samba - Jul 2008 - samba 3.2 breaks ppp winbind plugin

We have a system running fedora 8 using pptpd from the poptop yum 
repository.
See http://www.poptop.org/

pptpd/pppd use the winbind plugin from the ppp package to authenticate 
to Active Directory.
This works just fine. 

Then I found the same setup would not work on a fedora 9 setup.

In order to exclude any possible configuration errors I built
a virtual machine and simulated an upgrade. This is what I found:

- fedora 8 out of the box works just fine
- fedora 8 yummed up-to-date still works fine
- after upgrading to fc9 it stops working
- yum update would not change things
- reverting to last f8 kernel would not help
- reverting to last f8 ppp rpm would not help
- reverting to pptpd rpm built for f8 would not help
- reverting to last f8 samba rpms would help!

What's happening when things don't work is that the XP client
comes with this error, after a successful authentication:

"Error 778: It was not possible to verify the identity of the server"

I can see in the log files and in wireshark traces that the authentication
was indeed successful. If I, on purpose, type a wrong password, I get
the authentication failure message one would expect.

Wireshark shows that the XP client is terminating the connection
immediately after a successful CHAP handshake.

I've seen several reports of this error on the poptop mailing list, all 
unanswered.
Maybe they are seeing the same problem.

Fedora 9 comes with a major Samba update, from 3.0 to 3.2
The winbind plugin that pptpd is using is supplied by Samba,
so of course  winbind bugs or changes affect pptpd.

Still I wonder what exactly broke, as winbind is in fact
authenticating just fine.

Pim

On Tue, 2008-07-29 at 18:13 +0200, Pim Zandbergen wrote:
> We have a system running fedora 8 using pptpd from the poptop yum 
> repository.
> See http://www.poptop.org/
> 
> pptpd/pppd use the winbind plugin from the ppp package to authenticate 
> to Active Directory.
> This works just fine. 
> 
> Then I found the same setup would not work on a fedora 9 setup.
So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba
3.2 PDC from Fedora 9?
> What's happening when things don't work is that the XP client
> comes with this error, after a successful authentication:
> 
> "Error 778: It was not possible to verify the identity of the
server"
> Wireshark shows that the XP client is terminating the connection
> immediately after a successful CHAP handshake.
This almost certainly means the session key returned from the PDC to the
member server (where winbind and radius are) and calculated into the
MSCHAPv2 response is incorrect/missing/etc.

Look for it being missing first - check with strace/gdb/etc in pppd to
see what broke about the interaction with ntlm_auth.   

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20080730/94bb554a/attachment.bin