That is client setup. We have that under control. Our Linux users use
Network Manager to connect and our Windows users use the stuff built
into Windows. My problem is server-side. The server is a PPTP VPN
(running via pptpd) and I have to add the lines below to make it work.

plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Now, that allows ALL domain users to connect. We only want users in the
"PPTP" domain group to use the VPN, so we do this instead.

plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
--require-membership-of=KIGM\\PPTP"

The issue is that ntlm_auth does not see that as a string and it won't
work. I cannot use quotes because the parameters are quoted, so I am stuck.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/28/2015 10:06 AM, Rowland Penny wrote:
> On 28/10/15 13:45, Ryan Ashley wrote:
>> Thank you, Rowland. I will be going by this afternoon and I will check.
>> The thing is, if it IS "\", how do I enter that into the pptp-options
>> file? The entire list of parameters are in quotes, so do I need a
>> double-backslash or anything?
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 10/27/2015 05:21 PM, Rowland Penny wrote:
>>> On 27/10/15 21:05, Ryan Ashley wrote:
>>>> I am not sure how to determine the separator,
>>> The separator is easy to establish, do you have a line in smb.conf
>>> that starts 'winbind separator =' , if you do, then whatever is after
>>> the '=' is the separator, if you haven't got the line, then you are
>>> using the default '\'
>>>
>>> Rowland
>>>
>>>> but 'which' shows
>>>> "/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
>>>> broken, I cannot remote in. I will have to show up on-site again,
>>>> possibly Thursday.
>>>>
>>>> Lead IT/IS Specialist
>>>> Reach Technology FP, Inc
>>>>
>>>> On 10/27/2015 01:41 PM, Michael Wandel wrote:
>>>>> Hey,
>>>>>
>>>>> On 27.10.2015 17:53, Ryan Ashley wrote:
>>>>>> I'm setting up a PPTP VPN server on a client domain and am having
>>>>>> an odd
>>>>>> issue. If I run ntlm_auth on the command-line, it works as expected.
>>>>>> However, if I run it with my PPTP server, it denies access to every
>>>>>> user. My setup is that I have a few AD users in an AD group named
>>>>>> "PPTP". I have the following in my pptp-options file. The server is
>>>>>> Debian Squeeze 64bit.
>>>>>>
>>>>>> name vpn01
>>>>>> domain kigm.local
>>>>>> refuse-pap
>>>>>> refuse-chap
>>>>>> refuse-mschap
>>>>>> require-mschap-v2
>>>>>> require-mppe-128
>>>>>> ms-dns 192.168.0.1
>>>>>> ms-dns 192.168.0.2
>>>>>> proxyarp
>>>>>> nodefaultroute
>>>>>> lock
>>>>>> nobsdcomp
>>>>>> plugin winbind.so
>>>>>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>>>>> --require-membership-of=KIGM+PPTP"
>>>>>>
>>>>>> This domain is scheduled to be rebuilt next year to get rid of any
>>>>>> ".local" issues. It also means we upgrade to Gentoo GNU/Linux (no
>>>>>> systemd, unlike the latest Debian) and will have much newer
>>>>>> software.
>>>>>> However, we have new needs now which require remote access for
>>>>>> three people.
>>>>>>
>>>>>> If I remove the helper protocol option I get an actual "Access
>>>>>> denied"
>>>>>> message in my client log. If I leave it in there, it times out and
>>>>>> I get
>>>>>> an error about LCP negotiation timing out. If I use the helper
>>>>>> option on
>>>>>> the command-line, it hangs. If not, it works perfectly.
>>>>>>
>>>>>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain
>>>>>> username>
>>>>>>
>>>>> Which winbind separator you are using "\" or "+" ?
>>>>>
>>>>> What is the output of :
>>>>>
>>>>> which ntlm_auth
>>>>>
>>>>> best regards
>>>>>
>>>>> Michael
>>>>>
>>>>>> The above works. Users in the PPTP group return 0 (success) and
>>>>>> others
>>>>>> return an error. Why won't it work with pptpd? Note that the VPN
>>>>>> server is
>>>>>> separate from the domain controllers. All of the domain accounts
>>>>>> and groups
>>>>>> resolve on the VPN server.
>>>>>>
>>>
>>
>
> This might help:
> https://wiki.archlinux.org/index.php/PPTP_VPN_client_setup_with_pptpclient
>
> Rowland
>
>
On 28/10/15 18:10, Ryan Ashley wrote:
> That is client setup. We have that under control. Our Linux users use
> Network Manager to connect and our Windows users use the stuff built
> into Windows. My problem is server-side. The server is a PPTP VPN
> (running via pptpd) and I have to add the lines below to make it work.
>
> plugin winbind.so
> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
>
> Now, that allows ALL domain users to connect. We only want users in the
> "PPTP" domain group to use the VPN, so we do this instead.
>
> plugin winbind.so
> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of=KIGM\\PPTP"
>
> The issue is that ntlm_auth does not see that as a string and it won't
> work. I cannot use quotes because the parameters are quoted, so I am stuck.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 10/28/2015 10:06 AM, Rowland Penny wrote:
>> On 28/10/15 13:45, Ryan Ashley wrote:
>>> Thank you, Rowland. I will be going by this afternoon and I will check.
>>> The thing is, if it IS "\", how do I enter that into the pptp-options
>>> file? The entire list of parameters are in quotes, so do I need a
>>> double-backslash or anything?
>>>
>>> Lead IT/IS Specialist
>>> Reach Technology FP, Inc
>>>
>>> On 10/27/2015 05:21 PM, Rowland Penny wrote:
>>>> On 27/10/15 21:05, Ryan Ashley wrote:
>>>>> I am not sure how to determine the separator,
>>>> The separator is easy to establish, do you have a line in smb.conf
>>>> that starts 'winbind separator =' , if you do, then whatever is after
>>>> the '=' is the separator, if you haven't got the line, then you are
>>>> using the default '\'
>>>>
>>>> Rowland
>>>>
>>>>> but 'which' shows
>>>>> "/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
>>>>> broken, I cannot remote in. I will have to show up on-site again,
>>>>> possibly Thursday.
>>>>>
>>>>> Lead IT/IS Specialist
>>>>> Reach Technology FP, Inc
>>>>>
>>>>> On 10/27/2015 01:41 PM, Michael Wandel wrote:
>>>>>> Hey,
>>>>>>
>>>>>> On 27.10.2015 17:53, Ryan Ashley wrote:
>>>>>>> I'm setting up a PPTP VPN server on a client domain and am having
>>>>>>> an odd
>>>>>>> issue. If I run ntlm_auth on the command-line, it works as expected.
>>>>>>> However, if I run it with my PPTP server, it denies access to every
>>>>>>> user. My setup is that I have a few AD users in an AD group named
>>>>>>> "PPTP". I have the following in my pptp-options file. The server is
>>>>>>> Debian Squeeze 64bit.
>>>>>>>
>>>>>>> name vpn01
>>>>>>> domain kigm.local
>>>>>>> refuse-pap
>>>>>>> refuse-chap
>>>>>>> refuse-mschap
>>>>>>> require-mschap-v2
>>>>>>> require-mppe-128
>>>>>>> ms-dns 192.168.0.1
>>>>>>> ms-dns 192.168.0.2
>>>>>>> proxyarp
>>>>>>> nodefaultroute
>>>>>>> lock
>>>>>>> nobsdcomp
>>>>>>> plugin winbind.so
>>>>>>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>>>>>> --require-membership-of=KIGM+PPTP"
>>>>>>>
>>>>>>> This domain is scheduled to be rebuilt next year to get rid of any
>>>>>>> ".local" issues. It also means we upgrade to Gentoo GNU/Linux (no
>>>>>>> systemd, unlike the latest Debian) and will have much newer
>>>>>>> software.
>>>>>>> However, we have new needs now which require remote access for
>>>>>>> three people.
>>>>>>>
>>>>>>> If I remove the helper protocol option I get an actual "Access
>>>>>>> denied"
>>>>>>> message in my client log. If I leave it in there, it times out and
>>>>>>> I get
>>>>>>> an error about LCP negotiation timing out. If I use the helper
>>>>>>> option on
>>>>>>> the command-line, it hangs. If not, it works perfectly.
>>>>>>>
>>>>>>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain
>>>>>>> username>
>>>>>>>
>>>>>> Which winbind separator you are using "\" or "+" ?
>>>>>>
>>>>>> What is the output of :
>>>>>>
>>>>>> which ntlm_auth
>>>>>>
>>>>>> best regards
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>> The above works. Users in the PPTP group return 0 (success) and
>>>>>>> others
>>>>>>> return an error. Why won't it work with pptpd? Note that the VPN
>>>>>>> server is
>>>>>>> separate from the domain controllers. All of the domain accounts
>>>>>>> and groups
>>>>>>> resolve on the VPN server.
>>>>>>>
>> This might help:
>> https://wiki.archlinux.org/index.php/PPTP_VPN_client_setup_with_pptpclient
>>
>> Rowland
>>
>>
>
How about single quotes ? i.e.

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
--require-membership-of='KIGM\\PPTP'"

Rowland
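An added example, not code from the thread: a small POSIX shell script that applies Rowland's rule for finding the winbind separator in smb.conf, builds the --require-membership-of value from it, and shows why a bare backslash in that value does not survive the shell while the single-quoted form he suggests does. It assumes pppd's winbind plugin hands the ntlm_auth-helper string to /bin/sh -c after stripping its own double-quote escapes; the smb.conf snippets are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pppd's winbind plugin hands the
# ntlm_auth-helper string to /bin/sh -c after removing its own double-quote
# escapes (so "KIGM\\PPTP" in pptp-options reaches the shell as KIGM\PPTP).

winbind_separator() {
    # $1 = path to smb.conf. Rule from the thread: take the value of a
    # 'winbind separator =' line if present, otherwise the default '\'.
    sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*//p' "$1" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -n "$sep" ]; then printf '%s\n' "$sep"; else printf '%s\n' '\'; fi
}

membership_arg() {
    # $1 = domain, $2 = group, $3 = separator -> the option text for ntlm_auth
    printf '%s\n' "--require-membership-of=$1$3$2"
}

shell_sees() {
    # $1 = text exactly as the plugin would pass it; prints what the shell
    # makes of it, i.e. the argument ntlm_auth would actually receive.
    sh -c "printf '%s\n' $1"
}

# Constructed sample smb.conf files: one with an explicit '+' separator,
# one relying on the default.
CONF_PLUS=$(mktemp); CONF_DEFAULT=$(mktemp)
trap 'rm -f "$CONF_PLUS" "$CONF_DEFAULT"' EXIT
cat > "$CONF_PLUS" <<'EOF'
[global]
   workgroup = KIGM
   realm = KIGM.LOCAL
   security = ADS
   winbind separator = +
EOF
cat > "$CONF_DEFAULT" <<'EOF'
[global]
   workgroup = KIGM
   security = ADS
EOF

# With '+' the value needs no escaping; with '\' the quoting decides the outcome.
membership_arg KIGM PPTP "$(winbind_separator "$CONF_PLUS")"     # --require-membership-of=KIGM+PPTP
membership_arg KIGM PPTP "$(winbind_separator "$CONF_DEFAULT")"  # --require-membership-of=KIGM\PPTP
shell_sees 'KIGM\PPTP'       # KIGMPPTP   (bare backslash consumed by sh)
shell_sees 'KIGM\\PPTP'      # KIGM\PPTP  (doubled backslash survives)
shell_sees "'KIGM\\PPTP'"    # KIGM\PPTP  (single quotes, Rowland's form)
```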
Rowland, I tried that already, but I made two breakthroughs. First, I
went to a location where it was working. I realized then that I had put
in the SID for the PPTP group at that location. You know, the
"S-1-15-xyz" number? Now while I was there, I noted that they were
running 4.1 stable. I upgraded them to 4.3 stable. Guess what? The VPN
broke! Something with ntlm_auth and 4.3 stable is borked. I cannot use
the name, SID, or anything to make it work. Then I realized that the VPN
stopped working at the other location when I upgraded from 4.2 stable to
4.3 stable. So, has something changed in 4.3 from 4.2 and/or 4.1? Why
does using the SID work great in 4.1 and 4.2 but doesn't in 4.3? Can I
safely downgrade to 4.2 stable from 4.3 stable?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/28/2015 02:24 PM, Rowland Penny wrote:
> On 28/10/15 18:10, Ryan Ashley wrote:
>> That is client setup. We have that under control. Our Linux users use
>> Network Manager to connect and our Windows users use the stuff built
>> into Windows. My problem is server-side. The server is a PPTP VPN
>> (running via pptpd) and I have to add the lines below to make it work.
>>
>> plugin winbind.so
>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
>>
>> Now, that allows ALL domain users to connect. We only want users in the
>> "PPTP" domain group to use the VPN, so we do this instead.
>>
>> plugin winbind.so
>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>> --require-membership-of=KIGM\\PPTP"
>>
>> The issue is that ntlm_auth does not see that as a string and it won't
>> work. I cannot use quotes because the parameters are quoted, so I am
>> stuck.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 10/28/2015 10:06 AM, Rowland Penny wrote:
>>> This might help:
>>> https://wiki.archlinux.org/index.php/PPTP_VPN_client_setup_with_pptpclient
>>>
>>>
>>> Rowland
>>>
>>>
>>
>
> How about single quotes ? i.e.
>
> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of='KIGM\\PPTP'"
>
>
> Rowland
>
>