rlm_exec with ntlm_auth broken in 3.0.2+git??

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Feb 10 10:40:40 CET 2014


On 10 Feb 2014, at 08:31, peter.geiser at id.unibe.ch wrote:

> Is ntlm_auth with clear text password broken in FR 3.0.2+git?
> 
> Module Config:
> #
> exec ntlm_auth {
> 	wait = yes
> 	program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN
> --username=%{mschap:User-Name} --password=%{User-Password}"
> }
> 
> 
> Debug output:
> 
> Found Auth-Type = ntlm_auth
> (0) # Executing group from file /etc/freeradius/sites-enabled/ntlm
> (0)  Auth-Type ntlm_auth {
> (0) ntlm_auth : Executing: /usr/bin/ntlm_auth --request-nt-key
> --domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
> (0) ntlm_auth : 	expand: "--username=%{mschap:User-Name}" ->
> '--username=testuser'
> (0) ntlm_auth : 	expand: "--password=%{User-Password}" ->
> '--password=TEST1234'
> (0) ERROR: ntlm_auth : Failed parsing output from: /usr/bin/ntlm_auth
> --request-nt-key --domain=DOMAIN --username=%{mschap:User-Name}
> --password=%{User-Password}: Expecting operator
> (0) ERROR: ntlm_auth : Program returned code (0) and output 'NT_STATUS_OK:
> Success (0x0)'
> (0)   [ntlm_auth] = fail
> (0)  } # Auth-Type ntlm_auth = fail
> (0) Failed to authenticate the user.
> 
> 
> 
> Authentication seems to be ok but FR can't parse the return values.

Thanks for the bug report.

FreeRADIUS shouldn't be *trying* to parse the return values, that's the issue.
The state of the output_pairs config item wasn't being represented in the call
to radius_exec_program, so it was assuming the program would return AVP strings
or nothing.

This issue was exposed by a previous fix to radius_exec_program.

I've pushed a fix to both branches.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
