[Samba] winbind and pptpd authentication failure
John Anderson
ardour at semiosix.com
Tue Sep 7 10:03:20 MDT 2010
Hi all
I'm not sure whether to go to the ppp lists for this, or the samba
lists. I thought I'd try here first.
I have a linux firewall using winbind to authenticate users coming in
with PPTP. It all seemed to work OK at first. After a while I noticed
that authentication was denied to users who had previously (as in less
than a day) authenticated successfully. After a day or so of fighting
with this setup, I found that restarting winbindd will allow users to
authenticate successfully again. This happens with both the built-in
windows PPTP VPN client, and pppd as a client under linux.
What happens is:
- restart winbind
- authenticate a user
- close pptp connection
- a few minutes (seems like around 10) after a first (or several)
successful authentication, I get the following ppp trace on the client side:
rcvd [CHAP Challenge id=0x8b <8b7f80d136cce1a774e888a0d4e83bbc>, name =
"pptpd"]
sent [CHAP Response id=0x8b
<95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
name = "xxxxx"]
rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
M=Access granted"]
5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
F8673CADD4286B742EF0C39036393650701D0A60
MS-CHAPv2 mutual authentication failed.
CHAP authentication failed
sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
In other words, the ntlm_auth helper and the AD server say OK, but the
hashes aren't equal, which causes ppp to say "mutual authentication
failed". I hacked the ppp sources (chap_ms.c) gently to output the two
hashes.
Immediately after the pppd authentication failure, wbinfo -a is
successful with the same username. I also tried
ntlm_auth --username xxxx
which comes back with
NT_STATUS_OK: Success (0x0)
but
ntlm_auth --username xxxxx --diagnostics
comes back with (after a bunch of logging info that I won't post yet)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
I don't know if that's expected.
Any help diagnosing this much appreciated. I've tried starting winbind
with the -n switch, and setting winbind cache time = 10 in smb.conf.
Neither changes the behaviour I've described.
PPTP access works perfectly if I use an identical setup except that I
store the usernames and passwords in chap-secrets rather than using winbind.
I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
(tried all of them) on an x86_64 gentoo box.
thanks
John
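The check that fails in the trace above is the client side of MS-CHAPv2 mutual authentication: the peer computes the authenticator response it expects (RFC 2759, GenerateAuthenticatorResponse) and compares it with the "S=" value carried in the CHAP Success packet. The following is an added example, not code from the post or from pppd; it takes PasswordHashHash and NT-Response as given inputs (the RFC 2759 section 9.2 test-vector values), because producing them needs MD4 and DES, which the Python standard library does not ship.

```python
import hashlib
import hmac

# Signing constants from RFC 2759 section 8.7 (GenerateAuthenticatorResponse).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 section 8.2: the 8-byte challenge both sides derive from the nonces and user name."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def generate_authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                                    peer_challenge: bytes, auth_challenge: bytes,
                                    username: bytes) -> str:
    """RFC 2759 section 8.7: the 'S=' string the server must send back and the client recomputes."""
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def check_authenticator_response(expected: str, success_message: str) -> bool:
    """Client-side mutual-auth check on a CHAP Success payload such as
    'S=<40 hex digits> M=Access granted': the first token must equal what we computed.
    A mismatch is the 'MS-CHAPv2 mutual authentication failed' path."""
    received = success_message.split(" ", 1)[0]
    return hmac.compare_digest(expected.encode(), received.encode())


# Inputs from the RFC 2759 section 9.2 test vectors (user "User", password "clientPass").
RFC_USERNAME = b"User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def demo() -> tuple:
    """Returns (expected S= value, check against a matching Success, check against a mismatch)."""
    expected = generate_authenticator_response(RFC_PASSWORD_HASH_HASH, RFC_NT_RESPONSE,
                                               RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    # A server answering from a different password hash (here: an all-zero one, constructed
    # to simulate a stale or wrong credential) produces a different S= value.
    stale = generate_authenticator_response(bytes(16), RFC_NT_RESPONSE,
                                            RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    return (expected,
            check_authenticator_response(expected, expected + " M=Access granted"),
            check_authenticator_response(expected, stale + " M=Access granted"))
```

Because the server's "S=" value depends on the password hash it used, an authenticator that answers from a different (for example stale) hash than the client's will pass its own "Access granted" check yet fail the client's comparison, which is the symptom in the trace.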