[Samba] winbind and pptpd authentication failure

Andrew Bartlett abartlet at samba.org
Thu Sep 9 05:57:35 MDT 2010

On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> Hi all
> I'm not sure whether to go to the ppp lists for this, or the samba 
> lists. I thought I'd try here first.
> I have a linux firewall using winbind to authenticate users coming in 
> with PPTP. It all seemed to work OK at first. After a while I noticed 
> that authentication was denied to users who had previously (as in less 
> than a day) authenticated successfully. After a day or so of fighting 
> with this setup, I found that restarting winbindd will allow users to 
> authenticate successfully again. This happens with both the built-in 
> windows PPTP VPN client, and pppd as a client under linux.
> What happens is:
> - restart winbind
> - authenticate a user
> - close pptp connection
> - a few minutes (seems like around 10) after a first (or several) 
> successful authentication, I get the following ppp trace on the client side:
> rcvd [CHAP Challenge id=0x8b <8b7f80d136cce1a774e888a0d4e83bbc>, name = 
> "pptpd"]
> sent [CHAP Response id=0x8b 
> <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>, 
> name = "xxxxx"]
> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF 
> M=Access granted"]
> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> F8673CADD4286B742EF0C39036393650701D0A60
> MS-CHAPv2 mutual authentication failed.
> CHAP authentication failed
> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
> In other words, the ntlm-auth helper and AD server says OK, but the 
> hashes aren't equal, which causes ppp to say "mutual authentication 
> failed". I hacked the ppp sources (chap_ms.c) gently to output the two 
> hashes.

> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345] 
> (tried all of them) on a x86_64 gentoo box.

Try with the latest GIT tree.  We finally fixed a bug which caused this
kind of breakage.  (We returned the wrong session key, which is why the
server thinks this is OK, but the client isn't impressed).

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
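For readers following the failure described above: the "S=..." string in the CHAP Success packet is the MS-CHAPv2 authenticator response (RFC 2759, GenerateAuthenticatorResponse). The server derives it from the password-hash-hash it obtains via the session key, and the client recomputes it from its own copy of the password; if the server side used the wrong key material, the two values differ and pppd reports "MS-CHAPv2 mutual authentication failed" even though the server said "Access granted". The script below is an added worked example, not code from this thread, from Samba or from ppp. It implements the client-side check using only the standard library (MD4 is coded locally because many OpenSSL builds disable it in hashlib), and it exercises the check with the test vectors from RFC 2759 section 9.2; the NT-Response is taken from that vector set rather than computed, since producing it would need DES, which is not the point here.

```python
import hashlib
import hmac
import struct

MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"
MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Needed for the NT hash; hashlib's md4 is often unavailable."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: words in order, shifts 3/7/11/19
                f, k, add, s = F, j, 0, (3, 7, 11, 19)[j % 4]
            elif i < 32:  # round 2: words 0,4,8,12,1,5,..., shifts 3/5/9/13
                f, k, add, s = G, (j % 4) * 4 + j // 4, 0x5A827999, (3, 5, 9, 13)[j % 4]
            else:         # round 3: fixed permutation, shifts 3/9/11/15
                f, k, add, s = H, r3_order[j], 0x6ED9EBA1, (3, 9, 11, 15)[j % 4]
            t = (-i) % 4  # which of a,b,c,d this step updates (a,d,c,b,...)
            v[t] = _rotl(v[t] + f(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + X[k] + add, s)
        state = [(s0 + s1) & MASK for s0, s1 in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def generate_authenticator_response(password, nt_response, peer_challenge, auth_challenge, username):
    """GenerateAuthenticatorResponse from RFC 2759 section 8.7, as the client recomputes it."""
    pw_hash_hash = md4(nt_password_hash(password))          # HashNtPasswordHash
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def check_authenticator_response(received, password, nt_response, peer_challenge, auth_challenge, username):
    """The client-side mutual-authentication check: True only if the server's S= value matches."""
    expected = generate_authenticator_response(password, nt_response, peer_challenge, auth_challenge, username)
    return hmac.compare_digest(expected, received)


# RFC 2759 section 9.2 test vectors (not values from this thread).
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C60213226262 8".replace(" ", ""))
RFC_PEER_CHALLENGE = bytes.fromhex("214023242 55E262A28295F2B3A337C7E".replace(" ", ""))
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD835442 33114A3D85D6DF".replace(" ", ""))
RFC_AUTH_RESPONSE = "S=407A5589115FD0D6209F510FE9C04566932CDA56"


def demo():
    """Returns (accepted_good, accepted_bad): a correct S= is accepted, a wrong one is rejected."""
    good = check_authenticator_response(RFC_AUTH_RESPONSE, RFC_PASSWORD, RFC_NT_RESPONSE,
                                        RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    # Constructed "wrong" value: what a server computing from the wrong key material might send.
    bad = check_authenticator_response("S=F8673CADD4286B742EF0C39036393650701D0A60", RFC_PASSWORD,
                                       RFC_NT_RESPONSE, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    return good, bad


if __name__ == "__main__":
    print(generate_authenticator_response(RFC_PASSWORD, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                          RFC_AUTH_CHALLENGE, RFC_USER))
    print(demo())
```

The point of the check is that the server can only produce a matching S= value if it derived the authenticator response from the same password-hash-hash the client holds; a server that reports success but sends a value computed from the wrong key material is correctly refused by the client, which is exactly the symptom in the trace above (Access granted, followed by "mutual authentication failed").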