[Samba] NTLM_AUTH failing?

Ryan Ashley ryana at reachtechfp.com
Wed Oct 28 13:45:08 UTC 2015


Thank you, Rowland. I will be going by this afternoon and I will check.
The thing is, if it IS "\", how do I enter that into the pptp-options
file? The entire list of parameters is in quotes, so do I need a
double-backslash or anything?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2015 05:21 PM, Rowland Penny wrote:
> On 27/10/15 21:05, Ryan Ashley wrote:
>> I am not sure how to determine the separator,
>
> The separator is easy to establish: do you have a line in smb.conf
> that starts 'winbind separator ='? If you do, then whatever is after
> the '=' is the separator; if you haven't got the line, then you are
> using the default '\'.
>
> Rowland
>
>> but 'which' shows
>> "/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
>> broken, I cannot remote in. I will have to show up on-site again,
>> possibly Thursday.
>>
>> Lead IT/IS Specialist
>> Reach Technology FP, Inc
>>
>> On 10/27/2015 01:41 PM, Michael Wandel wrote:
>>> Hey,
>>>
>>> On 27.10.2015 17:53, Ryan Ashley wrote:
>>>> I'm setting up a PPTP VPN server on a client domain and am having an
>>>> odd issue. If I run ntlm_auth on the command-line, it works as expected.
>>>> However, if I run it with my PPTP server, it denies access to every
>>>> user. My setup is that I have a few AD users in an AD group named
>>>> "PPTP". I have the following in my pptp-options file. The server is
>>>> Debian Squeeze 64bit.
>>>>
>>>> name vpn01
>>>> domain kigm.local
>>>> refuse-pap
>>>> refuse-chap
>>>> refuse-mschap
>>>> require-mschap-v2
>>>> require-mppe-128
>>>> ms-dns 192.168.0.1
>>>> ms-dns 192.168.0.2
>>>> proxyarp
>>>> nodefaultroute
>>>> lock
>>>> nobsdcomp
>>>> plugin winbind.so
>>>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIGM+PPTP"
>>>>
>>>> This domain is scheduled to be rebuilt next year to get rid of any
>>>> ".local" issues. It also means we upgrade to Gentoo GNU/Linux (no
>>>> systemd, unlike the latest Debian) and will have much newer software.
>>>> However, we have new needs now which require remote access for three
>>>> people.
>>>>
>>>> If I remove the helper protocol option I get an actual "Access denied"
>>>> message in my client log. If I leave it in there, it times out and I
>>>> get an error about LCP negotiation timing out. If I use the helper
>>>> option on the command-line, it hangs. If not, it works perfectly.
>>>>
>>>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain username>
>>>>
>>> Which winbind separator are you using, "\" or "+"?
>>>
>>> What is the output of :
>>>
>>> which ntlm_auth
>>>
>>> best regards
>>>
>>> Michael
>>>
>>>> The above works. Users in the PPTP group return 0 (success) and others
>>>> return an error. Why won't it work with pptpd? Note that the VPN
>>>> server is separate from the domain controllers. All of the domain
>>>> accounts and groups resolve on the VPN server.
>>>>
>>
>
>
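Added example, not part of the original thread and not Samba or pppd code: a Python check that reads the winbind separator from smb.conf text (default backslash) and shows what the --require-membership-of value in a pppd options file looks like after pppd's own unquoting. The tokenizer models only the rules stated in pppd(8) (double quotes keep whitespace, a backslash quotes the next character) and nothing that later processes the helper string; the function names and sample files are constructed for illustration.

```python
import re

def winbind_separator(smb_conf):
    """Last 'winbind separator' in smb.conf text, else the default backslash."""
    # Name is matched case-insensitively; lines starting with # or ; never match.
    found = re.findall(r"(?im)^[ \t]*winbind[ \t]*separator[ \t]*=[ \t]*(\S+)", smb_conf)
    return found[-1] if found else "\\"

def pppd_words(line):
    """Split a line per pppd(8): quotes keep whitespace, backslash quotes next char."""
    words, cur, quoted = [], None, False
    chars = iter(line)
    for c in chars:
        if c == "#" and cur is None:
            break                          # comment starts at a word boundary
        if c.isspace() and not quoted:
            if cur is not None:
                words.append(cur)
            cur = None
            continue
        cur = cur or ""
        if c == "\\":
            cur += next(chars, "")         # the backslash itself is consumed
        elif c == '"':
            quoted = not quoted
        else:
            cur += c
    return words + ([cur] if cur is not None else [])

def membership_value(options):
    """--require-membership-of value after pppd's unquoting ('' if absent)."""
    for line in options.splitlines():
        words = pppd_words(line)
        if len(words) == 2 and words[0] == "ntlm_auth-helper":
            m = re.search(r"--require-membership-of=(\S+)", words[1])
            return m.group(1) if m else ""
    return ""

def uses_separator(smb_conf, options):
    """True if the group spec reads DOMAIN<separator>GROUP for this smb.conf."""
    return all(membership_value(options).partition(winbind_separator(smb_conf)))

# Constructed sample input (not the poster's real files)
SMB_DEFAULT = "[global]\n   workgroup = KIGM\n"
SMB_PLUS = SMB_DEFAULT + "   winbind separator = +\n"
OPT_PLUS = ('ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 '
            '--require-membership-of=KIGM+PPTP"\n')
OPT_SINGLE = OPT_PLUS.replace("KIGM+PPTP", "KIGM\\PPTP")     # one backslash in the file
OPT_DOUBLE = OPT_PLUS.replace("KIGM+PPTP", "KIGM\\\\PPTP")   # two backslashes in the file
```

With no separator line in smb.conf, only the doubled backslash survives pppd's parsing as `KIGM\PPTP`; the `+` form matches only when smb.conf sets `winbind separator = +`.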



