We have a system running fedora 8 using pptpd from the poptop yum repository.
See http://www.poptop.org/

pptpd/pppd use the winbind plugin from the ppp package to authenticate to Active Directory.
This works just fine.

Then I found the same setup would not work on a fedora 9 setup.
In order to exclude any possible configuration errors I built a virtual machine and simulated an upgrade.

This is what I found:

- fedora 8 out of the box works just fine
- fedora 8 yummed up-to-date still works fine
- after upgrading to fc9 it stops working
- yum update would not change things
- reverting to last f8 kernel would not help
- reverting to last f8 ppp rpm would not help
- reverting to pptpd rpm built for f8 would not help
- reverting to last f8 samba rpms would help!

What's happening when things don't work is that the XP client comes with this error, after a successful authentication:

"Error 778: It was not possible to verify the identity of the server"

I can see in the log files and in wireshark traces that the authentication was indeed successful. If I, on purpose, type a wrong password, I get the authentication failure message one would expect.

Wireshark shows that the XP client is terminating the connection immediately after a successful CHAP handshake.

I've seen several reports of this error on the poptop mailing list, all unanswered. Maybe they are seeing the same problem.

Fedora 9 comes with a major Samba update, from 3.0 to 3.2.
The winbind plugin that pptpd is using is supplied by Samba, so of course winbind bugs or changes affect pptpd.

Still I wonder what exactly broke, as winbind is in fact authenticating just fine.

Pim

On Tue, 2008-07-29 at 18:13 +0200, Pim Zandbergen wrote:
> We have a system running fedora 8 using pptpd from the poptop yum
> repository.
> See http://www.poptop.org/
>
> pptpd/pppd use the winbind plugin from the ppp package to authenticate
> to Active Directory.
> This works just fine.
>
> Then I found the same setup would not work on a fedora 9 setup.

So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba 3.2 PDC from Fedora 9?

> What's happening when things don't work is that the XP client
> comes with this error, after a successful authentication:
>
> "Error 778: It was not possible to verify the identity of the server"

> Wireshark shows that the XP client is terminating the connection
> immediately after a successful CHAP handshake.

This almost certainly means the session key returned from the PDC to the member server (where winbind and radius are) and calculated into the MSCHAPv2 response is incorrect/missing/etc.

Look for it being missing first - check with strace/gdb/etc in pppd to see what broke about the interaction with ntlm_auth.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
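
An added illustration, not part of either message above: the MS-CHAPv2 authenticator response from RFC 2759, computed in Python with the RFC's published test values, to show why a server working from a wrong or missing key can accept the password and still be rejected by the client. It assumes the session key handed back to pppd stands in for RFC 2759's PasswordHashHash; server_success and client_accepts are hypothetical helper names, and the Success message text is constructed.

```python
import hashlib
import hmac

# Magic constants defined by RFC 2759 for GenerateAuthenticatorResponse.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

# Test values published in RFC 2759 (user "User", password "clientPass").
USERNAME = b"User"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")


def authenticator_response(key, nt_response, peer_chal, auth_chal, user):
    """RFC 2759 GenerateAuthenticatorResponse, keyed by PasswordHashHash.

    Assumption: this 16-octet key is what the session key handed back to
    pppd stands in for.
    """
    digest = hashlib.sha1(key + nt_response + MAGIC1).digest()
    # ChallengeHash: first 8 octets of SHA1(peer || authenticator || user).
    challenge = hashlib.sha1(peer_chal + auth_chal + user).digest()[:8]
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def server_success(key):
    """Constructed CHAP Success message as a server holding `key` sends it."""
    s = authenticator_response(key, NT_RESPONSE, PEER_CHALLENGE,
                               AUTH_CHALLENGE, USERNAME)
    return s + " M=Access granted"


def client_accepts(message, key):
    """Client side: recompute S= from the real key and compare."""
    fields = message.split()
    sent = fields[0] if fields else ""
    expected = authenticator_response(key, NT_RESPONSE, PEER_CHALLENGE,
                                      AUTH_CHALLENGE, USERNAME)
    return hmac.compare_digest(sent.encode(), expected.encode())


if __name__ == "__main__":
    good = server_success(PASSWORD_HASH_HASH)
    bad = server_success(bytes(16))  # key missing: all zeros
    print(good, client_accepts(good, PASSWORD_HASH_HASH))
    print(bad, client_accepts(bad, PASSWORD_HASH_HASH))
```

The same function can be fed the challenges, NT response and user name from a packet trace to check the S= value a server actually sent.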