NT-Domain parsing issue

Ryan Bair ryandbair at gmail.com
Sat Dec 28 23:20:13 CET 2019


I ran into an issue where AD computer authentication was failing using
PEAP-MS-CHAPv2. Eventually I determined the root of the issue was that
NT-Domain wasn't being parsed out of the User-Name (SPN style) correctly.

Here's a link to the offending code:
https://github.com/FreeRADIUS/freeradius-server/blob/bba9954201b3f874e492bc11422836d064bbbff0/src/modules/rlm_mschap/rlm_mschap.c#L479

There's an assumption that the first component of the domain name is the
(legacy) short name of the domain. This is certainly a common configuration
but not something that can be relied upon.

I believe a more correct behavior here would be to take everything after
the host and pass that along as the NT-Domain value. For instance
"host\machine.domain.tld" would be parsed as domain of "domain" today but
I'm proposing this should be "domain.tld" instead. There's certainly some
risk of breakage here, but as far as I know any Samba related program will
accept either the short name or the DNS name of the domain interchangeably.
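The following C program is an added illustration and is neither FreeRADIUS code nor part of the post: it contrasts the two NT-Domain extraction behaviours described above, the current one (the label right after the host name) and the proposed one (everything after the host name). It assumes the SPN form `host/machine.domain.tld` with a `/` separator; the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustration only (not rlm_mschap code). Assumption: SPN-style
 * User-Names look like "host/machine.domain.tld".
 */
#define SPN_PREFIX "host/"

/* Return the FQDN after "host/", or NULL if the name is not SPN style. */
static const char *spn_fqdn(const char *user_name)
{
    size_t plen = strlen(SPN_PREFIX);
    if (strncmp(user_name, SPN_PREFIX, plen) != 0) return NULL;
    return user_name + plen;
}

/*
 * Behaviour the post describes as current: the single DNS label after the
 * host name is taken as the (legacy short) NT-Domain.
 * Copies the result into out (outlen bytes); returns its length or -1.
 */
int nt_domain_first_label(const char *user_name, char *out, size_t outlen)
{
    const char *fqdn = spn_fqdn(user_name);
    const char *start, *end;
    size_t len;

    if (!fqdn) return -1;
    start = strchr(fqdn, '.');
    if (!start || start[1] == '\0') return -1;   /* no domain component */
    start++;
    end = strchr(start, '.');
    len = end ? (size_t)(end - start) : strlen(start);
    if (len + 1 > outlen) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/*
 * Behaviour the post proposes: everything after the host name is the
 * NT-Domain, i.e. the DNS name of the domain.
 */
int nt_domain_full(const char *user_name, char *out, size_t outlen)
{
    const char *fqdn = spn_fqdn(user_name);
    const char *start;
    size_t len;

    if (!fqdn) return -1;
    start = strchr(fqdn, '.');
    if (!start || start[1] == '\0') return -1;   /* no domain component */
    start++;
    len = strlen(start);
    if (len + 1 > outlen) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample User-Names, not taken from a real directory. */
    const char *samples[] = {
        "host/machine.domain.tld",
        "host/machine.corp.example.com",   /* short name != first label */
        "host/machine",                    /* no domain component */
        "DOMAIN\\user",                    /* not SPN style */
    };
    char d1[256], d2[256];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int a = nt_domain_first_label(samples[i], d1, sizeof d1);
        int b = nt_domain_full(samples[i], d2, sizeof d2);
        printf("%-32s first-label=%-10s full=%s\n", samples[i],
               a < 0 ? "(none)" : d1, b < 0 ? "(none)" : d2);
    }
    return 0;
}
```

The second sample shows the case the post is about: with a forest such as `corp.example.com` whose NetBIOS name is not `corp`, the first-label rule hands the authenticator a domain that does not exist, while the full-DNS rule passes `corp.example.com`, which the post says Samba tooling accepts interchangeably with the short name.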