[Samba] winbind and pptpd authentication failure [SOLVED]

John Anderson ardour at semiosix.com
Thu Sep 9 12:39:48 MDT 2010


On 09/09/10 16:24, Guenther Deschner wrote:
> On Thu, Sep 09, 2010 at 11:12:52PM +1000, Andrew Bartlett wrote:
>> On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote:
>>> On 09/09/10 13:57, Andrew Bartlett wrote:
>>>> On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
>>>>> I have a linux firewall using winbind to authenticate users coming in
>>>>> with PPTP. It all seemed to work OK at first. After a while I noticed
>>>>> that authentication was denied to users who had previously (as in less
>>>>> than a day) authenticated successfully. After a day or so of fighting
>>>>> with this setup, I found that restarting winbindd will allow users to
>>>>> authenticate successfully again. This happens with both the built-in
>>>>> windows PPTP VPN client, and pppd as a client under linux.
>>>>>
>>>>> What happens is:
>>>>>
>>>>> - restart winbind
>>>>> - authenticate a user
>>>>> - close pptp connection
>>>>> - a few minutes (seems like around 10) after a first (or several)
>>>>> successful authentication, I get the following ppp trace on the client side:
>>>>>
>>>>> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
>>>>> "pptpd"]
>>>>> sent [CHAP Response id=0x8b
>>>>> <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
>>>>> name = "xxxxx"]
>>>>> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
>>>>> M=Access granted"]
>>>>> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
>>>>> F8673CADD4286B742EF0C39036393650701D0A60
>>>>> MS-CHAPv2 mutual authentication failed.
>>>>> CHAP authentication failed
>>>>> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
>>>>>
>>>>> In other words, the ntlm-auth helper and AD server says OK, but the
>>>>> hashes aren't equal, which causes ppp to say "mutual authentication
>>>>> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
>>>>> hashes.
>>>>
>>>>> I'be been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
>>>>> (tried all of them) on a x86_64 gentoo box.
>>>>
>>>> Try with the lastest GIT tree.  We finally fixed a bug which caused this
>>>> kind of breakage.  (We returned the wrong session key, which is why the
>>>> server thinks this is OK, but the client isn't impressed).
>>>
>>> Thanks for your reply.
>>>
>>> I have to get this onto a box on the other end of a 512kbps line with a
>>> bandwidth cap, so I'd prefer not to clone the entire repository. Would
>>> the v3-6-stable head have the fix?
>>
>> I would have said that v3-6-test should have it.  I don't know about
>> v3-6-stable, sorry.
>
> all branches have the fix now, you could also individually apply the fix
> mentioned in https://bugzilla.samba.org/show_bug.cgi?id=7568.

Sheesh. I spent two days asking google for help on this issue and I 
never found that bug report. Oh right. That's because I was looking for 
"MS-CHAPv2 mutual authentication failed". Which isn't in that bug report 
because it's coming from a different perspective.

> We got reports that this resolves exactly that issue.

I installed v3-6-stable (I think that's the same as 3.6.0pre1 right 
now), and I'm able to successfully authenticate repeatedly, beyond the 
10 minutes which seemed to be the point where it stopped working 
previously. So here's another report that it resolves the issue.

bye
John


More information about the samba mailing list