[Samba] winbind and pptpd authentication failure

John Anderson ardour at semiosix.com
Thu Sep 9 06:33:22 MDT 2010

On 09/09/10 13:57, Andrew Bartlett wrote:
> On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
>> I have a linux firewall using winbind to authenticate users coming in
>> with PPTP. It all seemed to work OK at first. After a while I noticed
>> that authentication was denied to users who had previously (as in less
>> than a day) authenticated successfully. After a day or so of fighting
>> with this setup, I found that restarting winbindd will allow users to
>> authenticate successfully again. This happens with both the built-in
>> windows PPTP VPN client, and pppd as a client under linux.
>> What happens is:
>> - restart winbind
>> - authenticate a user
>> - close pptp connection
>> - a few minutes (seems like around 10) after a first (or several)
>> successful authentication, I get the following ppp trace on the client side:
>> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
>> "pptpd"]
>> sent [CHAP Response id=0x8b
>> <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
>> name = "xxxxx"]
>> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
>> M=Access granted"]
>> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
>> F8673CADD4286B742EF0C39036393650701D0A60
>> MS-CHAPv2 mutual authentication failed.
>> CHAP authentication failed
>> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
>> In other words, the ntlm-auth helper and AD server says OK, but the
>> hashes aren't equal, which causes ppp to say "mutual authentication
>> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
>> hashes.
>> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
>> (tried all of them) on an x86_64 gentoo box.
> Try with the latest GIT tree.  We finally fixed a bug which caused this
> kind of breakage.  (We returned the wrong session key, which is why the
> server thinks this is OK, but the client isn't impressed).

Thanks for your reply.

I have to get this onto a box on the other end of a 512kbps line with a 
bandwidth cap, so I'd prefer not to clone the entire repository. Would 
the v3-6-stable head have the fix?
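
Added example, not part of the original message and not Samba or ppp code: the MS-CHAPv2 mutual-authentication check that fails in the trace above, following GenerateAuthenticatorResponse from RFC 2759. The inputs are the RFC's published test vectors; `WRONG_KEY` is constructed, and treating the server's 16-byte input as the key handed back by the authentication helper is an assumption.

```python
import hashlib
import hmac

# Constants from RFC 2759 (GenerateAuthenticatorResponse).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

def split_response(value: bytes):
    """Split the 49-byte MS-CHAPv2 Response value as it appears in a ppp trace."""
    if len(value) != 49:
        raise ValueError("MS-CHAPv2 response value must be 49 bytes")
    # Layout: 16 peer challenge, 8 reserved, 24 NT-Response, 1 flags.
    return value[:16], value[24:48], value[48]

def authenticator_response(hash_hash, nt_response, peer_chal, auth_chal, user):
    """RFC 2759 GenerateAuthenticatorResponse; hash_hash is MD4(MD4(password))."""
    digest = hashlib.sha1(hash_hash + nt_response + MAGIC1).digest()
    challenge = hashlib.sha1(peer_chal + auth_chal + user).digest()[:8]
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()

def client_accepts(success_msg, hash_hash, nt_response, peer_chal, auth_chal, user):
    """Client side of mutual auth: recompute S= and compare with the Success packet."""
    received = success_msg.split()[0]
    expected = authenticator_response(hash_hash, nt_response, peer_chal, auth_chal, user)
    return hmac.compare_digest(received.encode(), expected.encode())

# Test vectors from RFC 2759 (user "User", password "clientPass").
USER = b"User"
AUTH_CHAL = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")
RESPONSE_VALUE = bytes.fromhex(
    "21402324255E262A28295F2B3A337C7E" "0000000000000000"
    "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF" "00")
# Constructed: a wrong 16-byte key, standing in for a bad session key (assumption).
WRONG_KEY = bytes(16)

def simulate(server_key):
    """Server builds Success from server_key; client checks with the real hash-hash."""
    peer, nt, _flags = split_response(RESPONSE_VALUE)
    msg = authenticator_response(server_key, nt, peer, AUTH_CHAL, USER) + " M=Access granted"
    return msg, client_accepts(msg, HASH_HASH, nt, peer, AUTH_CHAL, USER)

if __name__ == "__main__":
    for label, key in (("correct key", HASH_HASH), ("wrong key", WRONG_KEY)):
        msg, ok = simulate(key)
        print(label, msg, "->", "accepted" if ok else "mutual authentication failed")
```

With the wrong key the server still sends "M=Access granted", but the client's recomputed `S=` value differs, which is the same symptom as the two unequal hashes printed in the trace.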

