Univention Bugzilla – Full Text Bug Listing

| Summary: | Support domain\username format for radius | | |
|---|---|---|---|
| Product: | UCS | Reporter: | firedragon |
| Component: | Radius | Assignee: | Sönke Schwardt-Krummrich <schwardt> |
| Status: | CLOSED FIXED | QA Contact: | Jürn Brodersen <brodersen> |
| Severity: | normal | | |
| Priority: | P5 | CC: | benjamin, best, gohmann, michelsmidt, schwardt, stoeckigt |
| Version: | UCS 4.2 | | |
| Target Milestone: | UCS 4.3-2-errata | | |
| Hardware: | Other | | |
| OS: | Windows 8.1 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 2: Improvement: Would be a product improvement |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
| User Pain: | 0.114 | Enterprise Customer affected?: | Yes |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2017112721000421, 2017112921000051 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 50303 | | |
Description
firedragon
2016-09-29 17:07:47 CEST
I've got similar problems but was able to solve it quite easily...

1. in /etc/freeradius/proxy.conf I added the following line at the bottom:

```
realm <NT DOMAIN NAME> {
}
```

2. in /etc/freeradius/sites-available/default I added this:

```
...
authorize {
	# some comments...
	preprocess
	# NEW
	ntdomain
	# more comments...
	chap
...
```

everything else is default, so it should be easy to modify the template(s) and create these entries automatically.

P.S. I'm not a radius expert, I just read some blogs and made some "try & error" sessions.

Customer asked for it.

Already fixed in UCS@school RADIUS package: Bug #44603

@Sönke, can you attach the patch from Bug #44955 to this issue?

(In reply to Stefan Gohmann from comment #3)
> @Sönke, can you attach the patch from Bug #44955 to this issue?

Quite simple... the given username is modified until it fits for the LDAP search. The patch wouldn't help here.

I think parseUsername() in git/ucs/services/univention-radius/usr/share/pyshared/univention/networkaccess.py has to be modified. Something like this:

```diff
--- a/services/univention-radius/usr/share/pyshared/univention/networkaccess.py
+++ b/services/univention-radius/usr/share/pyshared/univention/networkaccess.py
@@ -262,6 +262,9 @@ DISALLOWED_SAMBA_ACCOUNT_FLAGS = frozenset((SAMBA_ACCOUNT_FLAG_DISABLED, SAMBA_A
 def parseUsername(username):
 	'''convert username from host/-format to $-format if required'''
 	if not username.startswith('host/'):
+		if username.count('\\') == 1:
+			# seems to be in format DOMAIN\USERNAME
+			username = username.split('\\', 1)[1]
 		return username
 	username = username.split('/', 1)[1]  # remove host/
 	username = username.split('.', 1)[0]  # remove right of '.'
```

This requires some more investigation.

The flag "ntdomain" mentioned in comment 1 is already part of sites-available/default. If the realms are added to /etc/freeradius/3.0/proxy.conf, the authentication works sometimes.

"sometimes" because the success depends on the username. Currently it looks like freeradius is converting the user "NSTX\bwce6f7qcj" to "NSTX\010wce6f7qcj" when the ntlm_auth_helper is called. It even gets worse if the username starts with a "n" → "\n" → newline. In such cases, the authentication fails constantly. If the username starts with a "u", there is no problem with authentication.

I added a test script ucs-test/45_radius/03_username_with_ntdomain that is currently disabled, because it would fail randomly due to the random usernames.

The patch in comment #4 is not required. So if this quoting problem is fixed, the bug would be (nearly) solved. Bonus would be that the realm is automatically written to proxy.conf.

(In reply to Sönke Schwardt-Krummrich from comment #5)
> This requires some more investigation.

Next day, new attempt...

> The flag "ntdomain" mentioned in comment 1 is already part of
> sites-available/default. If the realms are added to
> /etc/freeradius/3.0/proxy.conf, the authentication works sometimes.
>
> "sometimes" because the success depends on the username.
> Currently it looks like freeradius is converting the user "NSTX\bwce6f7qcj"
> to "NSTX\010wce6f7qcj" when the ntlm_auth_helper is called.
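Review bot: in the parseUsername() hunk, the `if username.count('\\') == 1:` branch strips whatever precedes the backslash without checking that it is the expected NT domain, so a request for `OTHERDOMAIN\alice` is looked up in LDAP as plain `alice` and authenticated against the local domain. Compare the prefix with the configured NetBIOS name (the later comment derives the proxy.conf realm from the UCR variable windows/domain) and reject a mismatch rather than discarding it, and update the docstring `'''convert username from host/-format to $-format if required'''`, which no longer describes the DOMAIN\USERNAME handling the three added lines introduce.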
> It even gets worse if the username starts with a "n" → "\n" → newline.

radtest and radclient have problems at least with backslashes and are trying to quote or interpret them → the username becomes garbage. The test script 03_username_with_ntdomain has been changed accordingly and is now using eapol_test.

> The patch in comment #4 is not required.

This is still the case.

> Bonus would be that the realm is automatically written to proxy.conf.

There is now a new UCR template proxy.conf that contains a realm entry for the NETBIOS domain (stored in UCRV windows/domain). The original proxy.conf is diverted to proxy.conf.debian.

d5ba83e3e6 Bug #42535: Merge branch 'sschwardt/42535/4.3/radius-auth' into 4.3-2
00ffa3361a Bug #42535: add changelog entry
77471aca25 Bug #42535: reimplement 03_username_with_ntdomain to circumvent freeradius quoting issues
5fc4a69417 Bug #42535: add advisory
5e98c20ea3 Bug #42535: add changelog entry
539df6009b Bug #42535: add new UCR template for proxy.conf but also include proxy.conf.debian

Package: univention-radius
Version: 5.0.1-1A~4.3.0.201811281453
Branch: ucs_4.3-0
Scope: errata4.3-2

Package: ucs-test
Version: 8.0.28-237A~4.3.0.201811281454
Branch: ucs_4.3-0
Scope: errata4.3-2

893da68b5c Bug #42535: fixed whitespace typo

Package: univention-radius
Version: 5.0.1-2A~4.3.0.201811291515
Branch: ucs_4.3-0
Scope: errata4.3-2

Advisory has been updated.

I fixed a small bug in the proxy.conf template:

[4.3-2 9e041adcbe] Bug #42535: Fix missing comment on new line
[4.3-2 be329db6dc] Bug #42535: YAML

Tests are looking good -> OK
YAML -> OK

Package: univention-radius
Version: 5.0.1-3A~4.3.0.201811291625
Branch: ucs_4.3-0
Scope: errata4.3-2
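The two username-handling points discussed in the thread, as an added Python example that is not part of the bug report or of the univention-radius package: the DOMAIN\USERNAME split proposed for parseUsername() in comment 4, here with the domain prefix checked against the expected NetBIOS domain instead of being discarded, and the backslash-escape interpretation that comment 6 attributes to radtest/radclient, which explains why a name like NSTX\bwce6f7qcj came out as NSTX\010wce6f7qcj while names starting with "u" were fine. Assumptions: the expected domain is passed in by the caller (the thread stores it in the UCR variable windows/domain); the "$-format" of the original docstring is taken to mean a trailing `$` on the machine-account name; the client tool's escape handling is modelled as a generic C-style unescape, since the thread does not list which escapes it processes; all usernames are constructed.

```python
"""Added example, not code from the bug report or from univention-radius.

Reproduces two points from the thread offline:

1. why radtest/radclient turned "NSTX\\bwce6f7qcj" into garbage: a C-style
   unescape of the User-Name changes the result depending on the character
   that follows the backslash ('b' -> backspace, octal 010; 'n' -> newline;
   'u' is not an escape, so the name survives);
2. a parse_username() that strips a DOMAIN\\ prefix only when DOMAIN is the
   expected NetBIOS domain (assumed to be supplied by the caller, e.g. from
   the UCR variable windows/domain) instead of discarding any prefix.
"""
import re

# Assumption: the client tool honours the usual C escape table. Exactly
# which escapes radclient processes is not stated in the thread.
_C_ESCAPES = {
    'a': '\a', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r', 't': '\t',
    'v': '\v', '\\': '\\', '"': '"', "'": "'",
}
_OCTAL = re.compile(r'[0-7]{1,3}')


def c_unescape(value):
    """Interpret backslash escapes the way a C-style string parser would.

    Unknown escapes (e.g. "\\u") are passed through unchanged.
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in _C_ESCAPES:
                out.append(_C_ESCAPES[nxt])
                i += 2
                continue
            m = _OCTAL.match(value, i + 1)
            if m:                                   # "\010" -> backspace
                out.append(chr(int(m.group(0), 8)))
                i = m.end()
                continue
        out.append(ch)
        i += 1
    return ''.join(out)


def mangled_by_escaping(user_name):
    """True if a C-style unescape would alter this User-Name.

    This is the "sometimes" of the thread: whether authentication works
    depends on the first character after the backslash, i.e. on the user.
    """
    return c_unescape(user_name) != user_name


def parse_username(username, expected_domain):
    """Normalise a RADIUS User-Name before the LDAP lookup.

    host/NAME.example -> NAME$   (machine account; '$' suffix assumed from
                                  the "$-format" in the original docstring)
    DOMAIN\\alice     -> alice   only if DOMAIN matches expected_domain
    OTHER\\alice      -> ValueError, so a foreign or forged domain prefix
                                  is never silently mapped to a local user
    """
    if username.startswith('host/'):
        username = username.split('/', 1)[1]      # remove host/
        username = username.split('.', 1)[0]      # remove right of '.'
        return username + '$'
    if '\\' in username:
        domain, _, user = username.partition('\\')
        if domain.upper() != expected_domain.upper():
            raise ValueError('unexpected NT domain %r in %r' % (domain, username))
        if not user or '\\' in user:
            raise ValueError('malformed DOMAIN\\user name %r' % username)
        return user
    return username


def accepted_name(username, expected_domain):
    """parse_username() result, or None when the name is rejected."""
    try:
        return parse_username(username, expected_domain)
    except ValueError:
        return None


if __name__ == '__main__':
    # Constructed usernames: NSTX is the domain from the thread, the rest
    # differ only in the first letter after the backslash.
    for name in ('NSTX\\bwce6f7qcj', 'NSTX\\nwce6f7qcj', 'NSTX\\uwce6f7qcj'):
        print('%-18r unescaped=%-20r mangled=%s'
              % (name, c_unescape(name), mangled_by_escaping(name)))
    for name in ('NSTX\\alice', 'host/pc01.nstx.example', 'alice', 'OTHER\\alice'):
        print('%-26r -> %r' % (name, accepted_name(name, 'NSTX')))
```

Running the script shows the two failure classes side by side: the escape check tells you which randomly generated test usernames a radtest-based test would mangle (the reason the thread moved 03_username_with_ntdomain to eapol_test), and the domain check shows that only names carrying the expected NetBIOS prefix are reduced to the bare LDAP user.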