[Samba] NTLM_AUTH failing?

Ryan Ashley ryana at reachtechfp.com
Tue Oct 27 21:05:44 UTC 2015


I am not sure how to determine the separator, but 'which' shows
"/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
broken, I cannot remote in. I will have to show up on-site again,
possibly Thursday.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2015 01:41 PM, Michael Wandel wrote:
> Hey,
>
> On 27.10.2015 17:53, Ryan Ashley wrote:
>> I'm setting up a PPTP VPN server on a client domain and am having an odd
>> issue. If I run ntlm_auth on the command-line, it works as expected.
>> However, if I run it with my PPTP server, it denies access to every
>> user. My setup is that I have a few AD users in an AD group named
>> "PPTP". I have the following in my pptp-options file. The server is
>> Debian Squeeze 64bit.
>>
>> name vpn01
>> domain kigm.local
>> refuse-pap
>> refuse-chap
>> refuse-mschap
>> require-mschap-v2
>> require-mppe-128
>> ms-dns 192.168.0.1
>> ms-dns 192.168.0.2
>> proxyarp
>> nodefaultroute
>> lock
>> nobsdcomp
>> plugin winbind.so
>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>> --require-membership-of=KIGM+PPTP"
>>
>> This domain is scheduled to be rebuilt next year to get rid of any
>> ".local" issues. It also means we upgrade to Gentoo GNU/Linux (no
>> systemd, unlike the latest Debian) and will have much newer software.
>> However, we have new needs now which require remote access for three people.
>>
>> If I remove the helper protocol option I get an actual "Access denied"
>> message in my client log. If I leave it in there, it times out and I get
>> an error about LCP negotiation timing out. If I use the helper option on
>> the command-line, it hangs. If not, it works perfectly.
>>
>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain username>
>>
> Which winbind separator are you using, "\" or "+"?
>
> What is the output of:
>
> which ntlm_auth
>
> best regards
>
> Michael
>
>> The above works. Users in the PPTP group return 0 (success) and others
>> return an error. Why won't it work with pptpd? Note that the VPN server is
>> separate from the domain controllers. All of the domain accounts and groups
>> resolve on the VPN server.
>>
>
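
Michael's question about the winbind separator can be checked mechanically: the quoted options file passes `KIGM+PPTP` to `--require-membership-of`, while the command-line test that works uses `KIGM\PPTP`. The script below is an added example, not part of the original thread and not Samba code; the function names and sample files are constructed for illustration, and the thread itself does not establish that this is the cause.

```shell
#!/bin/sh
# Added example: does the separator inside --require-membership-of match
# the "winbind separator" that winbindd is configured with?

# Print the "winbind separator" from an smb.conf; Samba's default is "\".
winbind_sep() {
    sep=$(sed -n 's/^[[:space:]]*winbind[[:space:]]*separator[[:space:]]*=[[:space:]]*\(.\).*/\1/p' "$1" | tail -n 1)
    [ -n "$sep" ] || sep='\'
    printf '%s\n' "$sep"
}

# Print the value given to --require-membership-of in a pppd options file.
membership_of() {
    sed -n 's/.*--require-membership-of=\([^" ]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 if the group name contains the configured separator (or is a SID),
# 1 on a mismatch, 2 if the option is absent.
check_separator() {
    sep=$(winbind_sep "$1")
    group=$(membership_of "$2")
    case $group in
        '')       printf '%s\n' "no --require-membership-of in $2"; return 2 ;;
        S-1-*)    printf '%s\n' "SID '$group' needs no separator"; return 0 ;;
        *"$sep"*) printf '%s\n' "ok: '$group' uses separator '$sep'"; return 0 ;;
        *)        printf '%s\n' "mismatch: '$group' does not contain '$sep'"; return 1 ;;
    esac
}

# Constructed sample files (not taken from the poster's server).
demo=$(mktemp -d)
printf '[global]\n  workgroup = KIGM\n  security = ads\n' > "$demo/default.conf"
printf '[global]\n  workgroup = KIGM\n  winbind separator = +\n' > "$demo/plus.conf"
cat > "$demo/pptp-options" <<'EOF'
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIGM+PPTP"
EOF

check_separator "$demo/default.conf" "$demo/pptp-options" || true  # mismatch
check_separator "$demo/plus.conf"    "$demo/pptp-options"          # ok
```

On a live server, `testparm -s --parameter-name="winbind separator"` prints the effective value, including Samba's default when smb.conf does not set it.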



