Univention Bugzilla – Bug 44918
Add logging to ucs-school-ntlm-auth
Last modified: 2017-10-05 16:43:39 CEST
Debugging of ucs-school-ntlm-auth is hard since there is no feedback other than success/failed. So we need some kind of logging for support/professional service/development.
A new UCR variable has been added to specify a logging file name for the auth helper ucs-school-ntlm-auth: freeradius/conf/auth-type/mschap/debugfn ucr set freeradius/conf/auth-type/mschap/debugfn=/tmp/mschap.log invoke-rc.d freeradius restart The debugging output should help to identify - in which WLAN groups the user is member of - if WLAN is enabled for the group with highest priority - if the sambaNTPassword value could be fetched - if the user is disabled via sambaAcctFlags - if the password is wrong (→ none of the above errors) It is not intended to use this logging feature for continuous logging (too much output, no automatic permission handling for the logfile). ucs-school-radius-802.1x.yaml: r81030 | Bug #43421, #44603, #44900, #44916, #44918: updated advisory ucs-school-radius-802.1x (5.0.1-1): r81033 | Bug #44918: revamp debugging output r81031 | Bug #44918: add UCR variable for enabling debugging of NTLM auth helper r81029 | Bug #44918: switch from @%@BCWARNING=@%@ to @%@UCRWARNING=@%@ r81028 | Bug #44918: fixed typo in README r81027 | Bug #44918: updated copyright r80753 | Bug #44918: add some basic logging for debugging Package: ucs-school-radius-802.1x Version: 5.0.1-1.17.201707111320 Branch: ucs_4.1-0 Scope: ucs-school-4.1r2 Help for QA: ---[eapol_test.conf]--- network={ key_mgmt=WPA-EAP eap=PEAP identity="norbert1" anonymous_identity="anonymous" password="univention" phase2="autheap=MSCHAPV2" } -----[cut]-------------- # eapol_test -c eappol_test.conf -s testing123 # eapol_test -c eappol_test.conf -s testing123 -M 11:22:33:44:55:66 The user "norbert1" should exist and should (not) be member of a class/workgroup with assigned internet rule. Within the internet rule WLAN may be enabled/disabled. "testing123" is the default password in /etc/freeradius/clients.conf for communication between accesspoint and freeradius.
REOPEN: + parser.add_option('--debug-stderr', dest='debug_stderr', action='store_true', default=False) + parser.add_option('--debug-fn', dest='debug_fn') → I think the first is unnecessary because one could just to --debug-fn=/dev/stderr. → I think a better name than --debug-fn would be --logfile. + helper_cmd += ' --debug-fn=%s' % (debug_fn,) → Missing shell escaping. + if True not in [wlanEnabled for (grpname, priority, wlanEnabled, ) in matchingGroups if priority == maxPriority]: → This should be better: if not any(True for (grpname, priority, wlanEnabled, ) in matchingGroups if priority == maxPriority and wlanEnabled):
usr/bin/ucs-school-ntlm-auth|104 col 27 error| E226 missing whitespace around arithmetic operator
The tests are also failing because of the following change: r81033 - groups = [groupInfo[group] for group in groups if group in groupInfo] - if not groups: + matchingGroups = [[group]+list(groupInfo[group]) for group in groups if group in groupInfo] + if not matchingGroups: … - (maxPriority, _, ) = max(groups) + (_, maxPriority, _, ) = max(matchingGroups) This gives different results now depending on the group name. >>> max([('b', 1, None), ('a', 2, None)]) ('b', 1, None) Hotfix: diff --git a/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth b/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth index 26af9a5..5f04fff 100644 --- a/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth +++ b/ucs-school-radius-802.1x/usr/bin/ucs-school-ntlm-auth @@ -101,7 +101,7 @@ def getNTPasswordHash(username, stationId): » if groups is None: » » debug('getNTPasswordHash: user not found in any relevant group - access denied') » » return None -» matchingGroups = [[group]+list(groupInfo[group]) for group in groups if group in groupInfo] +» matchingGroups = [list(groupInfo[group]) + [group] for group in groups if group in groupInfo] » if not matchingGroups: » » debug('getNTPasswordHash: user not found in any WLAN enabled group - access denied') » » debug('getNTPasswordHash: user groups=%r' % (groups,))
(In reply to Florian Best from comment #2) > REOPEN: > + parser.add_option('--debug-stderr', dest='debug_stderr', > action='store_true', default=False) > + parser.add_option('--debug-fn', dest='debug_fn') > > → I think the first is unnecessary because one could just to > --debug-fn=/dev/stderr. → DONE > → I think a better name than --debug-fn would be --logfile. → DONE > + helper_cmd += ' --debug-fn=%s' % (debug_fn,) > → Missing shell escaping. → fixed > + if True not in [wlanEnabled for (grpname, priority, wlanEnabled, ) in > matchingGroups if priority == maxPriority]: > → This should be better: > if not any(True for (grpname, priority, wlanEnabled, ) in matchingGroups if > priority == maxPriority and wlanEnabled): → DONE (In reply to Florian Best from comment #4) > The tests are also failing because of the following change: > - (maxPriority, _, ) = max(groups) > + (_, maxPriority, _, ) = max(matchingGroups) You are right. Fixed via maxPriority = max(matchingGroups, key=lambda x: x[1]) r81545 | Bug #44918: updated advisory r81544 | Bug #44918: several fixes r81543 | Bug #44918: update changelog entry r81542 | Bug #44918: escape filename if neccessary Package: ucs-school-radius-802.1x Version: 5.0.1-2.18.201707281735 Branch: ucs_4.1-0 Scope: ucs-school-4.1r2
Why is this still set to REOPENED?
The UCR variable has been renamed to freeradius/conf/auth-type/mschap/authhelper-logfile
OK: Latest changes fix old behavior OK: renaming UCR variable OK: YAML (except version number)
Had to reopen this bug: the maxPriority comparison was wrong ucs-school-radius-802.1x (5.0.1-4): 1a37973be6 | Bug #44918: added changelog entry 467ff6beca | Bug #44918: renamed maxPriority to maxPriorityGroup 660378a472 | Bug #44918: fixed comparison in ucs-school-ntlm-auth Package: ucs-school-radius-802.1x Version: 5.0.1-4.20.201709081518 Branch: ucs_4.1-0 Scope: ucs-school-4.1r2
ucs-school-radius-802.1x.yaml: 5cd0c6bf67 | Bug #44918: advisory update
Looks good now.
UCS@school 4.1 R2 v13 has been released. http://docs.software-univention.de/changelog-ucsschool-4.1R2v13-de.html If this error occurs again, please clone this bug.