[Samba] Re: Authenticating PPTP users against Samba/LDAP - Patch
doesn't seem to be working
Robert Schetterer
robert at schetterer.org
Mon Jan 3 17:38:16 GMT 2005
Hi Alex,
write this ( check "your" paths to the files )
plugin winbind.so
ntlm_auth-helper "/usr/sbin/ntlm_auth --helper-protocol=localhost"
in your /etc/ppp/options
also check your winbind config , and your ips in pptpd.conf (they look
a little strange to me )
i recommend to test pptpd first with a entry to /etc/ppp/chap.secrets
which is the default auth ( chap ) for pptpd , if this works
try winbind plugin.
At my tests i got the plugin started and the right pop up message in my
win xp client, also in the logs everything seems to work right ,but
i havent setup samba/winbind yet to test the funktion in a whole.
I will post the results if i have it up and running
Regards
Alex Brown schrieb:
> Andrew Bartlett wrote:
>
>> On Fri, 2004-12-31 at 08:48 -0500, Alex Brown wrote:
>>
>>
>>> Andrew Bartlett wrote:
>>>
>>>
>>>> On Wed, 2004-10-20 at 00:44, Mike Brodbelt wrote:
>>>>
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a few remote user who use a PPTP based VPN. The server is
>>>>> running
>>>>> PoPToP (http://www.poptop.org/), and a pppd patched to support
>>>>> MPPE/MPPC
>>>>> for (some) added security. Currently, users authentication
>>>>> information
>>>>> is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be
>>>>> able to
>>>>> put users into LDAP, and have ppp authenticate either directly
>>>>> against
>>>>> LDAP, or against Samba (with an LDAP backend). Any ideas on how I
>>>>> might
>>>>> go about this? Most of the docs I've seen suggest that you can't
>>>>> use PAM
>>>>> for authentication with CHAP, so it seems not to be as simple as I
>>>>> might
>>>>> have hoped.
>>>>>
>>>>> Disclaimer - I haven't actually tried any of this yet, I'm just
>>>>> trying
>>>>> to get it clear in my head before I start...
>>>>>
>>>>
>>>> The pppd patch (one for 2.4.2, one for current CVS) is here:
>>>> http://download.samba.org/ftp/unpacked/lorikeet/trunk/pppd
>>>>
>>>> The documentation is:
>>>> http://hawkerc.net/staff/abartlet/comp3700/final-report.pdf
>>>>
>>>> Note that the patch changed a little since the report was written, use
>>>> the instructions in the README for configuration.
>>>>
>>>> Andrew Bartlett
>>>>
>>>>
>>>>
>>>
>>> Hi Andrew,
>>>
>>> Thanks for creating the "final-report" document. It is very
>>> informative. I'm trying to set up a PoPToP server that
>>> authenticates to our Windows NT Domain (with a Windows NT 4.0 PDC)
>>> via Samba/Winbind. When I follow the instructions in your document,
>>> after changing to the ppp directory to apply the ntlm_auth patch, I
>>> get the following output.
>>>
>>
>>
>> Current ppp has everything you need already - I finally got it merged
>> upstream. All you need now is the configuration (which has changed
>> since the report was written):
>>
>> Configuration (pppd config file):
>>
>> plugin winbind.so
>> ntlm_auth-helper "/usr/local/bin/ntlm_auth --helper-protocol=ntlm-
>> server-1"
>>
>> The --required-membership-of option is also available, to implement a
>> 'dialin users' or 'vpn users' group.
>>
>> Andrew Bartlett
>>
>>
>>
> Thanks Andrew,
>
> I followed your instructions without applying the patch and I modified
> the /etc/ppp/options.pptpd file to include the changes in your reply.
> I'm having what I'm sure is a small problem so please forgive my
> ignorance.
>
> When I try to authenticate to the poptop server with my Windows XP
> client, I see the following messages in my log...
>
> Jan 3 08:31:37 papcom pptpd[2603]: MGR: Launching /usr/sbin/pptpctrl
> to handle client
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: local address = 192.168.0.1
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: remote address = 192.168.0.3
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: pppd options file =
> /etc/ppp/options.pptpd
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control
> connection started
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control
> Message (type: 1)
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Made a START CTRL CONN RPLY
> packet
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 156 bytes to the
> client.
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Sent packet to client
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control
> Message (type: 7)
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Set parameters to 1525
> maxbps, 64 window size
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Made a OUT CALL RPLY packet
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Starting call (launching
> pppd, opening GRE)
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: pty_fd = 5
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: tty_fd = 6
> Jan 3 08:31:37 papcom pptpd[2604]: CTRL (PPPD Launcher): Connection
> speed = 115200
> Jan 3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 32 bytes to the client.
> Jan 3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): local
> address = 192.168.0.1
> Jan 3 08:31:38 papcom pptpd[2603]: CTRL: Sent packet to client
> Jan 3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): remote
> address = 192.168.0.3
> Jan 3 08:31:38 papcom pptpd[2603]: CTRL: Received PPTP Control
> Message (type: 15)
> Jan 3 08:31:38 papcom pppd[2604]: Plugin
> /usr/local/lib/pppd/2.4.3/winbind.so loaded.
> Jan 3 08:31:38 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet
> with standard ACCMs
> Jan 3 08:31:38 papcom pppd[2604]: WINBIND plugin initialized.
> Jan 3 08:31:38 papcom pptpd[2603]: GRE: Discarding duplicate packet
> Jan 3 08:31:38 papcom pppd[2604]: pppd 2.4.3 started by root, uid 0
> Jan 3 08:31:38 papcom pppd[2604]: using channel 23
> Jan 3 08:31:38 papcom kernel: divert: not allocating divert_blk for
> non-ethernet device ppp0
> Jan 3 08:31:38 papcom pppd[2604]: Using interface ppp0
> Jan 3 08:31:38 papcom pppd[2604]: Connect: ppp0 <--> /dev/pts/2
> Jan 3 08:31:38 papcom pppd[2604]: sent [LCP ConfReq id=0x1 <asyncmap
> 0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
> Jan 3 08:31:38 papcom pptpd[2603]: GRE: Bad checksum from pppd.
> Jan 3 08:31:38 papcom pppd[2604]: rcvd [LCP ConfAck id=0x1 <asyncmap
> 0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
> Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x1 <mru 1400>
> <magic 0x7b6b79b5> <pcomp> <accomp> <callback CBCP>]
> Jan 3 08:31:40 papcom pppd[2604]: sent [LCP ConfRej id=0x1 <callback
> CBCP>]
> Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x2 <mru 1400>
> <magic 0x7b6b79b5> <pcomp> <accomp>]
> Jan 3 08:31:40 papcom pppd[2604]: sent [LCP ConfAck id=0x2 <mru 1400>
> <magic 0x7b6b79b5> <pcomp> <accomp>]
> Jan 3 08:31:40 papcom pppd[2604]: sent [LCP EchoReq id=0x0
> magic=0x57d0a938]
> Jan 3 08:31:40 papcom pppd[2604]: sent [CHAP Challenge id=0xb4
> <5d8f7b72df4bb4a4003ddc0a3d7a4644>, name = "papcom"]
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control
> Message (type: 15)
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Ignored a SET LINK INFO
> packet with real ACCMs!
> Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x3
> magic=0x7b6b79b5 "MSRASV5.10"]
> Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x4
> magic=0x7b6b79b5 "MSRAS-1-INFG450ROG-1234"]
> Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP EchoRep id=0x0
> magic=0x7b6b79b5]
> Jan 3 08:31:40 papcom pppd[2604]: rcvd [CHAP Response id=0xb4
> <ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>,
> name = "PAP\\abrown"]
> Jan 3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP
> authentication
> Jan 3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691
> R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
> Jan 3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2
> "Authentication failed"]
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control
> Message (type: 15)
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet
> with standard ACCMs
> Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP TermAck id=0x2
> "Authentication failed"]
> Jan 3 08:31:40 papcom pppd[2604]: Connection terminated.
> Jan 3 08:31:40 papcom kernel: divert: no divert_blk to free, ppp0 not
> ethernet
> Jan 3 08:31:40 papcom pppd[2604]: Exit.
> Jan 3 08:31:40 papcom pptpd[2603]: GRE:
> read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error
> = Input/output error
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: PTY read or GRE write failed
> (pty,gre)=(5,6)
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Closing child BCrelay with
> pid 0
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Closing child ppp with pid 2604
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control
> connection finished
> Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Exiting now
> Jan 3 08:31:40 papcom pptpd[2564]: MGR: Reaped child 2603
>
> I know this section of the log . .
>
> <ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>,
> name = "PAP\\abrown"]
> Jan 3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP
> authentication
> Jan 3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691
> R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
> Jan 3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2
> "Authentication failed"]
>
> is the cause of the problem but I don't know how to fix it.
> It appears that the pppd is expecting something to be in the
> chap-secrets file. I don't have anything in it. Should I have
> something in it that will cause it to talk to the Windows PDC for
> authentication?
>
> Here is a copy of my /etc/ppp/options.pptpd file.
>
> ## CHANGE TO SUIT YOUR SYSTEM
> lock
> debug
> name papcom
> noauth
> #proxyarp
> nobsdcomp
> #chapms-strip-domain
> lcp-echo-failure 30
> lcp-echo-interval 5
> ipcp-accept-local
> ipcp-accept-remote
> refuse-pap
> refuse-chap
> refuse-mschap
> require-mschap-v2
> require-mppe-128
> ms-wins 10.1.100.13
> ms-dns 10.1.100.127
> plugin /usr/local/lib/pppd/2.4.3/winbind.so
> ntlm_auth-helper "/usr/local/bin/ntlm_auth
> --helper-protocol=ntlm-server-1"
>
> Thanks again for any help you can give. I'm learning a lot. I hope
> to be like you when I grow up!
>
> Alex
More information about the samba
mailing list