[Samba] NTLM_AUTH failing?
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Oct 27 21:21:36 UTC 2015
On 27/10/15 21:05, Ryan Ashley wrote:
> I am not sure how to determine the separator,
The separator is easy to establish, do you have a line in smb.conf that
starts 'winbind separator =" , if you do, then whatever is after the '='
is the separator, if you haven't got the line, then you are using the
default '\'
Rowland
> but 'which' shows
> "/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
> broken, I cannot remote in. I will have to show up on-site again,
> possibly Thursday.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 10/27/2015 01:41 PM, Michael Wandel wrote:
>> Hey,
>>
>> On 27.10.2015 17:53, Ryan Ashley wrote:
>>> I'm setting up a PPTP VPN server on a client domain and am having an odd
>>> issue. If I run ntlm_auth on the command-line, it works as expected.
>>> However, if I run it with my PPTP server, it denies access to every
>>> user. MY setup is that I have a few AD users in an AD group named
>>> "PPTP". I have the following in my pptp-options file. The server is
>>> Debian Squeeze 64bit.
>>>
>>> name vpn01
>>> domain kigm.local
>>> refuse-pap
>>> refuse-chap
>>> refuse-mschap
>>> require-mschap-v2
>>> require-mppe-128
>>> ms-dns 192.168.0.1
>>> ms-dns 192.168.0.2
>>> proxyarp
>>> nodefaultroute
>>> lock
>>> nobsdcomp
>>> plugin winbind.so
>>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>> --require-membership-of=KIGM+PPTP"
>>>
>>> This domain is scheduled to be rebuilt next year to get rid of any
>>> ".local" issues. It also means we upgrade to Gentoo DNU/Linux (no
>>> systemd, unlike the latest Debian) and will have much newer software.
>>> However, we have new needs now which require remote access for three people.
>>>
>>> If I remove the helper protocol option I get an actual "Access denied"
>>> message in my client log. If I leave it in there, it times out and I get
>>> an error about LCP negotiation timing out. If I use the helper option on
>>> the command-line, it hangs. If not, it works perfectly.
>>>
>>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain username>
>>>
>> Which winbind seperator you are using "\" or "+" ?
>>
>> What is the output of :
>>
>> which ntlm_auth
>>
>> best regards
>>
>> Michael
>>
>>> The above works. Users in the PPTP group return 0 (success) and others
>>> return an error. Why won't it work with pptpd? Note that the VPN server is
>>> separate from the domain controllers. All of the domain accounts and groups
>>> resolve on the VPN server.
>>>
>
More information about the samba
mailing list