I am not sure how to determine the separator, but 'which' shows
"/usr/bin/ntlm_auth". I already ran it while on-site. Since it is broken,
I cannot remote in. I will have to show up on-site again, possibly
Thursday.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2015 01:41 PM, Michael Wandel wrote:
> Hey,
>
> On 27.10.2015 17:53, Ryan Ashley wrote:
>> I'm setting up a PPTP VPN server on a client domain and am having an odd
>> issue. If I run ntlm_auth on the command-line, it works as expected.
>> However, if I run it with my PPTP server, it denies access to every
>> user. My setup is that I have a few AD users in an AD group named
>> "PPTP". I have the following in my pptp-options file. The server is
>> Debian Squeeze 64bit.
>>
>> name vpn01
>> domain kigm.local
>> refuse-pap
>> refuse-chap
>> refuse-mschap
>> require-mschap-v2
>> require-mppe-128
>> ms-dns 192.168.0.1
>> ms-dns 192.168.0.2
>> proxyarp
>> nodefaultroute
>> lock
>> nobsdcomp
>> plugin winbind.so
>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>> --require-membership-of=KIGM+PPTP"
>>
>> This domain is scheduled to be rebuilt next year to get rid of any
>> ".local" issues. It also means we upgrade to Gentoo GNU/Linux (no
>> systemd, unlike the latest Debian) and will have much newer software.
>> However, we have new needs now which require remote access for three people.
>>
>> If I remove the helper protocol option I get an actual "Access denied"
>> message in my client log. If I leave it in there, it times out and I get
>> an error about LCP negotiation timing out. If I use the helper option on
>> the command-line, it hangs. If not, it works perfectly.
>>
>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain username>
>>
> Which winbind separator are you using, "\" or "+"?
>
> What is the output of:
>
> which ntlm_auth
>
> best regards
>
> Michael
>
>> The above works. Users in the PPTP group return 0 (success) and others
>> return an error. Why won't it work with pptpd? Note that the VPN server is
>> separate from the domain controllers. All of the domain accounts and groups
>> resolve on the VPN server.
>>
On 27/10/15 21:05, Ryan Ashley wrote:
> I am not sure how to determine the separator,

The separator is easy to establish: do you have a line in smb.conf that
starts 'winbind separator ='? If you do, then whatever is after the '='
is the separator; if you haven't got the line, then you are using the
default '\'.

Rowland

> but 'which' shows
> "/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
> broken, I cannot remote in. I will have to show up on-site again,
> possibly Thursday.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
Thank you, Rowland. I will be going by this afternoon and I will check.
The thing is, if it IS "\", how do I enter that into the pptp-options
file? The entire list of parameters is in quotes, so do I need a
double-backslash or anything?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2015 05:21 PM, Rowland Penny wrote:
> On 27/10/15 21:05, Ryan Ashley wrote:
>> I am not sure how to determine the separator,
>
> The separator is easy to establish: do you have a line in smb.conf
> that starts 'winbind separator ='? If you do, then whatever is after
> the '=' is the separator; if you haven't got the line, then you are
> using the default '\'.
>
> Rowland
>
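The check Rowland describes (read the winbind separator from smb.conf, falling back to the default '\') and the comparison it implies against the `--require-membership-of=KIGM+PPTP` value in the pptp-options file can be scripted. The script below is an added example written for this page, not code from the thread or from Samba or pptpd; the config file paths, the function names and the constructed sample smb.conf and pptp-options contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the active winbind
# separator from smb.conf the way Rowland describes (the value after
# 'winbind separator =', default '\' when the line is absent) and checks
# whether the pptp-options ntlm_auth-helper line uses the same character
# in its --require-membership-of=DOMAIN<sep>GROUP value.
# File paths and the sample configs below are assumptions/constructed.

# Print the winbind separator configured in the given smb.conf.
# Only an uncommented 'winbind separator = X' line counts; lines that
# start with ';' or '#' do not match the anchored pattern.
winbind_separator() {
    conf="$1"
    sep=""
    if [ -r "$conf" ]; then
        sep=$(sed -n 's/^[[:space:]]*winbind[[:space:]]*separator[[:space:]]*=[[:space:]]*\(.\).*/\1/p' "$conf" | tail -n 1)
    fi
    # Samba's default when the parameter is not set.
    [ -n "$sep" ] || sep='\'
    printf '%s\n' "$sep"
}

# Print the character that sits between DOMAIN and GROUP in the
# --require-membership-of= value of the ntlm_auth-helper line.
# Prints nothing if the option is not present in the file.
options_separator() {
    sed -n 's/.*--require-membership-of=[[:alnum:]_.-]*\([^[:alnum:]_.-]\)[[:alnum:]_.-]*.*/\1/p' "$1" | head -n 1
}

# Compose DOMAIN<sep>GROUP: membership_arg DOMAIN GROUP SEP
membership_arg() {
    printf '%s%s%s\n' "$1" "$3" "$2"
}

# Compare the two sources; return 0 on match, 1 on mismatch.
check_membership_separator() {
    smb_sep=$(winbind_separator "$1")
    opt_sep=$(options_separator "$2")
    if [ -n "$opt_sep" ] && [ "$smb_sep" = "$opt_sep" ]; then
        printf '%s\n' "OK: pptp-options uses '$opt_sep', which matches winbind"
        return 0
    fi
    # printf rather than echo: some shells' echo interprets a backslash.
    printf '%s\n' "MISMATCH: winbind separator is '$smb_sep', pptp-options uses '${opt_sep:-<none>}'" >&2
    return 1
}

# Demo on constructed files mirroring the thread: '+' in pptp-options and
# no 'winbind separator' line in smb.conf, so winbind is on the default '\'.
demo_dir=$(mktemp -d)
printf '[global]\n   workgroup = KIGM\n   security = ads\n' > "$demo_dir/smb.conf"
printf '%s\n' 'name vpn01' 'plugin winbind.so' \
    'ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIGM+PPTP"' \
    > "$demo_dir/pptp-options"
check_membership_separator "$demo_dir/smb.conf" "$demo_dir/pptp-options" || true
printf '%s\n' "value winbind would expect for this smb.conf: $(membership_arg KIGM PPTP "$(winbind_separator "$demo_dir/smb.conf")")"
rm -rf "$demo_dir"
```

On a host where winbind is already running, `wbinfo --separator` prints the active separator directly and is a quicker cross-check than parsing smb.conf. The script only reports which character the options file currently carries; it does not attempt to settle how pppd unquotes that string, which the thread leaves open.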