[Samba] Re: Authenticating PPTP users against Samba/LDAP - Patch doesn't seem to be working

Alex Brown alexjrb at bellsouth.net
Mon Jan 3 15:41:26 GMT 2005


Andrew Bartlett wrote:

>On Fri, 2004-12-31 at 08:48 -0500, Alex Brown wrote:
>  
>
>>Andrew Bartlett wrote:
>>    
>>
>>>On Wed, 2004-10-20 at 00:44, Mike Brodbelt wrote:
>>>
>>>      
>>>
>>>>Hi,
>>>>
>>>>I have a few remote users who use a PPTP based VPN. The server is running
>>>>PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC
>>>>for (some) added security. Currently, users' authentication information
>>>>is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to
>>>>put users into LDAP, and have ppp authenticate either directly against
>>>>LDAP, or against Samba (with an LDAP backend). Any ideas on how I might
>>>>go about this? Most of the docs I've seen suggest that you can't use PAM
>>>>for authentication with CHAP, so it seems not to be as simple as I might
>>>>have hoped.
>>>>
>>>>Disclaimer - I haven't actually tried any of this yet, I'm just trying
>>>>to get it clear in my head before I start...
>>>>        
>>>>
>>>The pppd patch (one for 2.4.2, one for current CVS) is here:
>>>http://download.samba.org/ftp/unpacked/lorikeet/trunk/pppd
>>>
>>>The documentation is:
>>>http://hawkerc.net/staff/abartlet/comp3700/final-report.pdf
>>>
>>>Note that the patch changed a little since the report was written, use
>>>the instructions in the README for configuration.
>>>
>>>Andrew Bartlett
>>>
>>>
>>>      
>>>
>>Hi Andrew,
>>
>>Thanks for creating the "final-report" document.  It is very 
>>informative.  I'm trying to set up a PoPToP server that authenticates to 
>>our Windows NT Domain (with a Windows NT 4.0 PDC) via Samba/Winbind. 
>>When I follow the instructions in your document, after changing to the 
>>ppp directory to apply the ntlm_auth patch, I get the following output.
>>    
>>
>
>Current ppp has everything you need already - I finally got it merged
>upstream.  All you need now is the configuration (which has changed
>since the report was written):
>
>Configuration (pppd config file):
>
>plugin winbind.so
>ntlm_auth-helper "/usr/local/bin/ntlm_auth --helper-protocol=ntlm-server-1"
>
>The --required-membership-of option is also available, to implement a
>'dialin users' or 'vpn users' group.
>
>Andrew Bartlett
>
>  
>
Thanks Andrew,

I followed your instructions without applying the patch and I modified 
the /etc/ppp/options.pptpd file to include the changes in your reply. 

I'm having what I'm sure is a small problem so please forgive my ignorance.

When I try to authenticate to the poptop server with my Windows XP 
client, I see the following messages in my log...

Jan  3 08:31:37 papcom pptpd[2603]: MGR: Launching /usr/sbin/pptpctrl to 
handle client
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: local address = 192.168.0.1
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: remote address = 192.168.0.3
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: pppd options file = 
/etc/ppp/options.pptpd
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control 
connection started
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control Message 
(type: 1)
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Made a START CTRL CONN RPLY packet
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 156 bytes to the client.
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Sent packet to client
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control Message 
(type: 7)
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Set parameters to 1525 maxbps, 
64 window size
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Made a OUT CALL RPLY packet
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Starting call (launching pppd, 
opening GRE)
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: pty_fd = 5
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: tty_fd = 6
Jan  3 08:31:37 papcom pptpd[2604]: CTRL (PPPD Launcher): Connection 
speed = 115200
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 32 bytes to the client.
Jan  3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): local address 
= 192.168.0.1
Jan  3 08:31:38 papcom pptpd[2603]: CTRL: Sent packet to client
Jan  3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): remote address 
= 192.168.0.3
Jan  3 08:31:38 papcom pptpd[2603]: CTRL: Received PPTP Control Message 
(type: 15)
Jan  3 08:31:38 papcom pppd[2604]: Plugin 
/usr/local/lib/pppd/2.4.3/winbind.so loaded.
Jan  3 08:31:38 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet 
with standard ACCMs
Jan  3 08:31:38 papcom pppd[2604]: WINBIND plugin initialized.
Jan  3 08:31:38 papcom pptpd[2603]: GRE: Discarding duplicate packet
Jan  3 08:31:38 papcom pppd[2604]: pppd 2.4.3 started by root, uid 0
Jan  3 08:31:38 papcom pppd[2604]: using channel 23
Jan  3 08:31:38 papcom kernel: divert: not allocating divert_blk for 
non-ethernet device ppp0
Jan  3 08:31:38 papcom pppd[2604]: Using interface ppp0
Jan  3 08:31:38 papcom pppd[2604]: Connect: ppp0 <--> /dev/pts/2
Jan  3 08:31:38 papcom pppd[2604]: sent [LCP ConfReq id=0x1 <asyncmap 
0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
Jan  3 08:31:38 papcom pptpd[2603]: GRE: Bad checksum from pppd.
Jan  3 08:31:38 papcom pppd[2604]: rcvd [LCP ConfAck id=0x1 <asyncmap 
0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x1 <mru 1400> 
<magic 0x7b6b79b5> <pcomp> <accomp> <callback CBCP>]
Jan  3 08:31:40 papcom pppd[2604]: sent [LCP ConfRej id=0x1 <callback CBCP>]
Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x2 <mru 1400> 
<magic 0x7b6b79b5> <pcomp> <accomp>]
Jan  3 08:31:40 papcom pppd[2604]: sent [LCP ConfAck id=0x2 <mru 1400> 
<magic 0x7b6b79b5> <pcomp> <accomp>]
Jan  3 08:31:40 papcom pppd[2604]: sent [LCP EchoReq id=0x0 
magic=0x57d0a938]
Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Challenge id=0xb4 
<5d8f7b72df4bb4a4003ddc0a3d7a4644>, name = "papcom"]
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control Message 
(type: 15)
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Ignored a SET LINK INFO packet 
with real ACCMs!
Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x3 
magic=0x7b6b79b5 "MSRASV5.10"]
Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x4 
magic=0x7b6b79b5 "MSRAS-1-INFG450ROG-1234"]
Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP EchoRep id=0x0 
magic=0x7b6b79b5]
Jan  3 08:31:40 papcom pppd[2604]: rcvd [CHAP Response id=0xb4 
<ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>, 
name = "PAP\\abrown"]
Jan  3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP 
authentication
Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 
C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
Jan  3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2 
"Authentication failed"]
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control Message 
(type: 15)
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet 
with standard ACCMs
Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP TermAck id=0x2 
"Authentication failed"]
Jan  3 08:31:40 papcom pppd[2604]: Connection terminated.
Jan  3 08:31:40 papcom kernel: divert: no divert_blk to free, ppp0 not 
ethernet
Jan  3 08:31:40 papcom pppd[2604]: Exit.
Jan  3 08:31:40 papcom pptpd[2603]: GRE: 
read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = 
Input/output error
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: PTY read or GRE write failed 
(pty,gre)=(5,6)
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Closing child BCrelay with pid 0
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Closing child ppp with pid 2604
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control 
connection finished
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Exiting now
Jan  3 08:31:40 papcom pptpd[2564]: MGR: Reaped child 2603

I know this section of the log...

<ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>, 
name = "PAP\\abrown"]
Jan  3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP 
authentication
Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 
C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
Jan  3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2 
"Authentication failed"]

is the cause of the problem but I don't know how to fix it.
It appears that the pppd is expecting something to be in the 
chap-secrets file.  I don't have anything in it.  Should I have 
something in it that will cause it to talk to the Windows PDC for 
authentication?

Here is a copy of my /etc/ppp/options.pptpd file.

## CHANGE TO SUIT YOUR SYSTEM
lock
debug
name papcom
noauth
#proxyarp
nobsdcomp
#chapms-strip-domain
lcp-echo-failure 30
lcp-echo-interval 5
ipcp-accept-local
ipcp-accept-remote
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-wins 10.1.100.13
ms-dns 10.1.100.127
plugin /usr/local/lib/pppd/2.4.3/winbind.so
ntlm_auth-helper "/usr/local/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Thanks again for any help you can give.  I'm learning a lot.  I hope to 
be like you when I grow up!

Alex

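As an added example (not from the thread or from Samba/pppd), here is a small triage script for the kind of pppd syslog excerpt posted above: it checks that the winbind plugin loaded, which CHAP variant was offered, which peer name failed, and decodes the E= code of the MS-CHAPv2 Failure packet (codes per RFC 2759, section 6). The sample lines are a constructed subset of the log in the post.

```python
import re

# Error codes carried in an MS-CHAPv2 Failure packet (RFC 2759, section 6).
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure",
    709: "error changing password",
}

# Constructed sample: a subset of the pppd lines from the post above.
SAMPLE_LOG = r"""
Jan  3 08:31:38 papcom pppd[2604]: Plugin /usr/local/lib/pppd/2.4.3/winbind.so loaded.
Jan  3 08:31:38 papcom pppd[2604]: WINBIND plugin initialized.
Jan  3 08:31:38 papcom pppd[2604]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Challenge id=0xb4 <5d8f7b72df4bb4a4003ddc0a3d7a4644>, name = "papcom"]
Jan  3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP authentication
Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
"""

FAILURE_RE = re.compile(r'CHAP Failure id=0x[0-9a-f]+ "E=(\d+) R=(\d) C=([0-9a-f]+) V=\d+ M=(.*?)"')
CHALLENGE_RE = re.compile(r"CHAP Challenge id=0x[0-9a-f]+ <([0-9a-f]+)>")
PEER_RE = re.compile(r"Peer (\S+) failed CHAP authentication")


def triage(log_text):
    """Summarise one pppd MS-CHAPv2 authentication attempt from syslog text."""
    report = {"plugin_loaded": False, "auth_offered": None, "domain": None,
              "user": None, "error_code": None, "error_text": None,
              "retry_allowed": None, "challenge_matches": None}
    challenge = None
    for line in log_text.splitlines():
        if "winbind.so loaded" in line:
            report["plugin_loaded"] = True
        elif "sent [LCP ConfReq" in line and "<auth chap MS-v2>" in line:
            report["auth_offered"] = "MS-CHAPv2"
        elif m := CHALLENGE_RE.search(line):
            challenge = m.group(1)
        elif m := PEER_RE.search(line):
            # syslog doubles the backslash: PAP\\abrown is really PAP\abrown
            name = m.group(1).replace("\\\\", "\\")
            report["domain"], _, report["user"] = name.rpartition("\\")
        elif m := FAILURE_RE.search(line):
            code = int(m.group(1))
            report["error_code"] = code
            report["error_text"] = MSCHAP_ERRORS.get(code, "unknown code")
            report["retry_allowed"] = m.group(2) == "1"
            # C= must echo the challenge we sent, otherwise the failure is not for this attempt
            report["challenge_matches"] = m.group(3) == challenge
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:18} {value}")
```

Run it against a real /var/log/messages excerpt to confirm the plugin really loaded and to see which domain\user the client presented before looking at the backend.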
