Univention Bugzilla – Bug 42535
Support domain\username format for radius
Last modified: 2022-01-21 18:45:48 CET
If possible, allow the format domain\username for RADIUS authentication so that Windows can be configured to auto-send the username and it is also possible to join the network with the machine account.
I've got similar problems but was able to solve it quite easily...

1. In /etc/freeradius/proxy.conf I added the following line at the bottom:

   realm <NT DOMAIN NAME> { }

2. In /etc/freeradius/sites-available/default I added this:

   ...
   authorize {
       # some comments...
       preprocess
       # NEW
       ntdomain
       # more comments...
       chap
   ...

Everything else is default, so it should be easy to modify the template(s) and create these entries automatically.

P.S. I'm not a radius expert, I just read some blogs and made some "try & error" sessions.
Customer asked for it. Already fixed in UCS@school RADIUS package: Bug #44603
@Sönke, can you attach the patch from Bug #44955 to this issue?
(In reply to Stefan Gohmann from comment #3)
> @Sönke, can you attach the patch from Bug #44955 to this issue?

Quite simple... the given username is modified until it fits for the LDAP search. The patch wouldn't help here.

I think parseUsername() in git/ucs/services/univention-radius/usr/share/pyshared/univention/networkaccess.py has to be modified. Something like this:

--- a/services/univention-radius/usr/share/pyshared/univention/networkaccess.py +++ b/services/univention-radius/usr/share/pyshared/univention/networkaccess.py @@ -262,6 +262,9 @@ DISALLOWED_SAMBA_ACCOUNT_FLAGS = frozenset((SAMBA_ACCOUNT_FLAG_DISABLED, SAMBA_A def parseUsername(username): '''convert username from host/-format to $-format if required''' if not username.startswith('host/'): + if username.count('\\') == 1: + # seems to be in format DOMAIN\USERNAME + username = username.split('\\', 1)[1] return username username = username.split('/', 1)[1] # remove host/ username = username.split('.', 1)[0] # remove right of '.'
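Review bot: the added branch in parseUsername() strips whatever precedes the single backslash without checking that it is this server's own NETBIOS domain, so a request for OTHERDOMAIN\user would be looked up as the local user "user"; compare the prefix against the configured domain (the windows/domain UCR variable referred to later in this bug) and leave the name untouched or reject it when the prefix differs. The docstring '''convert username from host/-format to $-format if required''' should also mention the new DOMAIN\USERNAME handling, since the function now does more than it says.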
This requires some more investigation.

The flag "ntdomain" mentioned in comment 1 is already part of sites-available/default. If the realms are added to /etc/freeradius/3.0/proxy.conf, the authentication works sometimes.

"sometimes" because the success depends on the username. Currently it looks like freeradius is converting the user "NSTX\bwce6f7qcj" to "NSTX\010wce6f7qcj" when the ntlm_auth_helper is called. It even gets worse if the username starts with a "n" → "\n" → newline. In such cases, the authentication fails constantly. If the username starts with a "u", there is no problem with authentication.

I added a test script ucs-test/45_radius/03_username_with_ntdomain that is currently disabled, because it would fail randomly due to the random usernames.

The patch in comment #4 is not required.

So if this quoting problem is fixed, the bug would be (nearly) solved. A bonus would be that the realm is automatically written to proxy.conf.
(In reply to Sönke Schwardt-Krummrich from comment #5)
> This requires some more investigation.

Next day, new attempt...

> The flag "ntdomain" mentioned in comment 1 is already part of
> sites-available/default. If the realms are added to
> /etc/freeradius/3.0/proxy.conf, the authentication works sometimes.
>
> "sometimes" because the success depends on the username.
> Currently it looks like freeradius is converting the user "NSTX\bwce6f7qcj"
> to "NSTX\010wce6f7qcj" when the ntlm_auth_helper is called. It even gets
> worse if the username starts with a "n" → "\n" → newline.

radtest and radclient have problems at least with backslashes and are trying to quote or interpret them → the username becomes garbage. The test script 03_username_with_ntdomain has been changed accordingly and is now using eapol_test.

> The patch in comment #4 is not required.

This is still the case.

> A bonus would be that the realm is automatically written to proxy.conf.

There is now a new UCR template proxy.conf that contains a realm entry for the NETBIOS domain (stored in UCRV windows/domain). The original proxy.conf is diverted to proxy.conf.debian.

d5ba83e3e6 Bug #42535: Merge branch 'sschwardt/42535/4.3/radius-auth' into 4.3-2
00ffa3361a Bug #42535: add changelog entry
77471aca25 Bug #42535: reimplement 03_username_with_ntdomain to circumvent freeradius quoting issues
5fc4a69417 Bug #42535: add advisory
5e98c20ea3 Bug #42535: add changelog entry
539df6009b Bug #42535: add new UCR template for proxy.conf but also include proxy.conf.debian

Package: univention-radius
Version: 5.0.1-1A~4.3.0.201811281453
Branch: ucs_4.3-0
Scope: errata4.3-2

Package: ucs-test
Version: 8.0.28-237A~4.3.0.201811281454
Branch: ucs_4.3-0
Scope: errata4.3-2
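The username handling discussed in comments 4 to 6, as an added example in Python that is not code from Univention's univention-radius package or from FreeRADIUS: it normalizes the three name shapes seen in this bug (host/fqdn, DOMAIN\user and a bare name), refuses names for a foreign domain instead of silently stripping the prefix, and models the escape interpretation that turned NSTX\bwce6f7qcj into NSTX\010wce6f7qcj in comment 5. The domain constant, the escape table and all user names except the one quoted from comment 5 are constructed assumptions; the function and variable names are mine and do not exist in networkaccess.py.

```python
"""Added example (not code from Univention or FreeRADIUS): username handling
for the three name shapes that appear in this bug, plus a model of the escape
interpretation that mangled DOMAIN\\user names in comment 5.

All sample names below are constructed; only the domain name NSTX and the
mangled form NSTX\\010wce6f7qcj are taken from the bug comments."""

# Domain this server answers for (UCR variable windows/domain in the bug;
# here a constant assumed for the example).
LOCAL_NT_DOMAIN = "NSTX"

# C-style escapes that a naive client or helper might interpret. This table
# is an assumption used to model the behaviour comment 5 observed, not the
# actual code of radtest, radclient or ntlm_auth_helper.
_C_ESCAPES = {
    "n": "\n", "t": "\t", "b": "\b", "r": "\r",
    "f": "\f", "v": "\v", "a": "\a", "\\": "\\",
}


def split_nt_domain(username):
    """Split 'DOMAIN\\user' into (domain, user); (None, username) otherwise.

    Exactly one backslash with text on both sides is accepted; anything else
    is left untouched so a malformed name is not silently turned into a
    different account."""
    domain, sep, user = username.partition("\\")
    if not sep or not domain or not user or "\\" in user:
        return None, username
    return domain, user


def normalize_username(username, local_domain=LOCAL_NT_DOMAIN):
    """Return the account name to look up, or None if the name belongs to a
    domain this server is not responsible for.

    host/fqdn  -> 'host$'  (machine account, as parseUsername already does)
    DOMAIN\\u  -> 'u'      (the ntdomain realm stripping from comments 1/6)
    u          -> 'u'
    """
    if username.startswith("host/"):
        host = username.split("/", 1)[1].split(".", 1)[0]
        return host + "$"
    domain, user = split_nt_domain(username)
    if domain is None:
        return user
    if domain.upper() != local_domain.upper():
        return None  # unknown realm: refuse rather than guess
    return user


def c_unescape(text):
    """Model of a layer that interprets backslash escapes (see _C_ESCAPES).
    Unknown sequences such as '\\u' pass through unchanged, which is why
    names starting with 'u' survived in comment 5 while 'b' and 'n' did not."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in _C_ESCAPES:
            out.append(_C_ESCAPES[text[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def octal_escaped(text):
    """Render control characters as \\ooo, the way the corrupted name shows
    up in comment 5 (backspace 0x08 -> \\010)."""
    return "".join(ch if ch.isprintable() else "\\%03o" % ord(ch)
                   for ch in text)


def survives_escape_layer(username):
    """True if the name reaches the backend unchanged through an
    escape-interpreting layer; useful as a pre-check or to choose test
    inputs when such a client or helper is on the path."""
    return c_unescape(username) == username


def realm_stanza(domain):
    """The proxy.conf realm entry comment 1 added by hand and comment 6
    generates from a UCR template: an empty realm block means 'local'."""
    return "realm %s {\n}\n" % domain


if __name__ == "__main__":
    # Constructed sample names; the first one is the user from comment 5.
    for name in ("NSTX\\bwce6f7qcj", "NSTX\\nuser", "NSTX\\uwce6f7qcj",
                 "host/pc01.example.test", "OTHER\\alice", "alice"):
        print("%-24s -> %-12s escape-safe=%-5s mangled=%s" % (
            name, normalize_username(name), survives_escape_layer(name),
            octal_escaped(c_unescape(name))))
    print(realm_stanza(LOCAL_NT_DOMAIN), end="")
```

Running the block prints one line per sample name. survives_escape_layer() shows the pattern behind the random test failures in comment 5: the names that break are exactly those whose character after the backslash is a valid escape letter, which is why comment 6 moved the test script from radtest/radclient to eapol_test rather than trying to quote around it.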
893da68b5c Bug #42535: fixed whitespace typo

Package: univention-radius
Version: 5.0.1-2A~4.3.0.201811291515
Branch: ucs_4.3-0
Scope: errata4.3-2

Advisory has been updated.
I fixed a small bug in the proxy.conf template:

[4.3-2 9e041adcbe] Bug #42535: Fix missing comment on new line
[4.3-2 be329db6dc] Bug #42535: YAML

Tests are looking good -> OK
YAML -> OK

Package: univention-radius
Version: 5.0.1-3A~4.3.0.201811291625
Branch: ucs_4.3-0
Scope: errata4.3-2
<http://errata.software-univention.de/ucs/4.3/361.html>