch make it into git?
I'll do a PR. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mar 8, 2016, at 9:58 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
Great! This works and fixes the problem we were seeing. Congrats on your patching-by-inspection :)
Will this patch make it into git?
It's in the v3.0.x branch. Thanks to Matthew for the patch. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Jonathan Gazeley -
Matthew Newton