[Samba] winbind and pptpd authentication failure

Guenther Deschner gd at samba.org
Thu Sep 9 08:24:08 MDT 2010


On Thu, Sep 09, 2010 at 11:12:52PM +1000, Andrew Bartlett wrote:
> On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote:
> > On 09/09/10 13:57, Andrew Bartlett wrote:
> > > On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> > >> I have a linux firewall using winbind to authenticate users coming in
> > >> with PPTP. It all seemed to work OK at first. After a while I noticed
> > >> that authentication was denied to users who had previously (as in less
> > >> than a day) authenticated successfully. After a day or so of fighting
> > >> with this setup, I found that restarting winbindd will allow users to
> > >> authenticate successfully again. This happens with both the built-in
> > >> windows PPTP VPN client, and pppd as a client under linux.
> > >>
> > >> What happens is:
> > >>
> > >> - restart winbind
> > >> - authenticate a user
> > >> - close pptp connection
> > >> - a few minutes (seems like around 10) after a first (or several)
> > >> successful authentication, I get the following ppp trace on the client side:
> > >>
> > >> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
> > >> "pptpd"]
> > >> sent [CHAP Response id=0x8b
> > >> <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
> > >> name = "xxxxx"]
> > >> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
> > >> M=Access granted"]
> > >> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> > >> F8673CADD4286B742EF0C39036393650701D0A60
> > >> MS-CHAPv2 mutual authentication failed.
> > >> CHAP authentication failed
> > >> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
> > >>
> > >> In other words, the ntlm-auth helper and AD server says OK, but the
> > >> hashes aren't equal, which causes ppp to say "mutual authentication
> > >> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
> > >> hashes.
> > >
> > >> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
> > >> (tried all of them) on an x86_64 gentoo box.
> > >
> > > Try with the latest GIT tree.  We finally fixed a bug which caused this
> > > kind of breakage.  (We returned the wrong session key, which is why the
> > > server thinks this is OK, but the client isn't impressed).
> > 
> > Thanks for your reply.
> > 
> > I have to get this onto a box on the other end of a 512kbps line with a 
> > bandwidth cap, so I'd prefer not to clone the entire repository. Would 
> > the v3-6-stable head have the fix?
> 
> I would have said that v3-6-test should have it.  I don't know about
> v3-6-stable, sorry.

All branches have the fix now, you could also individually apply the fix
mentioned in https://bugzilla.samba.org/show_bug.cgi?id=7568.

We got reports that this resolves exactly that issue.

Thanks,
Guenther


-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
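
Added example, not part of the original thread or of the pppd or Samba sources: the "S=" value in the CHAP Success packet is the RFC 2759 authenticator response, which both peers derive from MD4(MD4(password)). The code parses the Response value from the trace quoted above and shows that a server-side key differing from the client's produces a different "S=" string. The two 16-byte keys and all function names are constructed for illustration, and it assumes the PPP server builds "S=" from the key its authentication back end returns.

```python
import hashlib

# Constants from RFC 2759, section 8.7 (39 and 41 bytes).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

def parse_response(hex_value):
    """Split the 49-byte MS-CHAPv2 Response value (RFC 2759, section 4)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 49:
        raise ValueError("MS-CHAPv2 response value must be 49 bytes")
    return {"peer_challenge": raw[:16], "reserved": raw[16:24],
            "nt_response": raw[24:48], "flags": raw[48]}

def authenticator_response(nt_key, nt_response, peer_chal, auth_chal, user):
    """RFC 2759 GenerateAuthenticatorResponse, starting from PasswordHashHash.

    nt_key is the 16-byte MD4(MD4(password)) value. Assumption: this is the
    key the authentication back end hands to the PPP server.
    """
    digest = hashlib.sha1(nt_key + nt_response + MAGIC1).digest()
    challenge = hashlib.sha1(peer_chal + auth_chal + user).digest()[:8]
    final = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + final.hex().upper()

# Values copied from the pppd trace in the thread.
AUTH_CHALLENGE = bytes.fromhex("8b7f80d136cce1a774e888a0d4e83bbc")
RESPONSE = parse_response(
    "95c9d3a1061299d9ca4874659c37f1720000000000000000"
    "161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900")
USER = b"xxxxx"  # redacted in the thread, used as-is

# Constructed keys: the real PasswordHashHash is not on the page.
GOOD_KEY = bytes(range(16))       # what the client derives from the password
WRONG_KEY = bytes(range(16, 32))  # stands in for a wrong key on the server

def demo():
    """Return (client_expected, server_sent, match) for the two keys."""
    args = (RESPONSE["nt_response"], RESPONSE["peer_challenge"],
            AUTH_CHALLENGE, USER)
    client = authenticator_response(GOOD_KEY, *args)
    server = authenticator_response(WRONG_KEY, *args)
    return client, server, client == server

if __name__ == "__main__":
    client, server, ok = demo()
    print("client expects:", client)
    print("server sent:   ", server)
    print("mutual authentication", "ok" if ok else "failed")
```

The NT-Response check can still pass on the domain controller while the comparison above fails, because the two values are verified independently.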