Bug 44603

Summary: Not possible to use machine account which windows clients send to auth at the radius server
Product: UCS@school
Reporter: Michel Smidt <michelsmidt>
Component: Radius
Assignee: Sönke Schwardt-Krummrich <schwardt>
Status: CLOSED FIXED
QA Contact: Florian Best <best>
Severity: normal
Priority: P5
CC: best, ebersbach, michelsmidt, schwardt
Version: UCS@school 4.1 R2
Flags: best: Patch_Available+
Target Milestone: UCS@school 4.1 R2 v13
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 44955
Attachments:
  Patch to handle kerberos principal in ucs-school-ntlm-auth.
  handle kerberos principal in "username" appropriately

Description Michel Smidt 2017-05-16 10:59:57 CEST
Created attachment 8851 [details]
Patch to handle kerberos principal in ucs-school-ntlm-auth.

Windows clients (win7 & win10) send "host/FQDN" as machine account if they try to access WPA2-Enterprise networks.
Currently the ucs-school-ntlm-auth which we use in our radius server to authenticate users and machines can only handle usernames (e.g. michel) or machine accounts (e.g. client$). Unfortunately, as mentioned above, the windows clients send the kerberos principal to auth and therefore currently fail.

The attached patch contains some debug statements. A debug facility for ucs-school-ntlm-auth would be very neat.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2017-05-17 16:40:04 CEST
Created attachment 8856 [details]
handle kerberos principal in "username" appropriately
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-07-11 13:43:41 CEST
ucs-school-radius-802.1x.yaml:
r81030 | Bug #43421, #44603, #44900, #44916, #44918: updated advisory

ucs-school-radius-802.1x (5.0.1-1):
r80751 | Bug #44603: add handling of kerberos principals

The code is now able to handle kerberos principal names of hosts:
"host/win0815.mydomain.example.com" is automatically converted to "win0815$" for the LDAP lookup.
The principal has to start with "host/". All other kerberos principals are left untouched during lookup.

Package: ucs-school-radius-802.1x
Version: 5.0.1-1.17.201707111320
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
Comment 3 Florian Best univentionstaff 2017-07-19 17:24:30 CEST
Looks good principally. But is the following behavior OK?:

# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foobar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
2016-11-18 16:27:05 [26889] getNTPasswordHash: username2='foobar$'  stationId='112233445566'
→ correct

# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
2016-11-18 16:27:03 [26885] getNTPasswordHash: username2='foo$bar'  stationId='112233445566'
→ if the hostname/username of a machine contains a "$" (not at the end) it cannot authenticate.
Comment 4 Jan Christoph Ebersbach univentionstaff 2017-07-21 15:22:13 CEST
It looks like a bug to me.  The code reads like the following:
+               if '$' not in username:
+                       username += '$'
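Review bot: the `'$' not in username` test in this hunk matches a `$` anywhere in the name, so a value like `foo$bar` (comment 3) never receives its trailing `$` and the LDAP lookup misses the computer account; check only the last character (`username.endswith('$')`) or, since this branch is only reached for `host/` principals, append the `$` unconditionally.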

The test should look at the last character only.  However, the '$' character is not allowed in host names.  Therefore, this case shouldn't happen and I'd actually expect the authentication to fail.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2017-07-28 17:10:20 CEST
You are right, this does not make any sense. The $ character is now always added if the username initially starts with "host/".

r81540 | Bug #44603: always add $ sign for host accounts

(In reply to Florian Best from comment #3)
> # /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key
> --username='host/foo$bar.domain' --challenge=00 --nt-response=00
> --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
> 2016-11-18 16:27:03 [26885] getNTPasswordHash: username2='foo$bar' 
> stationId='112233445566'
> → if the hostname/username of a machine contains a "$" (not at the end) it
> cannot authenticate.

This is not solely a problem of the code but also that there is no computer account with uid=foo$bar in LDAP ;-)
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2017-07-28 17:45:22 CEST
Package: ucs-school-radius-802.1x
Version: 5.0.1-2.18.201707281735
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
Comment 7 Florian Best univentionstaff 2017-08-04 15:14:43 CEST
OK: latest changes
/usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --logfile /dev/stdout | grep username2
2017-07-25 15:38:14 [1263] getNTPasswordHash: username2='foo$bar$'  stationId='112233445566'
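The conversion described in comment 2, the `$` handling discussed in comments 3 to 5 and the final behaviour shown in comment 7, written out as an added example; this is not code from ucs-school-ntlm-auth, and the function names and the filter-escaping helper are hypothetical.

```python
# Added example, not the project's own code: normalise the RADIUS "username"
# attribute before the LDAP lookup, as the comments on Bug 44603 describe.

HOST_PRINCIPAL_PREFIX = "host/"


def principal_to_machine_account(username):
    """Map a Kerberos host principal to the uid of its computer account.

    "host/win0815.mydomain.example.com" -> "win0815$"
    Values not starting with "host/" are returned unchanged, so plain user
    names ("michel") and machine accounts ("client$") pass straight through.
    The "$" is appended unconditionally (comment 5), so "host/foo$bar.domain"
    yields "foo$bar$" exactly as the comment 7 log line shows.
    """
    if not username.startswith(HOST_PRINCIPAL_PREFIX):
        return username
    fqdn = username[len(HOST_PRINCIPAL_PREFIX):]
    shortname = fqdn.split(".", 1)[0]   # computer account uid = short host name + "$"
    return shortname + "$"


def principal_to_machine_account_buggy(username):
    """The behaviour criticised in comments 3 and 4: a "$" anywhere in the
    name suppresses the suffix, so "host/foo$bar.domain" becomes "foo$bar"."""
    if not username.startswith(HOST_PRINCIPAL_PREFIX):
        return username
    shortname = username[len(HOST_PRINCIPAL_PREFIX):].split(".", 1)[0]
    if "$" not in shortname:
        shortname += "$"
    return shortname


def escape_ldap_filter_value(value):
    """RFC 4515 escaping (hypothetical helper).  The username arrives from the
    RADIUS client, so it is escaped before being placed into a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def computer_account_filter(username):
    """Build the uid filter for the LDAP lookup; "$" itself needs no escaping."""
    uid = principal_to_machine_account(username)
    return "(uid=%s)" % escape_ldap_filter_value(uid)
```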
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2017-09-12 13:18:20 CEST
UCS@school 4.1 R2 v13 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v13-de.html

If this error occurs again, please clone this bug.