Univention Bugzilla – Full Text Bug Listing

| Summary: | Not possible to use machine account which windows clients send to auth at the radius server | | |
|---|---|---|---|
| Product: | UCS@school | Reporter: | Michel Smidt <michelsmidt> |
| Component: | Radius | Assignee: | Sönke Schwardt-Krummrich <schwardt> |
| Status: | CLOSED FIXED | QA Contact: | Florian Best <best> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, ebersbach, michelsmidt, schwardt |
| Version: | UCS@school 4.1 R2 | Flags: | best: Patch_Available+ |
| Target Milestone: | UCS@school 4.1 R2 v13 | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
| User Pain: | 0.171 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 44955 | | |
| Attachments: | Patch to handle Kerberos principal in ucs-school-ntlm-auth. | | |
| | handle kerberos principal in "username" appropriately | | |

Created attachment 8856 [details]
handle kerberos principal in "username" appropriately
ucs-school-radius-802.1x.yaml:
r81030 | Bug #43421, #44603, #44900, #44916, #44918: updated advisory ucs-school-radius-802.1x (5.0.1-1)

r80751 | Bug #44603: add handling of kerberos principals
The code is now able to handle Kerberos principal names of hosts: "host/win0815.mydomain.example.com" is automatically converted to "win0815$" for the LDAP lookup. The principal has to start with "host/". All other Kerberos principals are left untouched during lookup.

Package: ucs-school-radius-802.1x
Version: 5.0.1-1.17.201707111320
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2

Looks good in principle. But is the following behavior OK?

# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foobar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
2016-11-18 16:27:05 [26889] getNTPasswordHash: username2='foobar$' stationId='112233445566'
→ correct

# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
2016-11-18 16:27:03 [26885] getNTPasswordHash: username2='foo$bar' stationId='112233445566'
→ if the hostname/username of a machine contains a "$" (not at the end) it cannot authenticate. It looks like a bug to me. The code reads like the following:

+ if '$' not in username:
+ username += '$'

The test should look at the last character only.

However, the '$' character is not allowed in host names. Therefore, this case shouldn't happen and I'd actually expected the authentication to fail.

You are right, this does not make any sense. The $ character is now always added if the username initially starts with "host/".
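Review bot: the membership test `if '$' not in username:` in the quoted fragment looks for a `$` anywhere in the string, so a name that already carries one elsewhere (the `foo$bar` case traced above) never receives the machine-account suffix; since this branch is only reached for names that began with `host/`, append `$` unconditionally (or, if a guard is wanted, test `username.endswith('$')`), and keep the suffix logic out of the non-host path so plain user names such as `michel` stay untouched.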
r81540 | Bug #44603: always add $ sign for host accounts

(In reply to Florian Best from comment #3)
> # /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key
> --username='host/foo$bar.domain' --challenge=00 --nt-response=00
> --station-id='1122-3344-5566→' --debug-fn /dev/stdout | grep username2
> 2016-11-18 16:27:03 [26885] getNTPasswordHash: username2='foo$bar'
> stationId='112233445566'
> → if the hostname/username of a machine contains a "$" (not at the end) it
> cannot authenticate.

This is not solely a problem of the code but also that there is no computer account with uid=foo$bar in LDAP ;-)

Package: ucs-school-radius-802.1x
Version: 5.0.1-2.18.201707281735
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2

OK: latest changes

/usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username='host/foo$bar.domain' --challenge=00 --nt-response=00 --station-id='1122-3344-5566→' --logfile /dev/stdout | grep username2
2017-07-25 15:38:14 [1263] getNTPasswordHash: username2='foo$bar$' stationId='112233445566'

UCS@school 4.1 R2 v13 has been released.
http://docs.software-univention.de/changelog-ucsschool-4.1R2v13-de.html

If this error occurs again, please clone this bug.
Created attachment 8851 [details]
Patch to handle Kerberos principal in ucs-school-ntlm-auth.

Windows clients (Win7 & Win10) send "host/FQDN" as machine account if they try to access WPA2-Enterprise networks. Currently the ucs-school-ntlm-auth which we use in our radius server to authenticate users and machines can only handle usernames (e.g. michel) or machine accounts (e.g. client$). Unfortunately, as mentioned above, the Windows clients send the Kerberos principal to auth and therefore currently fail. The attached patch contains some debug statements. A debug facility for ucs-school-ntlm-auth would be very neat.
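The identity mapping that the r80751 and r81540 comments describe and that the description above asks for, as an added example (my code, not the ucs-school-ntlm-auth implementation shipped in the package): a host principal `host/<fqdn>` becomes `<shortname>$` for the LDAP lookup, while a plain user name such as `michel`, an explicit machine account such as `client$` and any non-host principal pass through unchanged. Both variants of the suffix logic are shown side by side, the `'$' not in username` test quoted in the QA comment and the always-append behaviour of r81540, together with a small constructed directory so the `foo$bar` case can be traced to a failed lookup. The function names, the directory contents and `normalize_station_id` (the page only shows that `1122-3344-5566` is logged as `112233445566`) are assumptions of this example.

```python
"""Added example, not code from ucs-school-ntlm-auth: how the identity sent by a
Windows supplicant is turned into the uid used for the LDAP lookup.
Function names, the sample directory and normalize_station_id are assumptions."""

from typing import Dict, Optional

HOST_PREFIX = "host/"


def _short_host(principal: str) -> str:
    """'host/win0815.mydomain.example.com' -> 'win0815' (prefix and DNS suffix dropped)."""
    fqdn = principal[len(HOST_PREFIX):]
    return fqdn.split(".", 1)[0]


def lookup_name_r80751(username: str) -> str:
    """Suffix logic as quoted in the QA comment: append '$' only if the name
    contains none anywhere.  'host/foo$bar.domain' therefore yields 'foo$bar'."""
    if not username.startswith(HOST_PREFIX):
        return username          # users ('michel') and 'client$' pass through
    username = _short_host(username)
    if "$" not in username:      # the flawed test: looks anywhere, not at the end
        username += "$"
    return username


def lookup_name_r81540(username: str) -> str:
    """Fixed logic: a name that started with 'host/' always gets the
    machine-account suffix, so 'host/foo$bar.domain' yields 'foo$bar$'."""
    if not username.startswith(HOST_PREFIX):
        return username
    return _short_host(username) + "$"


def normalize_station_id(station_id: str) -> str:
    """Assumption: keep only hex digits, lower-cased ('1122-3344-5566' -> '112233445566')."""
    return "".join(c for c in station_id.lower() if c in "0123456789abcdef")


# Constructed sample directory: uid -> object type (stands in for the LDAP lookup).
SAMPLE_DIRECTORY: Dict[str, str] = {
    "michel": "user",
    "client$": "computer",
    "win0815$": "computer",
}


def find_account(username: str, directory: Dict[str, str] = SAMPLE_DIRECTORY,
                 mapper=lookup_name_r81540) -> Optional[str]:
    """Return the object type the request resolves to, or None (authentication fails)."""
    return directory.get(mapper(username))


if __name__ == "__main__":
    for ident in ("michel", "client$", "host/win0815.mydomain.example.com",
                  "host/foo$bar.domain", "HTTP/web.mydomain.example.com"):
        print(f"{ident!r:40} r80751={lookup_name_r80751(ident)!r:12} "
              f"r81540={lookup_name_r81540(ident)!r:12} "
              f"found={find_account(ident)}")
```

With the r81540 mapping, `host/foo$bar.domain` becomes `foo$bar$`, which matches no entry and so fails, exactly the outcome the thread settles on (no computer account with that uid exists in LDAP); with the earlier test it would have been looked up as the bare `foo$bar`, a name without the machine-account marker.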