Univention Bugzilla – Full Text Bug Listing

| Summary: | univention-radius-check-access can't handle empty sambaNTPassword in user object | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Valentin Heidelberger <heidelberger> |
| Component: | Radius | Assignee: | Jürn Brodersen <brodersen> |
| Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
| Severity: | normal | | |
| Priority: | P5 | CC: | Arne.Bartelt, best, brodersen |
| Version: | UCS 4.4 | | |
| Target Milestone: | UCS 4.4-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 2: Improvement: Would be a product improvement |
| Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
| User Pain: | 0.023 | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
Description
Valentin Heidelberger
2019-05-16 18:29:07 CEST
Comment #1 (Jürn Brodersen):

Do you know why "sambaNTPassword" was empty? I would like to give a hint as to what an admin can do to resolve this, as well as a warning. I guess asking the user to reset the password would help.

Comment #3 (Arne):

Got the same error over here. I did a `univention-ldapsearch uid=USER` and the sambaNTPassword attribute is `NO PASSWORD*********************` in the result for every user. Also found the sambaAcctFlags `[U ]` on these accounts. I don't know if it's interesting, but in line 229++ it is used for warning outputs. After some research I've found out that the freeradius server is setting the sambaNTPassword attribute with the password hash from the auth request.

Tested the ntlm auth with the test command:

```
ntlm_auth --request-nt-key --domain=MY.DOMAIN --username=TESTUSER --password=TESTPASSWORD
```

and got:

```
pm_process() returned Yes
NT_STATUS_OK: The operation completed successfully. (0x0)
```

Then I tried to test radius but got an error in the eap sub module?

```
radtest -t mschap TESTUSER TESTPASSWORD localhost 0 testing123 -x
Sent Access-Request Id 23 from 0.0.0.0:46716 to 127.0.0.1:1812 length 139
	User-Name = "TESTUSER"
	MS-CHAP-Password = "TESTPASSWORD"
	NAS-IP-Address = 50.100.200.14
	NAS-Port = 0
	Message-Authenticator = 0x00
	Framed-Protocol = PPP
	Cleartext-Password = "TESTPASSWORD"
	MS-CHAP-Challenge = 0x04a1f8a51c413f51
	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f469a398c991e3308c16d3073df38744bf235231630ce347
Received Access-Reject Id 23 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
	MS-CHAP-Error = "\000E=691 R=1 C=dd296208bd54383a V=2"
(0) -: Expected Access-Accept got Access-Reject
```

Then I've done `usermod -a -G winbindd_priv freerad` for the winbind socket permission error I found in a forum.

The log output of `freeradius -X` (debug mode):

```
(20) Received Access-Request Id 23 from 127.0.0.1:46716 to 127.0.0.1:1812 length 139
(20)   User-Name = "TESTUSER"
(20)   NAS-IP-Address = 50.100.200.14
(20)   NAS-Port = 0
(20)   Message-Authenticator = 0x040ebb7bc5520a03f300eea3588107c8
(20)   Framed-Protocol = PPP
(20)   MS-CHAP-Challenge = 0x04a1f8a51c413f51
(20)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f469a398c991e3308c16d3073df38744bf235231630ce347
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(20)   authorize {
(20)     policy filter_username {
(20)       if (&User-Name) {
(20)       if (&User-Name) -> TRUE
(20)       if (&User-Name) {
(20)         if (&User-Name =~ / /) {
(20)         if (&User-Name =~ / /) -> FALSE
(20)         if (&User-Name =~ /@[^@]*@/ ) {
(20)         if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20)         if (&User-Name =~ /\.\./ ) {
(20)         if (&User-Name =~ /\.\./ ) -> FALSE
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20)         if (&User-Name =~ /\.$/) {
(20)         if (&User-Name =~ /\.$/) -> FALSE
(20)         if (&User-Name =~ /@\./) {
(20)         if (&User-Name =~ /@\./) -> FALSE
(20)       } # if (&User-Name) = notfound
(20)     } # policy filter_username = notfound
(20)     [preprocess] = ok
(20)     [chap] = noop
(20) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
(20)     [mschap] = ok
(20) ntdomain: Checking for prefix before "\"
(20) ntdomain: No '\' in User-Name = "TESTUSER", looking up realm NULL
(20) ntdomain: No such realm "NULL"
(20)     [ntdomain] = noop
(20) eap: No EAP-Message, not doing EAP
(20)     [eap] = noop
(20) files: users: Matched entry DEFAULT at line 181
(20)     [files] = ok
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Reserved connection (0)
(20) ldap: EXPAND (uid=%{mschap:User-Name:-%{User-Name}})
(20) ldap:    --> (uid=TESTUSER)
(20) ldap: Performing search in "dc=fefp,dc=de" with filter "(uid=TESTUSER)", scope "sub"
(20) ldap: Waiting for search result...
(20) ldap: User object found at DN "uid=TESTUSER,cn=users,dc=fefp,dc=de"
(20) ldap: Processing user attributes
(20) ldap: control:Password-With-Header += '{KINIT}'
(20) ldap: control:NT-Password := 0x4e4f2050415353574f52442a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 6 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://dateiserver.fefp.de:7389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(20)     [ldap] = updated
(20)     [expiration] = noop
(20)     [logintime] = noop
(20) pap: Unknown header {{KINIT}} in Password-With-Header, re-writing to Cleartext-Password
(20) pap: Removing &control:Password-With-Header
(20) pap: WARNING: Auth-Type already set.  Not setting to PAP
(20)     [pap] = noop
(20)   } # authorize = updated
(20) Found Auth-Type = MS-CHAP
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20)   Auth-Type MS-CHAP {
(20) mschap: WARNING: NT-Password has not been normalized by the 'pap' module (likely still in hex format).  Authentication may fail
(20) mschap: Found Cleartext-Password, hashing to create NT-Password
(20) mschap: Found Cleartext-Password, hashing to create LM-Password
(20) mschap: Client is using MS-CHAPv1 with NT-Password
(20) mschap: Executing: /usr/bin/univention-radius-ntlm-auth-suidwrapper --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --station-id=%{outer.request:Calling-Station-Id}:
(20) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(20) mschap:    --> --username=TESTUSER
(20) mschap: mschap1: 04
(20) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(20) mschap:    --> --challenge=04a1f8a51c413f51
(20) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(20) mschap:    --> --nt-response=f469a398c991e3308c16d3073df38744bf235231630ce347
(20) mschap: EXPAND --station-id=%{outer.request:Calling-Station-Id}
(20) mschap:    --> --station-id=
(20) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(20) mschap: External script failed
(20) mschap: ERROR: External script says: Logon failure (0xc000006d)
(20) mschap: ERROR: MS-CHAP2-Response is incorrect
(20)     [mschap] = reject
(20)   } # Auth-Type MS-CHAP = reject
(20) Failed to authenticate the user
(20) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [TESTUSER/<via Auth-Type = MS-CHAP>] (from client localhost port 0)
(20) Using Post-Auth-Type Reject
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20)   Post-Auth-Type REJECT {
(20) attr_filter.access_reject: EXPAND %{User-Name}
(20) attr_filter.access_reject:    --> TESTUSER
(20) attr_filter.access_reject: Matched entry DEFAULT at line 11
(20)     [attr_filter.access_reject] = updated
(20)     [eap] = noop
(20)     policy remove_reply_message_if_eap {
(20)       if (&reply:EAP-Message && &reply:Reply-Message) {
(20)       if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(20)       else {
(20)         [noop] = noop
(20)       } # else = noop
(20)     } # policy remove_reply_message_if_eap = noop
(20)   } # Post-Auth-Type REJECT = updated
```

Does anybody know where to look at?

(In reply to Arne from comment #3)
> After some research i've found out that freeradius server setting the
> sambaNTPassword attribute with the password hash from auth request.
> Tested the ntlm auth with test command:
> ntlm_auth --request-nt-key --domain=MY.DOMAIN --username=TESTUSER
> --password=TESTPASSWORD
> and got:
> pm_process() returned Yes
> NT_STATUS_OK: The operation completed successfully. (0x0)

Please note that we are using our own ntlm auth helper. Users need to be explicitly allowed to use radius authentication. See https://docs.software-univention.de/manual-4.4.html#ip-config:radius:configuration:allowed-users

You can use "univention-radius-check-access" to check if the user is allowed to use radius authentication. For more debugging you can set `ucr set freeradius/auth/helper/ntlm/debug=4` and check /var/log/univention/radius_ntlm_auth.log

The "NO PASSWORD*********************" seems to be set by the ad-connector app. As to why that got set I'm not sure. I think that question is better suited for help.univention.de

thanks

[4.4-1 4d1838b44a] Bug #49499: Improve warning for missing sambaNTpassword

successful build
Package: univention-radius
Version: 6.0.2-11A~4.4.0.201908191534
Branch: ucs_4.4-0-errata4.4-1
Scope: errata4.4-1

(In reply to Jürn Brodersen from comment #1)
> Do you know why "sambaNTPassword" was empty?
> I would like to give a hint as what an admin can do to resolve this, as well
> as a warning.
> I guess asking the user to reset the password would help.

Sorry for the late answer. A customer uses memberservers instead of educative slaves for radius auth at their school sites. The memberserver is just not allowed to read the sambaNTPassword directly. I added an ACL allowing the memberserver to read the attribute to the school slave's slapd.conf to make it work.

Verified:
* Code review and check with flake8 and mypy
* General functional test (ucs-test-radius & eapol_test)
* Advisory
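The thread shows three distinct states an admin has to tell apart before touching the RADIUS configuration: the `sambaNTPassword` attribute is not readable at all (the memberserver ACL case), it is empty (the case the fix adds a warning for), or it holds the `NO PASSWORD*********************` placeholder that FreeRADIUS then dutifully loads as `control:NT-Password` and that can never match an MS-CHAP response. The following is an added example, not code from the univention-radius package or from anyone in this thread. It classifies a decoded LDAP entry (assumed here as a dict of attribute name to list of string values, the shape of `univention-ldapsearch` output) and also decodes the hex `NT-Password` value from a `freeradius -X` line of the format quoted above, so the same check can be applied to a debug log. The sample entry and log line are constructed; the hex value mirrors the one in the log above.

```python
"""Classify the sambaNTPassword of a UCS user object before debugging RADIUS.

Added example (not univention-radius code). It recognises the states seen in
Bug #49499: attribute missing/unreadable, empty, the "NO PASSWORD" placeholder,
or a real 32-hex-digit NT hash, and returns the hint an admin would want.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Placeholder value seen in the ldapsearch output in the thread above.
NO_PASSWORD_PREFIX = "NO PASSWORD"

# An NT hash is 16 bytes, stored as 32 hex digits in sambaNTPassword.
NT_HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")

# Matches the "ldap: control:NT-Password := 0x..." line of freeradius -X output.
DEBUG_NT_PASSWORD_RE = re.compile(r"ldap: control:NT-Password := 0x([0-9A-Fa-f]+)")

ADMIN_HINTS = {
    "missing": "sambaNTPassword not readable: check the LDAP ACL for this host "
               "(e.g. a memberserver) or whether the attribute is set at all",
    "empty": "sambaNTPassword is empty: have the user reset the password so an NT hash is written",
    "placeholder": "sambaNTPassword is the 'NO PASSWORD' placeholder: no NT hash is stored, "
                   "have the user reset the password",
    "malformed": "sambaNTPassword is not a 32-digit hex NT hash: inspect the user object",
    "ok": "sambaNTPassword looks like a valid NT hash; look elsewhere (e.g. RADIUS access permission)",
}


def classify_nt_password(entry: Dict[str, List[str]]) -> str:
    """Return one of: missing, empty, placeholder, malformed, ok."""
    values = entry.get("sambaNTPassword")
    if not values:                       # attribute absent or filtered by an ACL
        return "missing"
    value = values[0]
    if value == "":
        return "empty"
    if value.startswith(NO_PASSWORD_PREFIX):
        return "placeholder"
    if NT_HASH_RE.fullmatch(value):
        return "ok"
    return "malformed"


def check_user(entry: Dict[str, List[str]]) -> Tuple[str, str]:
    """Classify the entry and pair the state with the matching admin hint."""
    state = classify_nt_password(entry)
    return state, ADMIN_HINTS[state]


def nt_password_from_debug_log(lines: Iterable[str]) -> Optional[str]:
    """Decode the NT-Password string FreeRADIUS loaded from LDAP, if logged."""
    for line in lines:
        m = DEBUG_NT_PASSWORD_RE.search(line)
        if m:
            return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")
    return None


# Constructed sample: a user object carrying the placeholder, as in the thread.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["TESTUSER"],
    "sambaAcctFlags": ["[U          ]"],
    "sambaNTPassword": [NO_PASSWORD_PREFIX + "*" * 21],
}

# Constructed sample log line; the hex spells "NO PASSWORD" followed by 21 '*'.
SAMPLE_DEBUG_LOG = [
    '(20) ldap: Processing user attributes',
    "(20) ldap: control:NT-Password := 0x" + "4e4f2050415353574f5244" + "2a" * 21,
    '(20)     [ldap] = updated',
]


if __name__ == "__main__":
    state, hint = check_user(SAMPLE_ENTRY)
    print(f"{SAMPLE_ENTRY['uid'][0]}: {state}: {hint}")
    logged = nt_password_from_debug_log(SAMPLE_DEBUG_LOG)
    if logged is not None:
        print("freeradius loaded NT-Password:", repr(logged),
              "->", classify_nt_password({"sambaNTPassword": [logged]}))
```

Feeding the decoded debug-log value back into `classify_nt_password` is the useful part: it shows that the reject in the log above was decided before `univention-radius-ntlm-auth-suidwrapper` ever ran, because no real NT hash existed to compare the challenge response against.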