Rowland, I tried that already, but I made two breakthroughs. First, I went to a location where it was working. I realized then that I had put in the SID for the PPTP group at that location. You know, the "S-1-15-xyz" number? Now while I was there, I noted that they were running 4.1 stable. I upgraded them to 4.3 stable. Guess what? The VPN broke! Something with ntlm_auth and 4.3 stable is borked. I cannot use the name, SID, or anything to make it work. Then I realized that the VPN stopped working at the other location when I upgraded from 4.2 stable to 4.3 stable.

So, has something changed in 4.3 from 4.2 and/or 4.1? Why does using the SID work great in 4.1 and 4.2 but doesn't in 4.3? Can I safely downgrade to 4.2 stable from 4.3 stable?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/28/2015 02:24 PM, Rowland Penny wrote:
> On 28/10/15 18:10, Ryan Ashley wrote:
>> That is client setup. We have that under control. Our Linux users use
>> Network Manager to connect and our Windows users use the stuff built
>> into Windows. My problem is server-side. The server is a PPTP VPN
>> (running via pptpd) and I have to add the lines below to make it work.
>>
>> plugin winbind.so
>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
>>
>> Now, that allows ALL domain users to connect. We only want users in the
>> "PPTP" domain group to use the VPN, so we do this instead.
>>
>> plugin winbind.so
>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>> --require-membership-of=KIGM\\PPTP"
>>
>> The issue is that ntlm_auth does not see that as a string and it won't
>> work. I cannot use quotes because the parameters are quoted, so I am
>> stuck.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 10/28/2015 10:06 AM, Rowland Penny wrote:
>>> This might help:
>>> https://wiki.archlinux.org/index.php/PPTP_VPN_client_setup_with_pptpclient
>>>
>>> Rowland
>>>
>
> How about single quotes? i.e.
>
> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of='KIGM\\PPTP'"
>
> Rowland
>
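The thread's pppd options line hands authentication to ntlm_auth over its ntlm-server-1 helper protocol. The following added example (mine, not code from the thread or from Samba) drives that protocol directly, so the --require-membership-of restriction can be exercised and its reply inspected without pppd in the loop. It assumes /usr/bin/ntlm_auth as in the thread, a running winbindd, that the helper accepts a plaintext "Password:" field, and uses constructed sample credentials.

```python
import subprocess

# Path taken from the thread's pppd options line; assumed to exist here.
NTLM_AUTH = "/usr/bin/ntlm_auth"


def helper_command(require_group=None):
    """argv for the helper. Built as a list, so the group name reaches
    ntlm_auth verbatim with no shell quoting step in between."""
    cmd = [NTLM_AUTH, "--helper-protocol=ntlm-server-1"]
    if require_group:
        cmd.append("--require-membership-of=" + require_group)
    return cmd


def build_request(domain, username, password):
    """One ntlm-server-1 request: 'Name: value' lines ended by a lone '.'.
    Assumes the helper accepts a plaintext 'Password:' field (pppd itself
    sends LANMAN-Challenge/NT-Response lines instead)."""
    lines = ["NT-Domain: " + domain, "Username: " + username,
             "Password: " + password, "."]
    return "\n".join(lines) + "\n"


def parse_response(text):
    """Collect the helper's 'Name: value' reply lines up to its '.'."""
    fields = {}
    for line in text.splitlines():
        if line == ".":
            break
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    return fields


def authenticate(domain, username, password, require_group=None):
    """Run one exchange against the real helper; needs winbindd running."""
    proc = subprocess.run(helper_command(require_group),
                          input=build_request(domain, username, password),
                          capture_output=True, text=True, check=False)
    return parse_response(proc.stdout)


if __name__ == "__main__":
    # Constructed sample credentials; the group is the one from the thread.
    print(authenticate("KIGM", "someuser", "secret", r"KIGM\PPTP"))
```

Comparing the reply with and without the require_group argument separates a group-restriction failure from a plain credential failure; a plaintext test does not cover the MSCHAPv2 challenge/response path that pppd actually uses.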
On Fri, 2015-10-30 at 09:53 -0400, Ryan Ashley wrote:
> Rowland, I tried that already, but I made two breakthroughs. First,
> I went to a location where it was working. I realized then that I had
> put in the SID for the PPTP group at that location. You know, the
> "S-1-15-xyz" number? Now while I was there, I noted that they were
> running 4.1 stable. I upgraded them to 4.3 stable. Guess what? The VPN
> broke! Something with ntlm_auth and 4.3 stable is borked. I cannot use
> the name, SID, or anything to make it work. Then I realized that the VPN
> stopped working at the other location when I upgraded from 4.2 stable
> to 4.3 stable.
>
> So, has something changed in 4.3 from 4.2 and/or 4.1? Why does using
> the SID work great in 4.1 and 4.2 but doesn't in 4.3? Can I safely
> downgrade to 4.2 stable from 4.3 stable?

At most you would need to clean out the tdbs (which, if you are just using the server for VPN authentication, shouldn't have any local info in it) and rejoin the domain.

It would be very interesting if you could reproduce on a git tree, and then do a git bisect to determine when it failed. Sadly there are no automated tests for the ntlm-server-1 protocol.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Andrew, I use git very little and would not know how to do what you ask. The good news is that the server is used only for VPN. However, it runs Samba 3.6 as a member. Our DCs are running Samba 4 and that is where the issue is. I do have two different setups though.

Client A: Single DC upgraded from 4.1-stable to 4.3-stable. The VPN server runs ON the DC due to limited resources. So Samba4 and pptpd are on the same box.

Client B: Two DCs on separate boxes running Samba4, and a third running Samba3 as a member for the VPN server. I upgraded both DCs from 4.2-stable to 4.3-stable and the VPN stopped working.

As you can see, one location has the DC and VPN server in one physical system, and the other location has both DCs and the VPN server separately. Since the VPN server is a Samba3 domain member, I am assuming there is nothing to do there. I am asking, can I roll back my actual DCs to 4.2-stable?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/31/2015 04:34 AM, Andrew Bartlett wrote:
> On Fri, 2015-10-30 at 09:53 -0400, Ryan Ashley wrote:
>> Rowland, I tried that already, but I made two breakthroughs. First,
>> I went to a location where it was working. I realized then that I had
>> put in the SID for the PPTP group at that location. You know, the
>> "S-1-15-xyz" number? Now while I was there, I noted that they were
>> running 4.1 stable. I upgraded them to 4.3 stable. Guess what? The VPN
>> broke! Something with ntlm_auth and 4.3 stable is borked. I cannot use
>> the name, SID, or anything to make it work. Then I realized that the VPN
>> stopped working at the other location when I upgraded from 4.2 stable
>> to 4.3 stable.
>>
>> So, has something changed in 4.3 from 4.2 and/or 4.1? Why does using
>> the SID work great in 4.1 and 4.2 but doesn't in 4.3? Can I safely
>> downgrade to 4.2 stable from 4.3 stable?
>
> At most you would need to clean out the tdbs (which, if you are just
> using the server for VPN authentication, shouldn't have any local info
> in it) and rejoin the domain.
>
> It would be very interesting if you could reproduce on a git tree, and
> then do a git bisect to determine when it failed. Sadly there are no
> automated tests for the ntlm-server-1 protocol.
>
> Thanks,
>
> Andrew Bartlett
>