Bug 44955 - (4.2) Not possible to use machine account which windows clients send to auth at the radius server
Product: UCS@school
Classification: Unclassified
Component: Radius
Version: UCS@school 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.2 v3
Assigned To: Sönke Schwardt-Krummrich
Florian Best
Depends on: 44603
Reported: 2017-07-07 16:12 CEST by Sönke Schwardt-Krummrich
Modified: 2017-09-12 13:17 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2017-07-07 16:12:20 CEST
+++ This bug was initially created as a clone of Bug #44603 +++

Windows clients (Win7 & Win10) send "host/FQDN" as machine account if they try to access WPA2-Enterprise networks.
Currently the ucs-school-ntlm-auth which we use in our radius server to authenticate users and machines can only handle usernames (e.g. michel) or machine accounts (e.g. client$). Unfortunately, as mentioned above, the Windows clients send the Kerberos principal to auth and therefore currently fail.

The attached patch contains some debug statements. A debug facility for ucs-school-ntlm-auth would be very neat.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2017-08-24 21:27:57 CEST
The code is now able to handle Kerberos principal names of hosts:
"host/win0815.mydomain.example.com" is automatically converted to "win0815$" for the LDAP lookup.
The principal has to start with "host/". All other Kerberos principals are left untouched during lookup.

Patches have been ported from UCS@school 4.1R2 to UCS@school 4.2 (unfortunately with bug numbers of 4.1R2).

ucs-school-radius-802.1x (6.0.1-1):
r82473 | Bug #44603: always add $ sign for host accounts
r82472 | Bug #44603: add handling of kerberos principals

Package: ucs-school-radius-802.1x
Version: 6.0.1-1A~
Branch: ucs_4.2-0
Scope: ucs-school-4.2
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-08-30 17:06:33 CEST
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566' --logfile /dev/stdout | grep username2
2017-08-13 09:48:49 [21329] getNTPasswordHash: username2='foo$bar$'  stationId='112233445566'

root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foobar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566' --logfile /dev/stdout | grep username2
2017-08-13 09:49:05 [21337] getNTPasswordHash: username2='foobar$'  stationId='112233445566'
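The principal-to-machine-account mapping described in Comment 1 and exercised in Comment 2, written here as an added illustration rather than taken from the project's own ucs-school-ntlm-auth code. The unconditional "$" suffix, the treatment of an empty hostname and the station-id normalisation are assumptions inferred from the commit message and the logged output above; the debug line format is the one shown in Comment 2.

```python
import re

HOST_PREFIX = "host/"

def principal_to_machine_account(username: str) -> str:
    """Map the Kerberos host principal a Windows client sends ("host/FQDN")
    to the machine-account name used for the LDAP lookup ("hostname$").
    Anything that does not start with "host/" is left untouched (Comment 1)."""
    if not username.startswith(HOST_PREFIX):
        return username
    fqdn = username[len(HOST_PREFIX):]
    # Only the short hostname is used; everything after the first dot is the domain part.
    hostname = fqdn.split(".", 1)[0]
    if not hostname:
        # Assumption: the page does not define "host/" with no hostname; leave it untouched.
        return username
    # Assumption: the "$" is appended unconditionally ("always add $ sign for host accounts"),
    # which is consistent with 'host/foo$bar.domain' -> 'foo$bar$' in Comment 2.
    return hostname + "$"

def normalise_station_id(station_id: str) -> str:
    """Assumption inferred from the log lines: '1122-3344-5566' is logged as
    '112233445566', i.e. separator characters are dropped and hex digits kept."""
    return re.sub(r"[^0-9A-Fa-f]", "", station_id)

# Constructed from the two debug lines in Comment 2 (timestamp/pid prefix kept as logged).
DEBUG_LINE_RE = re.compile(
    r"getNTPasswordHash: username2='(?P<username2>[^']*)'\s+stationId='(?P<station>[^']*)'"
)

def parse_debug_line(line: str) -> dict:
    """Extract username2 and stationId from a ucs-school-ntlm-auth debug line."""
    m = DEBUG_LINE_RE.search(line)
    if m is None:
        raise ValueError("not a getNTPasswordHash debug line: %r" % line)
    return m.groupdict()

def lookup_name_matches_log(cli_username: str, cli_station_id: str, log_line: str) -> bool:
    """Check that the name the wrapper logged is the one this mapping predicts
    for the --username/--station-id values passed on the command line."""
    logged = parse_debug_line(log_line)
    return (logged["username2"] == principal_to_machine_account(cli_username)
            and logged["station"] == normalise_station_id(cli_station_id))
```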
Comment 3 Florian Best univentionstaff 2017-08-31 10:53:39 CEST
OK: machine account works
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2017-09-12 13:17:19 CEST
UCS@school 4.2 v3 has been released.


If this error occurs again, please clone this bug.