[Samba] winbind and pptpd authentication failure

Andrew Bartlett abartlet at samba.org
Thu Sep 9 05:57:35 MDT 2010


On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> Hi all
> 
> I'm not sure whether to go to the ppp lists for this, or the samba 
> lists. I thought I'd try here first.
> 
> I have a linux firewall using winbind to authenticate users coming in 
> with PPTP. It all seemed to work OK at first. After a while I noticed 
> that authentication was denied to users who had previously (as in less 
> than a day) authenticated successfully. After a day or so of fighting 
> with this setup, I found that restarting winbindd will allow users to 
> authenticate successfully again. This happens with both the built-in 
> windows PPTP VPN client, and pppd as a client under linux.
> 
> What happens is:
> 
> - restart winbind
> - authenticate a user
> - close pptp connection
> - a few minutes (seems like around 10) after a first (or several) 
> successful authentication, I get the following ppp trace on the client side:
> 
> rcvd [CHAP Challenge id=0x8b <8b7f80d136cce1a774e888a0d4e83bbc>, name = 
> "pptpd"]
> sent [CHAP Response id=0x8b 
> <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>, 
> name = "xxxxx"]
> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF 
> M=Access granted"]
> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> F8673CADD4286B742EF0C39036393650701D0A60
> MS-CHAPv2 mutual authentication failed.
> CHAP authentication failed
> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
> 
> In other words, the ntlm-auth helper and AD server says OK, but the 
> hashes aren't equal, which causes ppp to say "mutual authentication 
> failed". I hacked the ppp sources (chap_ms.c) gently to output the two 
> hashes.

> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345] 
> (tried all of them) on a x86_64 gentoo box.

Try with the latest GIT tree.  We finally fixed a bug which caused this
kind of breakage.  (We returned the wrong session key, which is why the
server thinks this is OK, but the client isn't impressed). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
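For readers of this thread, here is an added illustration (not code from the thread, pppd or Samba) of the check that produced "MS-CHAPv2 mutual authentication failed" above: the RFC 2759 authenticator-response computation that the server (via ntlm_auth/winbind) performs and that pppd repeats locally on "CHAP Success". It uses the RFC 2759 section 9.2 test vector; the NT-Response and the password-hash-hash (the MD4/DES steps) are taken as inputs rather than computed, and the "wrong key material" case is a constructed stand-in for the server-side bug described in the reply.

```python
import hashlib
import hmac

# Constants from RFC 2759 section 8.7, GenerateAuthenticatorResponse().
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

# RFC 2759 section 9.2 test vector (username "User", password "clientPass").
USERNAME = b"User"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
# MD4(MD4(UTF-16LE password)); the MD4 steps are not shown, the vector supplies it.
PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(peer || authenticator || user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> str:
    """The 'S=...' string the server puts in CHAP Success (RFC 2759 section 8.7)."""
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    return "S=" + hashlib.sha1(digest + challenge + MAGIC2).hexdigest().upper()


def client_accepts(success_message: str, password_hash_hash: bytes, nt_response: bytes,
                   peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bool:
    """Client side of mutual auth: recompute S= from our own secret and compare."""
    received = success_message.split()[0]  # "S=<40 hex>" precedes " M=Access granted"
    expected = authenticator_response(password_hash_hash, nt_response,
                                      peer_challenge, auth_challenge, username)
    return hmac.compare_digest(expected, received)


def demo() -> tuple:
    """Returns (accepted with correct server key, accepted with wrong server key)."""
    args = (NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    good = authenticator_response(PASSWORD_HASH_HASH, *args) + " M=Access granted"
    # Constructed: server computing S= from wrong key material; the client still
    # holds the real secret, so the comparison fails even though the server said OK.
    wrong_key = bytes(b ^ 0xFF for b in PASSWORD_HASH_HASH)
    bad = authenticator_response(wrong_key, *args) + " M=Access granted"
    return (client_accepts(good, PASSWORD_HASH_HASH, *args),
            client_accepts(bad, PASSWORD_HASH_HASH, *args))
```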