[Samba] NTLM_AUTH failing?

Ryan Ashley ryana at reachtechfp.com
Wed Nov 4 13:36:01 UTC 2015

So, am I stuck with 4.3 since it is the domain controllers which got the
upgrade? Still stopped on this one and not sure which direction I should
move in. It seems like all authentication to Windows 7 workstations
works fine, just ntlm_auth failing. I am moving towards L2TP/IPsec for
VPN, which means PAM should handle authentication, but I will have PPTP
servers around for a while longer, so this is of some concern to me.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 11/02/2015 01:45 PM, Ryan Ashley wrote:
> Andrew, I use git very little and would not know how to do what you ask.
> The good news is that the server is used only for VPN. However, it runs
> Samba 3.6 as a member. Our DCs are running Samba 4 and that is where the
> issue is. I do have two different setups though.
> Client A:
> Single DC upgraded from 4.1-stable to 4.3-stable. The VPN server runs ON
> the DC due to limited resources. So Samba4 and pptpd are on the same box.
> Client B:
> Two DCs on separate boxes running Samba4, and a third running Samba3 as
> a member for the VPN server. I upgraded both DCs from 4.2-stable to
> 4.3-stable and the VPN stopped working.
> As you can see one location has the DC and VPN server in one physical
> system, and the other location has both DCs and the VPN server
> separately. Since the VPN server is a Samba3 domain member, I am
> assuming there is nothing to do there. I am asking, can I roll back my
> actual DCs to 4.2-stable?
> Lead IT/IS Specialist
> Reach Technology FP, Inc
> On 10/31/2015 04:34 AM, Andrew Bartlett wrote:
>> On Fri, 2015-10-30 at 09:53 -0400, Ryan Ashley wrote:
>>> Rowland, I tried that already, but I made two break-throughs. First, I
>>> went to a location where it was working. I realized then that I had put
>>> in the SID for the PPTP group at that location. You know, the
>>> "S-1-15-xyz" number? Now while I was there, I noted that they were
>>> running 4.1 stable. I upgraded them to 4.3 stable. Guess what? The VPN
>>> broke! Something with ntlm_auth and 4.3 stable is borked. I cannot use
>>> the name, SID, or anything to make it work. Then I realized that the VPN
>>> stopped working at the other location when I upgraded from 4.2 stable to
>>> 4.3 stable.
>>> So, has something changed in 4.3 from 4.2 and/or 4.1? Why does using the
>>> SID work great in 4.1 and 4.2 but doesn't in 4.3? Can I safely downgrade
>>> to 4.2 stable from 4.3 stable?
>> At most you would need to clean out the tdbs (which, if you are just
>> using the server for VPN authentication shouldn't have any local info
>> in it) and rejoin the domain.  
>> It would be very interesting if you could reproduce on a git tree, and
>> then do a git bisect to determine when it failed.  Sadly there are no
>> automated tests for the ntlm-server-1 protocol.
>> Thanks,
>> Andrew Bartlett
