+++ This bug was initially created as a clone of Bug #44603 +++ Windows clients (win7 & win10) send "host/FQDN" as machine account if they try to access WPA2-Enterprise networks. Currently the ucs-school-ntlm-auth which we use in our radius server to authenticate users and machines only can handle usernames (e.g. michel) or machine accounts (e.g. client$). Unfortunately as mentioned above the windows clients send the kerberos principle to auth and therfore fail currently. The attached patch contains some debug statements. A debug facility for ucs-school-ntlm-auth would be very neat.
The code is now able to handle kerberos principal names of hosts: "host/win0815.mydomain.example.com" is automatically converted to "win0815$" for the LDAP lookup. The principal has to start with "host/". All other kerberos principals are left untouched during lookup. Patches have been ported from UCS@school 4.1R2 to UCS@school 4.2 (unfortunately with bug numbers of 4.1R2). ucs-school-radius-802.1x (6.0.1-1): r82473 | Bug #44603: always add $ sign for host accounts r82472 | Bug #44603: add handling of kerberos principals Package: ucs-school-radius-802.1x Version: 6.0.1-1A~4.2.0.201708242117 Branch: ucs_4.2-0 Scope: ucs-school-4.2
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566' --logfile /dev/stdout | grep username2 2017-08-13 09:48:49 [21329] getNTPasswordHash: username2='foo$bar$' stationId='112233445566' root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foobar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566' --logfile /dev/stdout | grep username2 2017-08-13 09:49:05 [21337] getNTPasswordHash: username2='foobar$' stationId='112233445566'
OK: machine account works OK: YAML
UCS@school 4.2 v3 has been released. http://docs.software-univention.de/changelog-ucsschool-4.2v3-de.html If this error occurs again, please clone this bug.