rlm_exec with ntlm_auth broken in 3.0.2+git??
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Feb 10 10:40:40 CET 2014
On 10 Feb 2014, at 08:31, peter.geiser at id.unibe.ch wrote:
> Is ntlm_auth with clear text password broken in FR 3.0.2+git?
>
> Modul Config:
> #
> exec ntlm_auth {
> wait = yes
> program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN
> --username=%{mschap:User-Name} --password=%{User-Password}"
> }
>
>
> Debug output:
>
> Found Auth-Type = ntlm_auth
> (0) # Executing group from file /etc/freeradius/sites-enabled/ntlm
> (0) Auth-Type ntlm_auth {
> (0) ntlm_auth : Executing: /usr/bin/ntlm_auth --request-nt-key
> ‹domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
> (0) ntlm_auth : expand: "--username=%{mschap:User-Name}" ->
> '--username=testuser'
> (0) ntlm_auth : expand: "--password=%{User-Password}" ->
> '--password=TEST1234'
> (0) ERROR: ntlm_auth : Failed parsing output from: /usr/bin/ntlm_auth
> --request-nt-key ‹domain=DOMAIN --username=%{mschap:User-Name}
> --password=%{User-Password}: Expecting operator
> (0) ERROR: ntlm_auth : Program returned code (0) and output 'NT_STATUS_OK:
> Success (0x0)'
> (0) [ntlm_auth] = fail
> (0) } # Auth-Type ntlm_auth = fail
> (0) Failed to authenticate the user.
>
>
>
> Authentication seems to be ok but FR can¹t parse the return values.
Thanks for the bug report.
FreeRADIUS shouldn't be *trying* to parse the return vales, that's the issue.
The state of the output_pairs config item wasn't being represented in the call
to radius_exec_program, so it was assuming the program would return AVP strings
or nothing.
This issue was exposed by a previous fix to radius_exec_program.
I've pushed a fix to both branches.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140210/01eb1245/attachment.pgp>
More information about the Freeradius-Users
mailing list