Bug 49499 - univention-radius-check-access can't handle empty sambaNTPassword in user object
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal with 1 vote
Target Milestone: UCS 4.4-1-errata
Assigned To: Jürn Brodersen
QA Contact: Arvid Requate
Depends on:
Blocks:
Reported: 2019-05-16 18:29 CEST by Valentin Heidelberger
Modified: 2019-08-22 15:30 CEST (History)
CC List: 3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Valentin Heidelberger univentionstaff 2019-05-16 18:29:07 CEST
If for some reason the attribute sambaNTPassword can't be read from a given user object, univention-radius-check-access fails with the following traceback. Regardless of the reason why the attribute is not present/can't be read, it should detect this and put out a warning.

Traceback (most recent call last):
  File "/usr/bin/univention-radius-check-access", line 66, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-check-access", line 55, in main
    networkAccess.getNTPasswordHash()
  File "/usr/lib/pymodules/python2.7/univention/radius/networkaccess.py", line 235, in getNTPasswordHash
    return result[0][1]['sambaNTPassword'][0].decode('hex')
KeyError: 'sambaNTPassword'
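The traceback shows the lookup indexing straight into result[0][1]['sambaNTPassword'][0], so a user object without that attribute raises KeyError instead of a readable message. The following is an added example (not code from the bug report or from the univention-radius package) of a lookup that checks each step and returns an operator-facing warning instead: no matching object, attribute absent (for instance because the querying host is not allowed to read it), attribute present but empty, the "NO PASSWORD****" placeholder mentioned later in this bug, and a value that does not decode to a 16-byte hash. The search results are constructed inline in the (dn, {attribute: [bytes]}) shape python-ldap returns; the DNs, uids and sample hash value are assumptions for the example.

```python
import binascii

# Constructed python-ldap style search results, i.e. a list of
# (dn, {attribute: [bytes, ...]}) tuples, covering the cases seen in this bug.
SAMPLE_RESULTS = {
    # well-known NT hash of the empty password, used here only as sample data
    "ok": [("uid=alice,cn=users,dc=example,dc=com",
            {"uid": [b"alice"],
             "sambaNTPassword": [b"31d6cfe0d16ae931b73c59d7e0c089c0"]})],
    # attribute not returned at all, e.g. the binding host is denied by the ACLs
    "missing_attr": [("uid=bob,cn=users,dc=example,dc=com",
                      {"uid": [b"bob"]})],
    # attribute present but without values
    "empty": [("uid=carol,cn=users,dc=example,dc=com",
               {"uid": [b"carol"], "sambaNTPassword": []})],
    # placeholder value as reported in comment 2 of this bug
    "placeholder": [("uid=dave,cn=users,dc=example,dc=com",
                     {"uid": [b"dave"],
                      "sambaNTPassword": [b"NO PASSWORD*********************"]})],
    # value that is not a hex-encoded 16-byte hash
    "garbage": [("uid=erin,cn=users,dc=example,dc=com",
                 {"uid": [b"erin"], "sambaNTPassword": [b"not-hex"]})],
    # no object matched the search filter
    "no_object": [],
}

NO_PASSWORD_PLACEHOLDER = b"NO PASSWORD"


def nt_password_hash(result):
    """Extract the NT hash from a search result without raising on bad data.

    Returns (nt_hash, problem): nt_hash is the 16 raw bytes and problem is
    None on success; otherwise nt_hash is None and problem is a message an
    operator can act on.
    """
    if not result:
        return None, "no LDAP object matched the search filter"
    dn, attrs = result[0]
    # attrs.get() avoids the KeyError from the original direct indexing
    values = attrs.get("sambaNTPassword") or []
    if not values:
        return None, ("%s: sambaNTPassword is missing or empty; either this host "
                      "is not allowed to read the attribute (check the LDAP ACLs) "
                      "or the user has no NT hash stored yet (a password reset "
                      "sets one)" % dn)
    raw = values[0]
    if raw.upper().startswith(NO_PASSWORD_PLACEHOLDER):
        return None, ("%s: sambaNTPassword holds the placeholder %r, so no "
                      "usable NT hash is stored for this user"
                      % (dn, raw.decode("ascii", "replace")))
    try:
        nt_hash = binascii.unhexlify(raw)
    except (binascii.Error, ValueError):
        return None, "%s: sambaNTPassword is not hex encoded: %r" % (dn, raw)
    if len(nt_hash) != 16:
        return None, ("%s: decoded sambaNTPassword is %d bytes, expected 16"
                      % (dn, len(nt_hash)))
    return nt_hash, None


def check_access(result):
    """Warn-and-return-nonzero behaviour instead of a traceback."""
    nt_hash, problem = nt_password_hash(result)
    if problem is not None:
        print("WARNING: " + problem)
        return 1
    print("NT hash found (%d bytes)" % len(nt_hash))
    return 0


if __name__ == "__main__":
    for name, result in SAMPLE_RESULTS.items():
        print("[%s]" % name)
        check_access(result)
```

Returning (hash, problem) keeps the decision of what to print with the caller, so the same helper can feed both a command-line check and a log line in the RADIUS helper; the placeholder case is detected before hex decoding only so that the warning can name the actual cause rather than a generic decoding error.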
Comment 1 Jürn Brodersen univentionstaff 2019-05-17 09:59:40 CEST
Do you know why "sambaNTPassword" was empty?
I would like to give a hint as what an admin can do to resolve this, as well as a warning. I guess asking the user to reset the password would help.
Comment 2 Arne 2019-08-13 20:39:22 CEST
Got the same error over here. I did a `univention-ldapsearch uid=USER` and the sambaNTPassword attribute is: NO PASSWORD********************* in the result for every user.
Also found the sambaAcctFlags: [U          ] on these accounts.
I don't know if it's interesting, but in line 229++ it is used for warning outputs.
Comment 3 Arne 2019-08-15 19:48:54 CEST
After some research I've found out that the freeradius server is setting the sambaNTPassword attribute with the password hash from the auth request.
Tested the ntlm auth with test command: 
 ntlm_auth --request-nt-key --domain=MY.DOMAIN --username=TESTUSER --password=TESTPASSWORD 
and got:
pm_process() returned Yes
NT_STATUS_OK: The operation completed successfully. (0x0)

Then I tried to test radius but got an error in the eap sub module?
radtest -t mschap TESTUSER TESTPASSWORD localhost 0 testing123  -x
Sent Access-Request Id 23 from 0.0.0.0:46716 to 127.0.0.1:1812 length 139
	User-Name = "TESTUSER"
	MS-CHAP-Password = "TESTPASSWORD"
	NAS-IP-Address = 50.100.200.14
	NAS-Port = 0
	Message-Authenticator = 0x00
	Framed-Protocol = PPP
	Cleartext-Password = "TESTPASSWORD"
	MS-CHAP-Challenge = 0x04a1f8a51c413f51
	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f469a398c991e3308c16d3073df38744bf235231630ce347
Received Access-Reject Id 23 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
	MS-CHAP-Error = "\000E=691 R=1 C=dd296208bd54383a V=2"
(0) -: Expected Access-Accept got Access-Reject
Then I've done usermod -a -G winbindd_priv freerad for the winbind socket permission error I found in a forum.

The log output from running freeradius -X (debug mode):
(20) Received Access-Request Id 23 from 127.0.0.1:46716 to 127.0.0.1:1812 length 139
(20)   User-Name = "TESTUSER"
(20)   NAS-IP-Address = 50.100.200.14
(20)   NAS-Port = 0
(20)   Message-Authenticator = 0x040ebb7bc5520a03f300eea3588107c8
(20)   Framed-Protocol = PPP
(20)   MS-CHAP-Challenge = 0x04a1f8a51c413f51
(20)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f469a398c991e3308c16d3073df38744bf235231630ce347
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(20)   authorize {
(20)     policy filter_username {
(20)       if (&User-Name) {
(20)       if (&User-Name)  -> TRUE
(20)       if (&User-Name)  {
(20)         if (&User-Name =~ / /) {
(20)         if (&User-Name =~ / /)  -> FALSE
(20)         if (&User-Name =~ /@[^@]*@/ ) {
(20)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(20)         if (&User-Name =~ /\.\./ ) {
(20)         if (&User-Name =~ /\.\./ )  -> FALSE
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(20)         if (&User-Name =~ /\.$/)  {
(20)         if (&User-Name =~ /\.$/)   -> FALSE
(20)         if (&User-Name =~ /@\./)  {
(20)         if (&User-Name =~ /@\./)   -> FALSE
(20)       } # if (&User-Name)  = notfound
(20)     } # policy filter_username = notfound
(20)     [preprocess] = ok
(20)     [chap] = noop
(20) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(20)     [mschap] = ok
(20) ntdomain: Checking for prefix before "\"
(20) ntdomain: No '\' in User-Name = "TESTUSER", looking up realm NULL
(20) ntdomain: No such realm "NULL"
(20)     [ntdomain] = noop
(20) eap: No EAP-Message, not doing EAP
(20)     [eap] = noop
(20) files: users: Matched entry DEFAULT at line 181
(20)     [files] = ok
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Reserved connection (0)
(20) ldap: EXPAND (uid=%{mschap:User-Name:-%{User-Name}})
(20) ldap:    --> (uid=TESTUSER)
(20) ldap: Performing search in "dc=fefp,dc=de" with filter "(uid=TESTUSER)", scope "sub"
(20) ldap: Waiting for search result...
(20) ldap: User object found at DN "uid=TESTUSER,cn=users,dc=fefp,dc=de"
(20) ldap: Processing user attributes
(20) ldap: control:Password-With-Header += '{KINIT}'
(20) ldap: control:NT-Password := 0x4e4f2050415353574f52442a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 6 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://dateiserver.fefp.de:7389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(20)     [ldap] = updated
(20)     [expiration] = noop
(20)     [logintime] = noop
(20) pap: Unknown header {{KINIT}} in Password-With-Header, re-writing to Cleartext-Password
(20) pap: Removing &control:Password-With-Header
(20) pap: WARNING: Auth-Type already set.  Not setting to PAP
(20)     [pap] = noop
(20)   } # authorize = updated
(20) Found Auth-Type = MS-CHAP
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20)   Auth-Type MS-CHAP {
(20) mschap: WARNING: NT-Password has not been normalized by the 'pap' module (likely still in hex format).  Authentication may fail
(20) mschap: Found Cleartext-Password, hashing to create NT-Password
(20) mschap: Found Cleartext-Password, hashing to create LM-Password
(20) mschap: Client is using MS-CHAPv1 with NT-Password
(20) mschap: Executing: /usr/bin/univention-radius-ntlm-auth-suidwrapper --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --station-id=%{outer.request:Calling-Station-Id}:
(20) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(20) mschap:    --> --username=TESTUSER
(20) mschap: mschap1: 04
(20) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(20) mschap:    --> --challenge=04a1f8a51c413f51
(20) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(20) mschap:    --> --nt-response=f469a398c991e3308c16d3073df38744bf235231630ce347
(20) mschap: EXPAND --station-id=%{outer.request:Calling-Station-Id}
(20) mschap:    --> --station-id=
(20) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(20) mschap: External script failed
(20) mschap: ERROR: External script says: Logon failure (0xc000006d)
(20) mschap: ERROR: MS-CHAP2-Response is incorrect
(20)     [mschap] = reject
(20)   } # Auth-Type MS-CHAP = reject
(20) Failed to authenticate the user
(20) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [TESTUSER/<via Auth-Type = MS-CHAP>] (from client localhost port 0)
(20) Using Post-Auth-Type Reject
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20)   Post-Auth-Type REJECT {
(20) attr_filter.access_reject: EXPAND %{User-Name}
(20) attr_filter.access_reject:    --> TESTUSER
(20) attr_filter.access_reject: Matched entry DEFAULT at line 11
(20)     [attr_filter.access_reject] = updated
(20)     [eap] = noop
(20)     policy remove_reply_message_if_eap {
(20)       if (&reply:EAP-Message && &reply:Reply-Message) {
(20)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(20)       else {
(20)         [noop] = noop
(20)       } # else = noop
(20)     } # policy remove_reply_message_if_eap = noop
(20)   } # Post-Auth-Type REJECT = updated

Does anybody know where to look?
Comment 4 Jürn Brodersen univentionstaff 2019-08-19 16:16:31 CEST
(In reply to Arne from comment #3)
> After some research i've found out that freeradius server setting the
> sambaNTPassword attribute with the password hash from auth request.
> Tested the ntlm auth with test command: 
>  ntlm_auth --request-nt-key --domain=MY.DOMAIN --username=TESTUSER
> --password=TESTPASSWORD 
> and got:
> pm_process() returned Yes
> NT_STATUS_OK: The operation completed successfully. (0x0)

Please note that we are using our own ntlm auth helper. Users need to be explicitly allowed to use radius authentication.
See https://docs.software-univention.de/manual-4.4.html#ip-config:radius:configuration:allowed-users

You can use the "univention-radius-check-access" to check if the user is allowed to use radius authentication.
For more debugging you can set "ucr set freeradius/auth/helper/ntlm/debug=4" and check /var/log/univention/radius_ntlm_auth.log

The "NO PASSWORD*********************" seems to be set by the ad-connector app. As to why that got set I'm not sure. I think that question is better suited for help.univention.de
thanks
Comment 5 Jürn Brodersen univentionstaff 2019-08-19 16:25:27 CEST
[4.4-1 4d1838b44a] Bug #49499: Improve warning for missing sambaNTpassword

successful build
Package: univention-radius
Version: 6.0.2-11A~4.4.0.201908191534
Branch: ucs_4.4-0-errata4.4-1
Scope: errata4.4-1
Comment 6 Valentin Heidelberger univentionstaff 2019-08-19 18:52:37 CEST
(In reply to Jürn Brodersen from comment #1)
> Do you know why "sambaNTPassword" was empty?
> I would like to give a hint as what an admin can do to resolve this, as well
> as a warning. I guess asking the user to reset the password would help.

Sorry for the late answer. A customer uses memberservers instead of educative slaves for radius auth at their school sites. The memberserver is just not allowed to read the sambaNTPassword directly. I added an ACL allowing the memberserver to read the attribute to the school slave's slapd.conf to make it work.
Comment 7 Arvid Requate univentionstaff 2019-08-20 16:12:48 CEST
Verified:
* Code review and check with flake8 and mypy
* General functional test (ucs-test-radius & eapol_test)
* Advisory
Comment 8 Arvid Requate univentionstaff 2019-08-22 15:30:03 CEST
<http://errata.software-univention.de/ucs/4.4/237.html>