[Samba] NTLM_AUTH failing?

Ryan Ashley ryana at reachtechfp.com
Mon Nov 2 18:45:21 UTC 2015

Andrew, I use git very little and would not know how to do what you ask.
The good news is that the server is used only for VPN. However, it runs
Samba 3.6 as a member. Our DCs are running Samba 4 and that is where the
issue is. I do have two different setups though.

Client A:
Single DC upgraded from 4.1-stable to 4.3-stable. The VPN server runs ON
the DC due to limited resources. So Samba4 and pptpd are on the same box.

Client B:
Two DCs on separate boxes running Samba4, and a third running Samba3 as
a member for the VPN server. I upgraded both DCs from 4.2-stable to
4.3-stable and the VPN stopped working.

As you can see, one location has the DC and VPN server in one physical
system, and the other location has both DCs and the VPN server
separately. Since the VPN server is a Samba3 domain member, I am
assuming there is nothing to do there. I am asking, can I roll back my
actual DCs to 4.2-stable?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/31/2015 04:34 AM, Andrew Bartlett wrote:
> On Fri, 2015-10-30 at 09:53 -0400, Ryan Ashley wrote:
>> Rowland, I tried that already, but I made two breakthroughs. First, I
>> went to a location where it was working. I realized then that I had put
>> in the SID for the PPTP group at that location. You know, the
>> "S-1-15-xyz" number? Now while I was there, I noted that they were
>> running 4.1 stable. I upgraded them to 4.3 stable. Guess what? The VPN
>> broke! Something with ntlm_auth and 4.3 stable is borked. I cannot use
>> the name, SID, or anything to make it work. Then I realized that the VPN
>> stopped working at the other location when I upgraded from 4.2 stable to
>> 4.3 stable.
>> So, has something changed in 4.3 from 4.2 and/or 4.1? Why does using the
>> SID work great in 4.1 and 4.2 but doesn't in 4.3? Can I safely downgrade
>> to 4.2 stable from 4.3 stable?
> At most you would need to clean out the tdbs (which, if you are just
> using the server for VPN authentication shouldn't have any local info
> in it) and rejoin the domain.
> It would be very interesting if you could reproduce on a git tree, and
> then do a git bisect to determine when it failed. Sadly there are no
> automated tests for the ntlm-server-1 protocol.
> Thanks,
> Andrew Bartlett
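An added check, not from this thread or from the Samba project: a small Python driver for the ntlm-server-1 helper protocol that pppd's winbind plugin speaks to ntlm_auth, so one logon, with the same --require-membership-of SID pptpd is configured with, can be tried by hand on a 4.2 box and on a 4.3 box and the helper's exact reply compared. It assumes ntlm_auth is in PATH and winbind is running; the user, domain and group SID are whatever you supply.

```python
import subprocess


def build_request(username, domain, password=None,
                  challenge_hex=None, nt_response_hex=None):
    """One ntlm-server-1 request: 'Field: value' lines, then a lone '.'.
    Either a plaintext Password or the LANMAN-Challenge/NT-Response pair."""
    lines = ["Username: " + username, "NT-Domain: " + domain]
    if password is not None:
        lines.append("Password: " + password)
    elif challenge_hex and nt_response_hex:
        lines += ["LANMAN-Challenge: " + challenge_hex,   # 8 bytes, hex
                  "NT-Response: " + nt_response_hex,      # 24 bytes, hex
                  "Request-User-Session-Key: Yes"]        # MPPE needs this key
    else:
        raise ValueError("need a password or a challenge/response pair")
    return "\n".join(lines) + "\n.\n"


def parse_reply(text):
    """Parse the '.'-terminated reply; 'authenticated' becomes a bool."""
    fields = {}
    for line in text.splitlines():
        if line.strip() == ".":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    fields["authenticated"] = fields.get("Authenticated", "").lower() == "yes"
    return fields


def check_logon(username, domain, password, require_sid=None):
    """Run one logon through ntlm_auth the way pptpd does and return the reply."""
    cmd = ["ntlm_auth", "--helper-protocol=ntlm-server-1"]
    if require_sid:
        cmd.append("--require-membership-of=" + require_sid)
    try:
        proc = subprocess.run(cmd, input=build_request(username, domain, password),
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return {"authenticated": False, "Error": "ntlm_auth not found in PATH"}
    return parse_reply(proc.stdout)


if __name__ == "__main__":
    import getpass, sys
    # usage: script.py USER DOMAIN [GROUP-SID]; the password is prompted for
    user, dom = sys.argv[1], sys.argv[2]
    sid = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_logon(user, dom, getpass.getpass(), sid))
```

A plaintext Password exercises winbind's plaintext path, so a pass there does not prove the MS-CHAPv2 challenge/response path pptpd actually uses; for that, capture the challenge and NT-Response pppd logs with debugging on and send them through build_request instead.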
