ntlm_auth returns invalid NT_KEY

Bug #623342 reported by Aiko Barz on 2010-08-24
This bug affects 6 people
Affects           Status        Importance  Assigned to  Milestone
samba             Fix Released  Critical
samba (Ubuntu)                  Low         Unassigned
Lucid                           Low         Unassigned
Maverick                        Low         Unassigned

Bug Description

Binary package hint: winbind

ntlm_auth returns an invalid response key. This makes programs like freeradius fail, so it is impossible to authenticate against Active Directory. This affects, for example, 802.1X WLAN setups that authenticate against freeradius/Active Directory.
Other programs like Squid may authenticate against Radius too.

This bug seems to be fixed in the not yet released Samba-3.4.9 package.

See https://bugzilla.samba.org/show_bug.cgi?id=6563 for more details.

Mathias Gug (mathiaz) on 2010-08-25
Changed in samba (Ubuntu):
importance: Undecided → Low
Changed in samba:
status: Unknown → Confirmed
Lawrence Troup (lawrencetroup) wrote :

Is there a reason why the priority of this bug is so low? This issue prevents deployment of freeradius authenticating against Active Directory in a corporate environment.

My company has recently upgraded to using the LucidLynx server release of Ubuntu on our main servers - and this issue means that it is no longer possible to perform the necessary authentication for users on our network. In particular, this means we are no longer able to provide wireless network access to our employees - which is a serious problem.

Given that LucidLynx is an LTS release, is there a plan to release the version of Samba containing the fix for this bug to Lucid soon?

Lawrence Troup (lawrencetroup) wrote :

Can someone comment on whether this fix is going to be released on Lucid? This is causing us serious problems, meaning our company's wireless network is essentially unusable.

Chuck Short (zulcss) on 2010-11-26
Changed in samba (Ubuntu):
status: New → Confirmed
Kai Blin (kai.blin) wrote :

As of 2010-11-16, this bug is not yet confirmed to be fixed. If you want to help, please test the bugfix on the corresponding Samba bug and report your results on the Samba bugzilla.

Lawrence Troup (lawrencetroup) wrote :

I have tested the fix attached to the Samba bug on my Ubuntu Lucid server, and this fixed the problem - ntlm_auth now works correctly.

I've posted a comment on Samba bugzilla, confirming that the patch fixes this issue. Is this sufficient for getting the fix released for Lucid?

Adam Bishop (adam-omega) wrote :

This is fixed in the 3.5.9 packages from Natty.

It's a complete show stopper for any sort of RADIUS installation authenticating against AD, so the severity should be a bit higher I think.

The patch is available so could this get packaged?

Changed in samba:
importance: Unknown → Critical
Stefano Rivera (stefanor) wrote :

Apparently fixed in the version in natty, I intend to upload SRUs for Lucid and Maverick.

Changed in samba (Ubuntu):
status: Confirmed → Fix Released
Stefano Rivera (stefanor) wrote :

SRU Test Case [provided by Craig Balfour]:

Install Software
----------------
apt-get install samba winbind krb5-user freeradius

Configure Kerberos
------------------

Edit /etc/krb5.conf:
[realms]

EXAMPLE.CO.ZA = {
        kdc = server1.example.co.za
        kdc = server2.example.co.za
        admin_server = server1.example.co.za
}

[domain_realm]
        .example.co.za = EXAMPLE.CO.ZA
        example.co.za = EXAMPLE.CO.ZA

Configure Samba
---------------

Edit /etc/samba/smb.conf:

workgroup = EXAMPLE
security = ads
realm = EXAMPLE.CO.ZA

Join Samba to Active Directory Domain
-------------------------------------

net join -U Administrator

service winbind restart
service smbd restart

Configure freeradius
--------------------

Edit /etc/freeradius/modules/mschap:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

addgroup freerad winbindd_priv

service freeradius restart

Install and Configure rad_eap_test
----------------------------------
apt-get install libssl-dev

Download http://hostap.epitest.fi/releases/wpa_supplicant-0.7.3.tar.gz
tar zxvof wpa_supplicant-0.7.3.tar.gz
cd wpa_supplicant-0.7.3/wpa_supplicant

Create .config:
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_LEAP=y
CONFIG_IEEE8021X=y

make eapol_test

Download http://wiki.eduroam.cz/rad_eap_test/rad_eap_test-0.23.tar.bz2
tar jxvof rad_eap_test-0.23.tar.bz2
cd rad_eap_test-0.23
cp ../wpa_supplicant-0.7.3/wpa_supplicant/eapol_test bin/

./rad_eap_test -H localhost -P 1812 -S testing123 -u fred -p password -m WPA-EAP -e PEAP

With the faulty version of Samba, the test returns:
access-reject; 1
With the fixed version of Samba, the test returns:
access-accept; 0

References:

1. http://deployingradius.com/documents/configuration/active_directory.html
2. http://marcel.bl2000.org/?p=242

Changed in samba (Ubuntu Lucid):
importance: Undecided → Low
Changed in samba (Ubuntu Maverick):
importance: Undecided → Low
Changed in samba (Ubuntu Lucid):
status: New → In Progress
Changed in samba (Ubuntu Maverick):
status: New → In Progress
Stefano Rivera (stefanor) wrote :

I have builds of the proposed branches in my SRU PPA: https://launchpad.net/~stefanor/+archive/sru

Benjamin Drung (bdrung) wrote :

Uploaded samba 2:3.5.4~dfsg-1ubuntu8.4 to maverick-proposed.

Changed in samba (Ubuntu Maverick):
status: In Progress → Fix Committed
Benjamin Drung (bdrung) wrote :

Uploaded samba 2:3.4.7~dfsg-1ubuntu3.5 to lucid-proposed.

Changed in samba (Ubuntu Lucid):
status: In Progress → Fix Committed

Accepted samba into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Martin Pitt (pitti) wrote :

Accepted samba into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Lawrence Troup (lawrencetroup) wrote :

I've updated to the proposed package for Lucid, and tested it, and can confirm that this fixes the ntlm_auth issue.

Martin Pitt (pitti) on 2011-03-16
tags: added: verification-done-lucid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.4.7~dfsg-1ubuntu3.5

---------------
samba (2:3.4.7~dfsg-1ubuntu3.5) lucid-proposed; urgency=low

  * debian/patches/ntlm-auth-lp623342.patch: ntlm_auth returns an invalid
    response key. (LP: #623342) Patch taken from upstream
    (https://bugzilla.samba.org/show_bug.cgi?id=7568)
 -- Stefano Rivera <email address hidden> Wed, 02 Mar 2011 22:40:42 +0100

Changed in samba (Ubuntu Lucid):
status: Fix Committed → Fix Released
Aiko Barz (aiko-chroot) wrote :

The patch does not work for me... :(

I installed "samba (2:3.4.7~dfsg-1ubuntu3.5)" and the result was:
$ ./rad_eap_test -H localhost -P 1812 -S testing123 -u "DOMAIN\user" -p password -m WPA-EAP -e PEAP
timeout; 5

I patched "samba (2:3.4.7~dfsg-1ubuntu3.5)" with [1] and the result is:
$ ./rad_eap_test -H localhost -P 1812 -S testing123 -u "DOMAIN\user" -p password -m WPA-EAP -e PEAP
access-accept; 0

So long,
    Aiko

[1]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c32

Stefano Rivera (stefanor) wrote :

Sorry for the delay on testing. We are having no issue with the lucid update, and have tested the maverick one too.

Aiko:
I've prepared a PPA Build with a later version of the patch you linked to:
https://launchpad.net/~stefanor/+archive/sru

It seems to work (no regressions), but we also aren't seeing the issue you are (a timeout).
I suggest filing a separate bug for this.

tags: added: verification-done
removed: verification-done-lucid verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.5.4~dfsg-1ubuntu8.4

---------------
samba (2:3.5.4~dfsg-1ubuntu8.4) maverick-proposed; urgency=low

  * debian/patches/ntlm-auth-lp623342.patch: ntlm_auth returns an invalid
    response key. (LP: #623342) Patch taken from upstream
    (https://bugzilla.samba.org/show_bug.cgi?id=7568)
 -- Stefano Rivera <email address hidden> Wed, 02 Mar 2011 22:38:19 +0100

Changed in samba (Ubuntu Maverick):
status: Fix Committed → Fix Released
Aiko Barz (aiko-chroot) wrote :

I had a closer look at those bug reports. And I found other people[1] who mention that the patch from [2] is not enough. They use [3], which is a configurable variant of [4].

On the other hand, Stefan Metzmacher says in [5], that we should try Samba-3.5.8. Stefan Metzmacher is also the code reviewer from [2].

And I can confirm, that Ubuntu 11.04 with Samba-3.5.8~dfsg-1ubuntu1 runs out of the box within my freeradius infrastructure:

$ ./rad_eap_test -H localhost -P 1812 -S Password123 -u 'DOMAIN\user' -p Password -m WPA-EAP -e PEAP
access-accept; 0

[1]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c47
[2]: https://bugzilla.samba.org/show_bug.cgi?id=7568
[3]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c39
[4]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c32
[5]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c52

Clint Byrum (clint-fewbar) wrote :

Aiko, as Stefano suggested earlier, this sounds like something that should be tracked as a new (but related) issue, as this bug report appears to be fixed for some of the affected users.

Alex Mauer (hawke) wrote :

This bug is not fixed for me in 2:3.4.7~dfsg-1ubuntu3.5.

Changed in samba:
status: Confirmed → Incomplete
Aiko Barz (aiko-chroot) wrote :

Sorry for the late answer.

I missed the updates before but I have seen the change "Confirmed → Incomplete".

My initial problem has gone with 12.04. I no longer need any patches. Everything works out of the box.

Thanks,
Aiko

Changed in samba:
status: Incomplete → Fix Released