ntlm_auth returns invalid NT_KEY

Is there are reason why the priority of this bug is so low? This issue prevents deployment of freeradius authenticating against Active Directory in a corporate environment.

My company has recently upgraded to using the LucidLynx server release of Ubuntu on our main servers - and this issue means that it is no longer possible to perform the necessary authentication for users on our network. In particular, this means we are no longer able to provide wireless network access to our employees - which is a serious problem.

Given that LucidLynx is a LTS release, is there a plan to release the version of Samba containing the fix for this bug to Lucid soon?

Can someone comment on whether this fix is going to be released on Lucid? This is causing us serious problems, meaning our company's wireless network is essentially unusable.

As of 2010-11-16, this bug is not yet confirmed to be fixed. If you want to help, please test the bugfix on the corresponding Samba bug and report your results on the Samba bugzilla.

I have tested the fix attached to the Samba bug on my Ubuntu Lucid server, and this fixed the problem - ntlm_auth now works correctly.

I've posted a comment on Samba bugzilla, confirming that the patch fixes this issue. Is this sufficient for getting the fix released for Lucid?

This is fixed in the 3.5.9 packages from Natty.

It's a complete show stopper for any sort of RADIUS installation authenticating against AD, so the severity should be a bit higher I think.

The patch is available so could this get packaged?

Apparently fixed in the version in natty, I intend to upload SRUs for Lucid and Maverick.

SRU Test Case [ Provided by Craig Balfour]:

Install Software
----------------
apt-get install samba winbind krb5-user freeradius

Configure Kerberos
------------------

Edit /etc/krb5.conf:
[realms]

EXAMPLE.CO.ZA = {
        kdc = server1.example.co.za
        kdc = server2.example.co.za
        admin_server = server1.example.co.za
}

[domain_realm]
        .example.co.za = EXAMPLE.CO.ZA
        example.co.za = EXAMPLE.CO.ZA

Configure Samba
---------------

Edit /etc/samba/smb.conf:

workgroup = EXAMPLE
security = ads
realm = EXAMPLE.CO.ZA

Join Samba to Active Directory Domain
-------------------------------------

net join -U Administrator

service winbind restart
service smbd restart

Configure freeradius
--------------------

Edit /etc/freeradius/modules/mschap:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

addgroup freerad winbindd_priv

service freeradius restart

Install and Configure rad_eap_test
----------------------------------
apt-get install libssl-dev

Download http://hostap.epitest.fi/releases/wpa_supplicant-0.7.3.tar.gz
tar zxvof wpa_supplicant-0.7.3.tar.gz
cd wpa_supplicant-0.7.3/wpa_supplicant

Create .config:
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_LEAP=y
CONFIG_IEEE8021X=y

make eapol_test

Download http://wiki.eduroam.cz/rad_eap_test/rad_eap_test-0.23.tar.bz2
tar jxvof rad_eap_test-0.23.tar.bz2
cd rad_eap_test-0.23
cp ../wpa_supplicant-0.7.3/wpa_supplicant/eapol_test bin/

./rad_eap_test -H localhost -P 1812 -S testing123 -u fred -p password -m WPA-EAP -e PEAP

With faulty version of Samba test returns:
access-reject; 1
With fixed version of Samba, test returns:
access-accept; 0

References:

1. http://deployingradius.com/documents/configuration/active_directory.html
2. http://marcel.bl2000.org/?p=242

I have builds of the proposed branches in my SRU PPA: https://launchpad.net/~stefanor/+archive/sru

Uploaded samba 2:3.5.4~dfsg-1ubuntu8.4 to maverick-proposed.

Uploaded samba 2:3.4.7~dfsg-1ubuntu3.5 to lucid-proposed.

Accepted samba into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted samba into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

I've updated to the proposed package for Lucid, and tested it, and can confirm that this fixes the ntlm_auth issue.

This bug was fixed in the package samba - 2:3.4.7~dfsg-1ubuntu3.5

---------------
samba (2:3.4.7~dfsg-1ubuntu3.5) lucid-proposed; urgency=low

  * debian/patches/ntlm-auth-lp623342.patch: ntlm_auth returns an invalid
    response key. (LP: #623342) Patch taken from upstream
    (https://bugzilla.samba.org/show_bug.cgi?id=7568)
 -- Stefano Rivera <email address hidden> Wed, 02 Mar 2011 22:40:42 +0100

The patch does not work for me... :(

I installed "samba (2:3.4.7~dfsg-1ubuntu3.5)" and the result was:
$ ./rad_eap_test -H localhost -P 1812 -S testing123 -u "DOMAIN\user" -p password -m WPA-EAP -e PEAP
timeout; 5

I patched "samba (2:3.4.7~dfsg-1ubuntu3.5)" with [1] and the result is:
$ ./rad_eap_test -H localhost -P 1812 -S testing123 -u "DOMAIN\user" -p password -m WPA-EAP -e PEAP
access-accept; 0

So long,
    Aiko

[1]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c32

Sorry for the delay on testing. We are having no issue with the lucid update, and have tested the maverick one too.

Aiko:
I've prepared a PPA Build with a later version of the patch you linked to:
https://launchpad.net/~stefanor/+archive/sru

It seems to work (no regressions), but we also aren't seeing the issue you are (a timeout).
I suggest filing a separate bug for this.

This bug was fixed in the package samba - 2:3.5.4~dfsg-1ubuntu8.4

---------------
samba (2:3.5.4~dfsg-1ubuntu8.4) maverick-proposed; urgency=low

  * debian/patches/ntlm-auth-lp623342.patch: ntlm_auth returns an invalid
    response key. (LP: #623342) Patch taken from upstream
    (https://bugzilla.samba.org/show_bug.cgi?id=7568)
 -- Stefano Rivera <email address hidden> Wed, 02 Mar 2011 22:38:19 +0100

I had a closer look at those bug reports. And I found other people[1] who mention that the patch from [2] is not enough. They use [3], which is a configurable variant of [4].

On the other hand, Stefan Metzmacher says in [5], that we should try Samba-3.5.8. Stefan Metzmacher is also the code reviewer from [2].

And I can confirm, that Ubuntu 11.04 with Samba-3.5.8~dfsg-1ubuntu1 runs out of the box within my freeradius infrastructure:

$ ./rad_eap_test -H localhost -P 1812 -S Password123 -u 'DOMAIN\user' -p Password -m WPA-EAP -e PEAP
access-accept; 0

[1]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c47
[2]: https://bugzilla.samba.org/show_bug.cgi?id=7568
[3]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c39
[4]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c32
[5]: https://bugzilla.samba.org/show_bug.cgi?id=6563#c52

Aiko, as Stefano suggested earlier, this sounds like something that should be tracked as a new (but related) issue, as this bug report appears to be fixed for some of the affected users.

This bug is not fixed for me in 2:3.4.7~dfsg-1ubuntu3.5.

Sorry for the late answer.

I missed the updates before but I have seen the change "Confirmed → Incomplete".

My initial problem has gone with 12.04. I no longer need any patches. Everythings works out of the box.

Thanks,
Aiko