Hi all

I'm not sure whether to go to the ppp lists for this, or the samba lists. I thought I'd try here first.

I have a linux firewall using winbind to authenticate users coming in with PPTP. It all seemed to work OK at first. After a while I noticed that authentication was denied to users who had previously (as in less than a day) authenticated successfully. After a day or so of fighting with this setup, I found that restarting winbindd will allow users to authenticate successfully again. This happens with both the built-in windows PPTP VPN client, and pppd as a client under linux.

What happens is:

- restart winbind
- authenticate a user
- close pptp connection
- a few minutes (seems like around 10) after a first (or several) successful authentication, I get the following ppp trace on the client side:

rcvd [CHAP Challenge id=0x8b <8b7f80d136cce1a774e888a0d4e83bbc>, name = "pptpd"]
sent [CHAP Response id=0x8b <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>, name = "xxxxx"]
rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted"]
5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
F8673CADD4286B742EF0C39036393650701D0A60
MS-CHAPv2 mutual authentication failed.
CHAP authentication failed
sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]

In other words, the ntlm_auth helper and the AD server say OK, but the hashes aren't equal, which causes ppp to say "mutual authentication failed". I hacked the ppp sources (chap_ms.c) gently to output the two hashes. Immediately after the pppd authentication failure, wbinfo -a is successful with the same username.

I also tried

ntlm_auth --username xxxx

which comes back with

NT_STATUS_OK: Success (0x0)

but

ntlm_auth --username xxxxx --diagnostics

comes back with (after a bunch of logging info that I won't post yet)

Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)

I don't know if that's expected. Any help diagnosing this much appreciated.

I've tried starting winbind with the -n switch, and setting winbind cache time = 10 in smb.conf. Neither changes the behaviour I've described.

PPTP access works perfectly if I use an identical setup except that I store the usernames and passwords in chap-secrets rather than using winbind.

I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345] (tried all of them) on an x86_64 gentoo box.

thanks
John
On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> Hi all
>
> I'm not sure whether to go to the ppp lists for this, or the samba
> lists. I thought I'd try here first.
>
> I have a linux firewall using winbind to authenticate users coming in
> with PPTP. It all seemed to work OK at first. After a while I noticed
> that authentication was denied to users who had previously (as in less
> than a day) authenticated successfully. After a day or so of fighting
> with this setup, I found that restarting winbindd will allow users to
> authenticate successfully again. This happens with both the built-in
> windows PPTP VPN client, and pppd as a client under linux.
>
> What happens is:
>
> - restart winbind
> - authenticate a user
> - close pptp connection
> - a few minutes (seems like around 10) after a first (or several)
> successful authentication, I get the following ppp trace on the client side:
>
> rcvd [CHAP Challenge id=0x8b <8b7f80d136cce1a774e888a0d4e83bbc>, name =
> "pptpd"]
> sent [CHAP Response id=0x8b
> <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
> name = "xxxxx"]
> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
> M=Access granted"]
> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> F8673CADD4286B742EF0C39036393650701D0A60
> MS-CHAPv2 mutual authentication failed.
> CHAP authentication failed
> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
>
> In other words, the ntlm-auth helper and AD server says OK, but the
> hashes aren't equal, which causes ppp to say "mutual authentication
> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
> hashes.

> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
> (tried all of them) on a x86_64 gentoo box.

Try with the latest GIT tree. We finally fixed a bug which caused this kind of breakage.

(We returned the wrong session key, which is why the server thinks this is OK, but the client isn't impressed).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.