I'm configuring a new deployment using the libwbclient integration. Can I authenticate users supplying plain-text passwords (e.g. TTLS/PAP) using the libwbclient integration, or do I need to configure a fallback to ntlm_auth for such requests? Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Fri, Oct 14, 2016 at 02:06:48PM +0000, Adam Bishop wrote:
I'm configuring a new deployment using the libwbclient integration.
Can I authenticate users supplying plain-text passwords (e.g. TTLS/PAP) using the libwbclient integration, or do I need to configure a fallback to ntlm_auth for such requests?
With 3.0, no - use ntlm_auth. With 3.1 / 4.0, you can use the rlm_winbind module for this. Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
As Matthew already replied. I'm afraid that I'm somewhat responsible for that feature being present ;) alan
On 14 Oct 2016, at 15:13, Matthew Newton <mcn4@leicester.ac.uk> wrote:
With 3.0, no - use ntlm_auth.
All up and working - two quick question about the libwb integration: (197) mschap: ERROR: No such user [0xC0000064] (197) mschap: ERROR: Password has expired. User should retry authentication Is "password expired" expected when a non-existent user is submitted? (197) mschap: Creating challenge hash with username: radtest@dev.ja.net (197) mschap: Client is using MS-CHAPv2 (197) mschap: EXPAND %{mschap:User-Name} (197) mschap: --> radtest@dev.ja.net (197) mschap: ERROR: No NT-Domain was found in the User-Name Do I need to be splitting the username manually here, or should it be figuring that out automatically? Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Errors are interesting However for realms locally handled you should be using the stripped-user-name in the module not the mschap:user-name (That attribute is automatically populated by realm module when entry is in proxy.conf..... can't wait for future implementation when v4 comes around ;) ) alan
On Mon, Oct 17, 2016 at 01:27:42PM +0000, Adam Bishop wrote:
On 14 Oct 2016, at 15:13, Matthew Newton <mcn4@leicester.ac.uk> wrote:
With 3.0, no - use ntlm_auth.
All up and working - two quick question about the libwb integration:
(197) mschap: ERROR: No such user [0xC0000064]
0xC0000064 is "No such user", so that is correct (this error comes directly from Samba)
(197) mschap: ERROR: Password has expired. User should retry authentication
That shouldn't happen. What version / git hash?
Is "password expired" expected when a non-existent user is submitted?
No
(197) mschap: Creating challenge hash with username: radtest@dev.ja.net (197) mschap: Client is using MS-CHAPv2 (197) mschap: EXPAND %{mschap:User-Name} (197) mschap: --> radtest@dev.ja.net (197) mschap: ERROR: No NT-Domain was found in the User-Name
Do I need to be splitting the username manually here, or should it be figuring that out automatically?
I usually split manually and not rely on the %{mschap: magic. But whatever works really. MSCHAP usernames can be weird. The magic should work with domain\username style IIRC. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mon, Oct 17, 2016 at 09:55:49AM -0400, Alan DeKok wrote:
On Oct 17, 2016, at 9:48 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
(197) mschap: ERROR: Password has expired. User should retry authentication
That shouldn't happen.
IIRC, there was a patch post 3.0.12 which fixed that.
Hmm, maybe a couple of things then. As auth_wbclient was setting rcode to -648 for statuses other than NT_STATUS_PASSWORD_EXPIRED or NT_STATUS_PASSWORD_MUST_CHANGE. Should definitely be sorted now anyway. Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 17 Oct 2016, at 15:09, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Should definitely be sorted now anyway.
Looks good to me. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On 17 Oct 2016, at 14:48, Matthew Newton <mcn4@leicester.ac.uk> wrote:
0xC0000064 is "No such user", so that is correct (this error comes directly from Samba)
Yup, that bit's correct - it's definitely a non-existent user.
(197) mschap: ERROR: Password has expired. User should retry authentication
That shouldn't happen.
What version / git hash?
v3.0.13, 86f87ddc102eaf82b70fc531d948276f3271a416 - checking the changeling I've just noticed Alan put in a fix for a suspiciously similar sounding issue the day after. I'll rebuild and see if it still happens.
I usually split manually and not rely on the %{mschap: magic. But whatever works really. MSCHAP usernames can be weird. The magic should work with domain\username style IIRC.
I figured that would be the case - just thought I'd check before changing the defaults. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Mon, Oct 17, 2016 at 01:56:59PM +0000, Adam Bishop wrote:
On 17 Oct 2016, at 14:48, Matthew Newton <mcn4@leicester.ac.uk> wrote:
0xC0000064 is "No such user", so that is correct (this error comes directly from Samba)
Yup, that bit's correct - it's definitely a non-existent user.
(197) mschap: ERROR: Password has expired. User should retry authentication
That shouldn't happen.
What version / git hash?
v3.0.13, 86f87ddc102eaf82b70fc531d948276f3271a416 - checking the changeling I've just noticed Alan put in a fix for a suspiciously similar sounding issue the day after.
I'll rebuild and see if it still happens.
Dunno what I was smoking when I wrote that. I've pushed a fix to 3.1/4.0. Still trying to get github to accept pushes to 3.0; it'll turn up there in a bit if I can beat it into submission. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
I usually split manually and not rely on the %{mschap: magic. But whatever works really. MSCHAP usernames can be weird. The magic should work with domain\username style IIRC.
anything can come through the mschap channel - because its unde the user control... wierd prefixes, wrong domains etc....so I dont use/trust mschap:domain nor do i use/trust the mschap:user-name - its my stripped-user-name :) alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Adam Bishop -
Alan Buxey -
Alan DeKok -
Matthew Newton