[Samba] Re: Authenticating PPTP users against Samba/LDAP - Patch doesn't seem to be working

Robert Schetterer robert at schetterer.org
Mon Jan 3 17:38:16 GMT 2005


Hi Alex,
write this (check "your" paths to the files)
plugin winbind.so
ntlm_auth-helper "/usr/sbin/ntlm_auth --helper-protocol=localhost"
in your /etc/ppp/options
also check your winbind config, and your IPs in pptpd.conf (they look
a little strange to me)
I recommend testing pptpd first with an entry in /etc/ppp/chap-secrets,
which is the default auth (chap) for pptpd; if this works,
try the winbind plugin.
In my tests I got the plugin started and the right pop-up message in my
Win XP client; also in the logs everything seems to work right, but
I haven't set up samba/winbind yet to test the function as a whole.
I will post the results if I have it up and running.
Regards


Alex Brown schrieb:

> Andrew Bartlett wrote:
>
>> On Fri, 2004-12-31 at 08:48 -0500, Alex Brown wrote:
>>
>>> Andrew Bartlett wrote:
>>>
>>>> On Wed, 2004-10-20 at 00:44, Mike Brodbelt wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a few remote users who use a PPTP based VPN. The server is running
>>>>> PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC
>>>>> for (some) added security. Currently, users' authentication information
>>>>> is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to
>>>>> put users into LDAP, and have ppp authenticate either directly against
>>>>> LDAP, or against Samba (with an LDAP backend). Any ideas on how I might
>>>>> go about this? Most of the docs I've seen suggest that you can't use PAM
>>>>> for authentication with CHAP, so it seems not to be as simple as I might
>>>>> have hoped.
>>>>>
>>>>> Disclaimer - I haven't actually tried any of this yet, I'm just trying
>>>>> to get it clear in my head before I start...
>>>>
>>>> The pppd patch (one for 2.4.2, one for current CVS) is here:
>>>> http://download.samba.org/ftp/unpacked/lorikeet/trunk/pppd
>>>>
>>>> The documentation is:
>>>> http://hawkerc.net/staff/abartlet/comp3700/final-report.pdf
>>>>
>>>> Note that the patch changed a little since the report was written, use
>>>> the instructions in the README for configuration.
>>>>
>>>> Andrew Bartlett
>>>>
>>>
>>> Hi Andrew,
>>>
>>> Thanks for creating the "final-report" document. It is very informative.
>>> I'm trying to set up a PoPToP server that authenticates to our Windows NT
>>> Domain (with a Windows NT 4.0 PDC) via Samba/Winbind. When I follow the
>>> instructions in your document, after changing to the ppp directory to
>>> apply the ntlm_auth patch, I get the following output.
>>>
>>
>> Current ppp has everything you need already - I finally got it merged
>> upstream.  All you need now is the configuration (which has changed
>> since the report was written):
>>
>> Configuration (pppd config file):
>>
>> plugin winbind.so
>> ntlm_auth-helper "/usr/local/bin/ntlm_auth --helper-protocol=ntlm-server-1"
>>
>> The --required-membership-of option is also available, to implement a
>> 'dialin users' or 'vpn users' group.
>>
>> Andrew Bartlett
>>
> Thanks Andrew,
>
> I followed your instructions without applying the patch and I modified
> the /etc/ppp/options.pptpd file to include the changes in your reply.
> I'm having what I'm sure is a small problem so please forgive my ignorance.
>
> When I try to authenticate to the poptop server with my Windows XP 
> client, I see the following messages in my log...
>
> Jan  3 08:31:37 papcom pptpd[2603]: MGR: Launching /usr/sbin/pptpctrl to handle client
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: local address = 192.168.0.1
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: remote address = 192.168.0.3
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: pppd options file = /etc/ppp/options.pptpd
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control connection started
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 1)
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Made a START CTRL CONN RPLY packet
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 156 bytes to the client.
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Sent packet to client
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 7)
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Set parameters to 1525 maxbps, 64 window size
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Made a OUT CALL RPLY packet
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Starting call (launching pppd, opening GRE)
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: pty_fd = 5
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: tty_fd = 6
> Jan  3 08:31:37 papcom pptpd[2604]: CTRL (PPPD Launcher): Connection speed = 115200
> Jan  3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 32 bytes to the client.
> Jan  3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): local address = 192.168.0.1
> Jan  3 08:31:38 papcom pptpd[2603]: CTRL: Sent packet to client
> Jan  3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): remote address = 192.168.0.3
> Jan  3 08:31:38 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 15)
> Jan  3 08:31:38 papcom pppd[2604]: Plugin /usr/local/lib/pppd/2.4.3/winbind.so loaded.
> Jan  3 08:31:38 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet with standard ACCMs
> Jan  3 08:31:38 papcom pppd[2604]: WINBIND plugin initialized.
> Jan  3 08:31:38 papcom pptpd[2603]: GRE: Discarding duplicate packet
> Jan  3 08:31:38 papcom pppd[2604]: pppd 2.4.3 started by root, uid 0
> Jan  3 08:31:38 papcom pppd[2604]: using channel 23
> Jan  3 08:31:38 papcom kernel: divert: not allocating divert_blk for non-ethernet device ppp0
> Jan  3 08:31:38 papcom pppd[2604]: Using interface ppp0
> Jan  3 08:31:38 papcom pppd[2604]: Connect: ppp0 <--> /dev/pts/2
> Jan  3 08:31:38 papcom pppd[2604]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
> Jan  3 08:31:38 papcom pptpd[2603]: GRE: Bad checksum from pppd.
> Jan  3 08:31:38 papcom pppd[2604]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
> Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x7b6b79b5> <pcomp> <accomp> <callback CBCP>]
> Jan  3 08:31:40 papcom pppd[2604]: sent [LCP ConfRej id=0x1 <callback CBCP>]
> Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x7b6b79b5> <pcomp> <accomp>]
> Jan  3 08:31:40 papcom pppd[2604]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x7b6b79b5> <pcomp> <accomp>]
> Jan  3 08:31:40 papcom pppd[2604]: sent [LCP EchoReq id=0x0 magic=0x57d0a938]
> Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Challenge id=0xb4 <5d8f7b72df4bb4a4003ddc0a3d7a4644>, name = "papcom"]
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 15)
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x3 magic=0x7b6b79b5 "MSRASV5.10"]
> Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x4 magic=0x7b6b79b5 "MSRAS-1-INFG450ROG-1234"]
> Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP EchoRep id=0x0 magic=0x7b6b79b5]
> Jan  3 08:31:40 papcom pppd[2604]: rcvd [CHAP Response id=0xb4 <ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>, name = "PAP\\abrown"]
> Jan  3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP authentication
> Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
> Jan  3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2 "Authentication failed"]
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 15)
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet with standard ACCMs
> Jan  3 08:31:40 papcom pppd[2604]: rcvd [LCP TermAck id=0x2 "Authentication failed"]
> Jan  3 08:31:40 papcom pppd[2604]: Connection terminated.
> Jan  3 08:31:40 papcom kernel: divert: no divert_blk to free, ppp0 not ethernet
> Jan  3 08:31:40 papcom pppd[2604]: Exit.
> Jan  3 08:31:40 papcom pptpd[2603]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Closing child BCrelay with pid 0
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Closing child ppp with pid 2604
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control connection finished
> Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Exiting now
> Jan  3 08:31:40 papcom pptpd[2564]: MGR: Reaped child 2603
>
> I know this section of the log...
>
> <ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>, name = "PAP\\abrown"]
> Jan  3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP authentication
> Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
> Jan  3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2 "Authentication failed"]
>
> is the cause of the problem but I don't know how to fix it.
> It appears that the pppd is expecting something to be in the chap-secrets
> file. I don't have anything in it. Should I have something in it that
> will cause it to talk to the Windows PDC for authentication?
>
> Here is a copy of my /etc/ppp/options.pptpd file.
>
> ## CHANGE TO SUIT YOUR SYSTEM
> lock
> debug
> name papcom
> noauth
> #proxyarp
> nobsdcomp
> #chapms-strip-domain
> lcp-echo-failure 30
> lcp-echo-interval 5
> ipcp-accept-local
> ipcp-accept-remote
> refuse-pap
> refuse-chap
> refuse-mschap
> require-mschap-v2
> require-mppe-128
> ms-wins 10.1.100.13
> ms-dns 10.1.100.127
> plugin /usr/local/lib/pppd/2.4.3/winbind.so
> ntlm_auth-helper "/usr/local/bin/ntlm_auth --helper-protocol=ntlm-server-1"
>
> Thanks again for any help you can give. I'm learning a lot. I hope to be
> like you when I grow up!
>
> Alex
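An added example, not part of the thread: detection logic over pptpd/pppd syslog lines of the kind Alex quoted, which ties each "failed CHAP authentication" to the client IP from the pptpd control connection and decodes the MS-CHAPv2 E= code from the CHAP Failure packet. The sample log is constructed from the excerpt above (the second session and its IP are made up); the code meanings are the ones defined in RFC 2759.

```python
import re

# Constructed sample log, modelled on the pptpd/pppd syslog excerpt quoted in the thread.
# Session 1 is the E=691 failure from the thread; session 2 is a made-up E=649 failure.
SAMPLE_LOG = r"""
Jan  3 08:31:37 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control connection started
Jan  3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP authentication
Jan  3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
Jan  3 08:31:40 papcom pptpd[2603]: CTRL: Closing child ppp with pid 2604
Jan  3 08:35:02 papcom pptpd[2700]: CTRL: Client 198.51.100.7 control connection started
Jan  3 08:35:05 papcom pppd[2701]: Peer PAP\\jdoe failed CHAP authentication
Jan  3 08:35:05 papcom pppd[2701]: sent [CHAP Failure id=0x1c "E=649 R=0 C=00112233445566778899aabbccddeeff V=0 M=Access denied"]
Jan  3 08:35:05 papcom pptpd[2700]: CTRL: Closing child ppp with pid 2701
"""

# MS-CHAPv2 failure codes (RFC 2759, section 6); pppd puts them in the Failure packet as E=<code>.
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure (wrong password, or the backend rejected the user)",
    709: "error changing password",
}

RE_CLIENT = re.compile(r"pptpd\[(\d+)\]: CTRL: Client (\S+) control connection started")
RE_CHILD = re.compile(r"pptpd\[(\d+)\]: CTRL: Closing child ppp with pid (\d+)")
RE_FAIL = re.compile(r"pppd\[(\d+)\]: Peer (\S+) failed CHAP authentication")
RE_CODE = re.compile(r'pppd\[(\d+)\]: sent \[CHAP Failure id=0x[0-9a-f]+ "E=(\d+)')

def summarize_chap_failures(log_text):
    """Return (client_ip, peer_name, error_code, meaning) for every failed CHAP authentication.
    pptpd only reveals the control-pid -> pppd-pid link in its "Closing child ppp" line,
    which comes after the failure, so all lines are collected first and joined at the end."""
    client_of_ctrl, ctrl_of_pppd, peer_of_pppd, code_of_pppd = {}, {}, {}, {}
    for line in log_text.splitlines():
        if m := RE_CLIENT.search(line):
            client_of_ctrl[m.group(1)] = m.group(2)      # control pid -> client IP
        elif m := RE_CHILD.search(line):
            ctrl_of_pppd[m.group(2)] = m.group(1)        # pppd pid -> control pid
        elif m := RE_FAIL.search(line):
            peer_of_pppd[m.group(1)] = m.group(2)        # pppd pid -> rejected peer name
        elif m := RE_CODE.search(line):
            code_of_pppd[m.group(1)] = int(m.group(2))   # pppd pid -> MS-CHAPv2 E= code
    summary = []
    for pid, peer in peer_of_pppd.items():
        code = code_of_pppd.get(pid)
        ip = client_of_ctrl.get(ctrl_of_pppd.get(pid), "unknown")
        summary.append((ip, peer, code, MSCHAP_ERRORS.get(code, "unknown code")))
    return summary
```

Run against a real /var/log/messages this gives one line per rejected VPN logon with the source address, which is what you want to watch for repeated E=691 from a single client.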


