[Samba] samba 3.2 breaks ppp winbind plugin

Pim Zandbergen P.Zandbergen at macroscoop.nl
Wed Jul 30 16:55:15 GMT 2008

Andrew Bartlett wrote:
> On Tue, 2008-07-29 at 18:13 +0200, Pim Zandbergen wrote:
>> We have a system running fedora 8 using pptpd from the poptop yum 
>> repository.
>> See http://www.poptop.org/
>> pptpd/pppd use the winbind plugin from the ppp package to authenticate 
>> to Active Directory.
>> This works just fine. 
>> Then I found the same setup would not work on a fedora 9 setup.
> So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba
> 3.2 PDC from Fedora 9?
No, this is Samba 3.2 (Fedora 9) failing to work with a Windows 2003 
Server PDC,
where Samba 3.0 (Fedora 8) works fine.
>> What's happening when things don't work is that the XP client
>> comes with this error, after a successful authentication:
>> "Error 778: It was not possible to verify the identity of the server"
>> Wireshark shows that the XP client is terminating the connection
>> immediately after a successful CHAP handshake.
> This almost certainly means the session key returned from the PDC to the
> member server (where winbind and radius are) and calculated into the
> MSCHAPv2 response is incorrect/missing/etc.
> Look for it being missing first - check with strace/gdb/etc in pppd to
> see what broke about the interaction with ntlm_auth.   

I ran ntlm_auth by hand on both systems in manual mode. Both work fine.
But pppd calls ntlm_auth using a special protocol, made for pppd.
I will probably have to capture this interaction and see the differences.

It would help if I would understand what else is in the MSCHAPv2 response
other than "the authentication was successful", because it always is, and
why the Windows client still is not satisfied.


More information about the samba mailing list