Bug 42535 - Support domain\username format for radius
Support domain\username format for radius
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 4.2
Other Windows 8.1
: P5 normal (vote)
: UCS 4.3-2-errata
Assigned To: Sönke Schwardt-Krummrich
Jürn Brodersen
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-09-29 17:07 CEST by firedragon
Modified: 2018-12-05 14:39 CET (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017112721000421, 2017112921000051
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description firedragon 2016-09-29 17:07:47 CEST
If possible allow the format of domain\username for RADIUS authentication so that windows can be configured to auto send the username and also it is possible to join the network with the machine account.
Comment 1 Benjamin Kurschies 2017-10-17 13:18:06 CEST
I've got similar problems but was able to solve it quite easily...

1. in /etc/freeradius/proxy.conf I added the following line at the bottom:
realm <NT DOMAIN NAME> {
}

2. in /etc/freeradius/sites-available/default I added this:
...
authorize {
  # some comments...
  preprocess

  # NEW
  ntdomain

  # more comments...
  chap
...


everything else is default, so it should be easy to modify the template(s) and create this entries automatically.

P.S. I'm not a radius expoert, I just read some blogs and made some "try & error" sessions.
Comment 2 Michel Smidt univentionstaff 2017-11-28 14:12:36 CET
Customer asked for it.
Already fixed in UCS@school RADIUS package: Bug #44603
Comment 3 Stefan Gohmann univentionstaff 2017-12-12 22:08:11 CET
@Sönke, can you attach the patch from Bug #44955 to this issue?
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2017-12-13 15:15:47 CET
(In reply to Stefan Gohmann from comment #3)
> @Sönke, can you attach the patch from Bug #44955 to this issue?

Quite simple... the given username is modified until it fits for the LDAP search.

The patch wouldn't help here. I think parseUsername() in 
git/ucs/services/univention-radius/usr/share/pyshared/univention/networkaccess.py
has to be modified. Something like this:


--- a/services/univention-radius/usr/share/pyshared/univention/networkaccess.py
+++ b/services/univention-radius/usr/share/pyshared/univention/networkaccess.py
@@ -262,6 +262,9 @@ DISALLOWED_SAMBA_ACCOUNT_FLAGS = frozenset((SAMBA_ACCOUNT_FLAG_DISABLED, SAMBA_A
 def parseUsername(username):
 	'''convert username from host/-format to $-format if required'''
 	if not username.startswith('host/'):
+		if username.count('\\') == 1:
+			# seems to be in format DOMAIN\USERNAME
+			username = username.split('\\', 1)[1]
 		return username
 	username = username.split('/', 1)[1]  # remove host/
 	username = username.split('.', 1)[0]  # remove right of '.'
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-11-27 14:02:00 CET
This requires some more investigation.

The flag "ntdomain" mentioned in comment 1 is already part of 
sites-available/default. If the realms are added to 
/etc/freeradius/3.0/proxy.conf, the authentication works sometimes.

"sometimes" because the success depends on the username.
Currently it looks like freeradius is converting the user "NSTX\bwce6f7qcj" to "NSTX\010wce6f7qcj" when the ntlm_auth_helper is called. It even gets worse if the username starts with a "n" → "\n" → newline.

In such cases, the authentication fails constantly. If the username starts with a "u", there is no problem with authentication.

I added a test script ucs-test/45_radius/03_username_with_ntdomain that is currently disabled, because it would fail randomly due to the random usernames.

The patch in comment #4 is not required. So if this quoting problem is fixed,
the bug would be (nearly) solved.
Bonus would be, that the realm is automatically written to proxy.conf.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-11-28 14:54:56 CET
(In reply to Sönke Schwardt-Krummrich from comment #5)
> This requires some more investigation.

Next day, new attempt...

> The flag "ntdomain" mentioned in comment 1 is already part of 
> sites-available/default. If the realms are added to 
> /etc/freeradius/3.0/proxy.conf, the authentication works sometimes.
> 
> "sometimes" because the success depends on the username.
> Currently it looks like freeradius is converting the user "NSTX\bwce6f7qcj"
> to "NSTX\010wce6f7qcj" when the ntlm_auth_helper is called. It even gets
> worse if the username starts with a "n" → "\n" → newline.

radtest and radclient have problems at least with backslashes and are trying to 
quote or interpret them → the username becomes garbage.

The testscript 03_username_with_ntdomain has been changed accordingly and is now using eapol_test.
 
> The patch in comment #4 is not required. 
This is still the case.

> Bonus would be, that the realm is automatically written to proxy.conf.
There is now a new UCR template proxy.conf that contains a realm entry for the NETBIOS domain (stored in UCRV windows/domain). The original proxy.conf is diverted to proxy.conf.debian.

d5ba83e3e6 Bug #42535: Merge branch 'sschwardt/42535/4.3/radius-auth' into 4.3-2
00ffa3361a Bug #42535: add changelog entry
77471aca25 Bug #42535: reimplement 03_username_with_ntdomain to circumvent freeradius quoting issues
5fc4a69417 Bug #42535: add advisory
5e98c20ea3 Bug #42535: add changelog entry
539df6009b Bug #42535: add new UCR template for proxy.conf but also include proxy.conf.debian

Package: univention-radius
Version: 5.0.1-1A~4.3.0.201811281453
Branch: ucs_4.3-0
Scope: errata4.3-2

Package: ucs-test
Version: 8.0.28-237A~4.3.0.201811281454
Branch: ucs_4.3-0
Scope: errata4.3-2
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2018-11-29 15:17:01 CET
893da68b5c Bug #42535: fixed whitespace typo

Package: univention-radius
Version: 5.0.1-2A~4.3.0.201811291515
Branch: ucs_4.3-0
Scope: errata4.3-2

Advisory has been updated.
Comment 8 Jürn Brodersen univentionstaff 2018-11-29 16:49:22 CET
I fixed a small bug in the proxy.conf template:
[4.3-2 9e041adcbe] Bug #42535: Fix missing comment on new line
[4.3-2 be329db6dc] Bug #42535: YAML

Tests are looking good -> OK
YAML -> OK

Package: univention-radius
Version: 5.0.1-3A~4.3.0.201811291625
Branch: ucs_4.3-0
Scope: errata4.3-2
Comment 9 Arvid Requate univentionstaff 2018-12-05 14:39:04 CET
<http://errata.software-univention.de/ucs/4.3/361.html>