[Samba] NTLM_AUTH failing?

Ryan Ashley ryana at reachtechfp.com
Tue Oct 27 16:53:40 UTC 2015


I'm setting up a PPTP VPN server on a client domain and am having an odd
issue. If I run ntlm_auth on the command-line, it works as expected.
However, if I run it with my PPTP server, it denies access to every
user. My setup is that I have a few AD users in an AD group named
"PPTP". I have the following in my pptp-options file. The server is
Debian Squeeze 64bit.

name vpn01
domain kigm.local
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.0.1
ms-dns 192.168.0.2
proxyarp
nodefaultroute
lock
nobsdcomp
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIGM+PPTP"

This domain is scheduled to be rebuilt next year to get rid of any
".local" issues. It also means we upgrade to Gentoo GNU/Linux (no
systemd, unlike the latest Debian) and will have much newer software.
However, we have new needs now which require remote access for three people.

If I remove the helper protocol option I get an actual "Access denied"
message in my client log. If I leave it in there, it times out and I get
an error about LCP negotiation timing out. If I use the helper option on
the command-line, it hangs. If not, it works perfectly.

ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain username>

The above works. Users in the PPTP group return 0 (success) and others
return an error. Why won't it work with pptpd? Note that the VPN server is
separate from the domain controllers. All of the domain accounts and groups
resolve on the VPN server.

-- 
Lead IT/IS Specialist
Reach Technology FP, Inc
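
Added example, not part of the original post: when started with --helper-protocol=ntlm-server-1, ntlm_auth reads "Parameter: value" lines on standard input and acts only once it receives a line containing a single period, so run by hand it waits for input instead of checking a --username. The sketch below drives that exchange directly so the helper can be tested without pptpd. The function names, the user "alice" and the challenge/response values are constructed assumptions.

```python
import base64
import os
import subprocess

NTLM_AUTH = "/usr/bin/ntlm_auth"  # path taken from the pptp-options file in the post

def build_request(username, domain, challenge_hex, nt_response_hex):
    """Return the stdin text for one ntlm-server-1 request (helper name is ours)."""
    if len(bytes.fromhex(challenge_hex)) != 8:
        raise ValueError("challenge must be 8 bytes, hex-encoded")
    if len(bytes.fromhex(nt_response_hex)) != 24:
        raise ValueError("NT response must be 24 bytes, hex-encoded")
    fields = [("Username", username), ("NT-Domain", domain),
              ("LANMAN-Challenge", challenge_hex), ("NT-Response", nt_response_hex)]
    for _, value in fields:
        # A newline in a value would smuggle extra "Parameter: value" lines.
        if any(ord(ch) < 32 for ch in value):
            raise ValueError("control character in field value")
    # The single "." line tells the helper the request is complete.
    return "".join(f"{k}: {v}\n" for k, v in fields) + ".\n"

def parse_reply(text):
    """Parse helper output up to the terminating '.' line into a dict."""
    reply = {}
    for line in text.splitlines():
        if line.strip() == ".":
            break
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "Key:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        reply[key.strip()] = value.strip()
    return reply

def authenticate(request, group=None):
    """Run ntlm_auth once, feed it the request, return the parsed reply."""
    cmd = [NTLM_AUTH, "--helper-protocol=ntlm-server-1"]
    if group:
        cmd.append("--require-membership-of=" + group)
    done = subprocess.run(cmd, input=request, capture_output=True, text=True, timeout=15)
    return parse_reply(done.stdout)

if __name__ == "__main__":
    # Constructed sample values: a real test needs the challenge and response
    # from an actual MS-CHAPv2 exchange, so this request is expected to be refused.
    req = build_request("alice", "KIGM", "0011223344556677", "00" * 24)
    print(req, end="")
    if os.path.exists(NTLM_AUTH):
        print(authenticate(req, group="KIGM\\PPTP"))
```

An "Authenticated: No" reply together with an Authentication-Error line shows the helper is answering, which separates an ntlm_auth or winbind problem from an LCP timeout on the pptpd side.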



