I have been researching this issue with the information that Heikki provided and 
it is accurate in every detail.  When I rebuilt my server with Ubuntu 8.04LTS 
using the same config file it worked without issue.  This clearly seems to be a 
Samba issue and one that is fairly serious since it seems to affect any of the 
RADIUS software that uses ntlm_auth.

Todd Smith

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Wednesday, September 22, 2010 15:57
To: radiator@open.com.au
Subject: Re: [RADIATOR] Issues with AuthbyNTLM (LONG)


We had a working Debian 4.0 (etch) installation that was handling 
authentication about the same as described above. The usual case was Windows 
doing PEAP.

Since 4.0 is not supported anymore, it was upgraded to 5.0 and everything else 
worked as it should (plain password authentication etc.) but PEAP broke. The 
trace looked similar: ntlm_auth indicated success and the authentication almost 
finished.

After looking for help, I found out that others had also seen the problem:

http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg00289.html

The problem seems to be that ntlm_auth that comes with Debian 5.0 samba package 
does not return correct values. There is more about this towards the end where 
the trace file is.

The fix was to downgrade winbind and samba-common packages to Debian 4.0 
packages.

In other words we have the following samba related packages from 4.0 installed 
on 5.0:

ii  samba-common                      3.0.24-6etch10           Samba common files used by both the server a
ii  winbind                           3.0.24-6etch10           service to resolve user and group informatio


A bit more about this solution: only samba-common and winbind were needed. The 
samba package itself is not installed since smbd and nmbd daemons are not 
needed for ntlm_auth to work.

% dpkg -s samba
Package: samba
Status: deinstall ok config-files

Samba in Debian 5.0 is 3.4.5 so the fix was in effect to downgrade from
3.4 series to 3.0 series. You may be able to fix your problem by uninstalling 
samba packages, not using purge because winbind needs samba's configuration 
file, and installing the latest samba-common and winbind from the Ubuntu 8.04 
branch. I have not tried the downgrade with Ubuntu, but it helped with Debian.

I just did a quick check to various Debian and Ubuntu versions and it looks 
like:

- Debian 4.0   has samba 3.0.24
- Debian 5.0   has samba 3.2.5
- Ubuntu 8.04  has samba 3.0.28a
- Ubuntu 10.04 has samba 3.4.7

From the above I have also used Ubuntu 8.04 successfully doing ntlm_auth.

There is more about ntlm_auth below near the end of included trace.

Everything looks good so far. ntlm_auth gets a success back from the Windows 
server and also the User-Session-Key it requested.

If I have understood correctly the User-Session-Key should be a MD4 hash of the 
NTHash that the Windows server stores. In other words
md4(md4(asciitounicode(password))) which with plain 7bit ascii is simply
md4(md4(password))

The broken ntlm_auth does not return this double hash of the password, but instead 
some other value. This value causes an incorrect "authenticator response" to be 
calculated and makes the client think that the server does not know the real 
password hash. In other words the server authentication to the client fails.

What happens is that the client ends the authentication and no reply is ever 
received until a new try is initiated by the client. Just like below, the last 
message is the message to the client.

--
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
