[Samba] NTLM_AUTH failing?

Rowland Penny rowlandpenny241155 at gmail.com
Wed Oct 28 14:06:59 UTC 2015


On 28/10/15 13:45, Ryan Ashley wrote:
> Thank you, Rowland. I will be going by this afternoon and I will check.
> The thing is, if it IS "\", how do I enter that into the pptp-options
> file? The entire list of parameters is in quotes, so do I need a
> double-backslash or anything?
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 10/27/2015 05:21 PM, Rowland Penny wrote:
>> On 27/10/15 21:05, Ryan Ashley wrote:
>>> I am not sure how to determine the separator,
>> The separator is easy to establish: do you have a line in smb.conf
>> that starts 'winbind separator ='? If you do, then whatever is after
>> the '=' is the separator; if you haven't got the line, then you are
>> using the default '\'.
>>
>> Rowland
>>
>>> but 'which' shows
>>> "/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
>>> broken, I cannot remote in. I will have to show up on-site again,
>>> possibly Thursday.
>>>
>>> Lead IT/IS Specialist
>>> Reach Technology FP, Inc
>>>
>>> On 10/27/2015 01:41 PM, Michael Wandel wrote:
>>>> Hey,
>>>>
>>>> On 27.10.2015 17:53, Ryan Ashley wrote:
>>>>> I'm setting up a PPTP VPN server on a client domain and am having an odd
>>>>> issue. If I run ntlm_auth on the command-line, it works as expected.
>>>>> However, if I run it with my PPTP server, it denies access to every
>>>>> user. My setup is that I have a few AD users in an AD group named
>>>>> "PPTP". I have the following in my pptp-options file. The server is
>>>>> Debian Squeeze 64bit.
>>>>>
>>>>> name vpn01
>>>>> domain kigm.local
>>>>> refuse-pap
>>>>> refuse-chap
>>>>> refuse-mschap
>>>>> require-mschap-v2
>>>>> require-mppe-128
>>>>> ms-dns 192.168.0.1
>>>>> ms-dns 192.168.0.2
>>>>> proxyarp
>>>>> nodefaultroute
>>>>> lock
>>>>> nobsdcomp
>>>>> plugin winbind.so
>>>>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIGM+PPTP"
>>>>>
>>>>> This domain is scheduled to be rebuilt next year to get rid of any
>>>>> ".local" issues. It also means we upgrade to Gentoo GNU/Linux (no
>>>>> systemd, unlike the latest Debian) and will have much newer software.
>>>>> However, we have new needs now which require remote access for
>>>>> three people.
>>>>>
>>>>> If I remove the helper protocol option I get an actual "Access denied"
>>>>> message in my client log. If I leave it in there, it times out and I get
>>>>> an error about LCP negotiation timing out. If I use the helper option on
>>>>> the command-line, it hangs. If not, it works perfectly.
>>>>>
>>>>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain username>
>>>>>
>>>> Which winbind separator are you using, "\" or "+"?
>>>>
>>>> What is the output of :
>>>>
>>>> which ntlm_auth
>>>>
>>>> best regards
>>>>
>>>> Michael
>>>>
>>>>> The above works. Users in the PPTP group return 0 (success) and others
>>>>> return an error. Why won't it work with pptpd? Note that the VPN server is
>>>>> separate from the domain controllers. All of the domain accounts and groups
>>>>> resolve on the VPN server.
>>>>>
>>
>

This might help: 
https://wiki.archlinux.org/index.php/PPTP_VPN_client_setup_with_pptpclient

Rowland
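
The separator check discussed in this thread, as an added example that is not part of the original messages: it reads the `winbind separator` line from smb.conf (falling back to the default `\`) and reports whether the `--require-membership-of` value in a pppd options file uses that separator. The function names, the file paths passed as arguments and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the separator from a 'winbind separator = X' line of an smb.conf file,
# or the default backslash when no such line exists. Parameter names are
# case-insensitive and whitespace inside them is ignored; # and ; start comments.
winbind_separator() {
    awk '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            if (key == "winbindseparator") {
                sep = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", sep)
            }
        }
        END { print (sep == "" ? "\\" : sep) }
    ' "$1"
}

# Print the first --require-membership-of value in a pppd options file.
membership_value() {
    grep -o -- '--require-membership-of=[^" ]*' "$1" | head -n 1 | cut -d= -f2-
}

# Return 0 if that value is a SID or contains the winbind separator, 1 if not.
check_membership_separator() {
    sep=$(winbind_separator "$1")
    value=$(membership_value "$2")
    case $value in
        '')       printf '%s\n' "no --require-membership-of value found"; return 2 ;;
        S-1-*)    printf '%s\n' "ok: $value is a SID"; return 0 ;;
        *"$sep"*) printf '%s\n' "ok: $value uses winbind separator $sep"; return 0 ;;
        *)        printf '%s\n' "mismatch: $value lacks winbind separator $sep"; return 1 ;;
    esac
}

# Constructed sample files: an smb.conf with no separator line (so the default
# applies) and the helper line quoted in the thread.
demo() {
    d=$(mktemp -d)
    printf '[global]\n   workgroup = KIGM\n' > "$d/smb.conf"
    printf '%s\n' 'ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIGM+PPTP"' > "$d/pptp-options"
    check_membership_separator "$d/smb.conf" "$d/pptp-options"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```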



