Univention Bugzilla – Bug 44603
Not possible to use machine account which windows clients send to auth at the radius server
Last modified: 2017-09-12 13:18:20 CEST
Created attachment 8851 [details]
Patch to handle kerberos principal in ucs-school-ntlm-auth.

Windows clients (win7 & win10) send "host/FQDN" as machine account if they try to access WPA2-Enterprise networks. Currently the ucs-school-ntlm-auth which we use in our radius server to authenticate users and machines only can handle usernames (e.g. michel) or machine accounts (e.g. client$). Unfortunately as mentioned above the windows clients send the kerberos principal to auth and therefore fail currently. The attached patch contains some debug statements. A debug facility for ucs-school-ntlm-auth would be very neat.
Created attachment 8856 [details] handle kerberos principal in "username" appropriately
ucs-school-radius-802.1x.yaml:
r81030 | Bug #43421, #44603, #44900, #44916, #44918: updated advisory

ucs-school-radius-802.1x (5.0.1-1):
r80751 | Bug #44603: add handling of kerberos principals

The code is now able to handle kerberos principal names of hosts: "host/win0815.mydomain.example.com" is automatically converted to "win0815$" for the LDAP lookup. The principal has to start with "host/". All other kerberos principals are left untouched during lookup.

Package: ucs-school-radius-802.1x
Version: 5.0.1-1.17.201707111320
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
Looks good principally. But is the following behavior OK?:

# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foobar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
2016-11-18 16:27:05 [26889] getNTPasswordHash: username2='foobar$' stationId='112233445566'
→ correct

# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
2016-11-18 16:27:03 [26885] getNTPasswordHash: username2='foo$bar' stationId='112233445566'
→ if the hostname/username of a machine contains a "$" (not at the end) it cannot authenticate.
It looks like a bug to me. The code reads like the following:

+ if '$' not in username:
+     username += '$'

The test should look at the last character only. However, the '$' character is not allowed in host names. Therefore, this case shouldn't happen and I'd actually expect the authentication to fail.
You are right, this does not make any sense. The $ character is now always added if the username initially starts with "host/".

r81540 | Bug #44603: always add $ sign for host accounts

(In reply to Florian Best from comment #3)
> # /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key
> --username='host/foo$bar.domain' --challenge=00 --nt-response=00
> --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
> 2016-11-18 16:27:03 [26885] getNTPasswordHash: username2='foo$bar'
> stationId='112233445566'
> → if the hostname/username of a machine contains a "$" (not at the end) it
> cannot authenticate.

This is not solely a problem of the code but also that there is no computer account with uid=foo$bar in LDAP ;-)
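The normalisation the change description (r80751) and the follow-up fix (r81540) describe, written out as an added example. This is not the ucs-school-ntlm-auth code; the function names, the split of the FQDN at its first dot, and the stand-in account table are assumptions. It keeps the earlier "append '$' only if absent" variant next to the corrected one so the 'foo$bar' versus 'foo$bar$' difference from the comments above is visible:

```python
"""Added example: mapping the RADIUS/NTLM "username" a Windows client sends
onto the uid used for the LDAP lookup.  Not the project's own code; names and
the dummy directory below are assumed/constructed."""

HOST_PREFIX = "host/"


def normalize_username(username: str) -> str:
    """Corrected behaviour (r81540): a Kerberos host principal
    'host/<fqdn>' becomes the machine account '<shortname>$'; the '$' is
    always appended for host principals.  Plain user names ('michel') and
    machine accounts ('client$') are returned unchanged."""
    if not username.startswith(HOST_PREFIX):
        return username
    fqdn = username[len(HOST_PREFIX):]
    # Assumption: the short host name is everything before the first dot.
    shortname = fqdn.split(".", 1)[0]
    # A '$' inside a host name is invalid anyway, so such a principal simply
    # ends up looking for a uid that does not exist in the directory.
    return shortname + "$"


def normalize_username_original(username: str) -> str:
    """Earlier behaviour discussed in the comments: '$' was only appended
    when it did not occur anywhere in the name, so 'host/foo$bar.domain'
    yielded 'foo$bar' instead of 'foo$bar$'."""
    if not username.startswith(HOST_PREFIX):
        return username
    shortname = username[len(HOST_PREFIX):].split(".", 1)[0]
    if "$" not in shortname:
        shortname += "$"
    return shortname


# Constructed stand-in for the LDAP directory: uid -> DN.
ACCOUNTS = {
    "michel": "uid=michel,cn=users,dc=mydomain,dc=example,dc=com",
    "client$": "cn=client,cn=computers,dc=mydomain,dc=example,dc=com",
    "win0815$": "cn=win0815,cn=computers,dc=mydomain,dc=example,dc=com",
}


def lookup_account(username: str):
    """Return the DN of the account a request refers to, or None if there is
    no such uid (the authentication then fails, as it should)."""
    return ACCOUNTS.get(normalize_username(username))


if __name__ == "__main__":
    for name in ("michel", "client$",
                 "host/win0815.mydomain.example.com", "host/foo$bar.domain"):
        print(f"{name!r:40} -> {normalize_username(name)!r:12} "
              f"{lookup_account(name)}")
```

Running the block prints the mapped uid and the resolved DN (or None) for a plain user, a machine account and two host principals; 'host/foo$bar.domain' maps to 'foo$bar$', which matches the debug output in the later verification comment, and resolves to no account.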
Package: ucs-school-radius-802.1x
Version: 5.0.1-2.18.201707281735
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
OK: latest changes

/usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --logfile /dev/stdout | grep username2
2017-07-25 15:38:14 [1263] getNTPasswordHash: username2='foo$bar$' stationId='112233445566'
UCS@school 4.1 R2 v13 has been released. http://docs.software-univention.de/changelog-ucsschool-4.1R2v13-de.html If this error occurs again, please clone this bug.