[Samba] NTLM_AUTH failing?

Rowland Penny rowlandpenny241155 at gmail.com
Wed Oct 28 18:24:00 UTC 2015


On 28/10/15 18:10, Ryan Ashley wrote:
> That is client setup. We have that under control. Our Linux users use
> Network Manager to connect and our Windows users use the stuff built
> into Windows. My problem is server-side. The server is a PPTP VPN
> (running via pptpd) and I have to add the lines below to make it work.
>
> plugin winbind.so
> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
>
> Now, that allows ALL domain users to connect. We only want users in the
> "PPTP" domain group to use the VPN, so we do this instead.
>
> plugin winbind.so
> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of=KIGM\\PPTP"
>
> The issue is that ntlm_auth does not see that as a string and it won't
> work. I cannot use quotes because the parameters are quoted, so I am stuck.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 10/28/2015 10:06 AM, Rowland Penny wrote:
>> On 28/10/15 13:45, Ryan Ashley wrote:
>>> Thank you, Rowland. I will be going by this afternoon and I will check.
>>> The thing is, if it IS "\", how do I enter that into the pptp-options
>>> file? The entire list of parameters are in quotes, so do I need a
>>> double-backslash or anything?
>>>
>>> Lead IT/IS Specialist
>>> Reach Technology FP, Inc
>>>
>>> On 10/27/2015 05:21 PM, Rowland Penny wrote:
>>>> On 27/10/15 21:05, Ryan Ashley wrote:
>>>>> I am not sure how to determine the separator,
>>>> The separator is easy to establish, do you have a line in smb.conf
>>>> that starts 'winbind separator =' , if you do, then whatever is after
>>>> the '=' is the separator, if you haven't got the line, then you are
>>>> using the default '\'
>>>>
>>>> Rowland
>>>>
>>>>> but 'which' shows
>>>>> "/usr/bin/ntlm_auth". I already ran it while on-site. Since it is
>>>>> broken, I cannot remote in. I will have to show up on-site again,
>>>>> possibly Thursday.
>>>>>
>>>>> Lead IT/IS Specialist
>>>>> Reach Technology FP, Inc
>>>>>
>>>>> On 10/27/2015 01:41 PM, Michael Wandel wrote:
>>>>>> Hey,
>>>>>>
>>>>>> On 27.10.2015 17:53, Ryan Ashley wrote:
>>>>>>> I'm setting up a PPTP VPN server on a client domain and am having
>>>>>>> an odd
>>>>>>> issue. If I run ntlm_auth on the command-line, it works as expected.
>>>>>>> However, if I run it with my PPTP server, it denies access to every
>>>>>>> user. MY setup is that I have a few AD users in an AD group named
>>>>>>> "PPTP". I have the following in my pptp-options file. The server is
>>>>>>> Debian Squeeze 64bit.
>>>>>>>
>>>>>>> name vpn01
>>>>>>> domain kigm.local
>>>>>>> refuse-pap
>>>>>>> refuse-chap
>>>>>>> refuse-mschap
>>>>>>> require-mschap-v2
>>>>>>> require-mppe-128
>>>>>>> ms-dns 192.168.0.1
>>>>>>> ms-dns 192.168.0.2
>>>>>>> proxyarp
>>>>>>> nodefaultroute
>>>>>>> lock
>>>>>>> nobsdcomp
>>>>>>> plugin winbind.so
>>>>>>> ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>>>>>> --require-membership-of=KIGM+PPTP"
>>>>>>>
>>>>>>> This domain is scheduled to be rebuilt next year to get rid of any
>>>>>>> ".local" issues. It also means we upgrade to Gentoo DNU/Linux (no
>>>>>>> systemd, unlike the latest Debian) and will have much newer
>>>>>>> software.
>>>>>>> However, we have new needs now which require remote access for
>>>>>>> three people.
>>>>>>>
>>>>>>> If I remove the helper protocol option I get an actual "Access
>>>>>>> denied"
>>>>>>> message in my client log. If I leave it in there, it times out and
>>>>>>> I get
>>>>>>> an error about LCP negotiation timing out. If I use the helper
>>>>>>> option on
>>>>>>> the command-line, it hangs. If not, it works perfectly.
>>>>>>>
>>>>>>> ntlm_auth --require-membership-of="KIGM\PPTP" --username=<domain
>>>>>>> username>
>>>>>>>
>>>>>> Which winbind separator you are using "\" or "+" ?
>>>>>>
>>>>>> What is the output of :
>>>>>>
>>>>>> which ntlm_auth
>>>>>>
>>>>>> best regards
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>> The above works. Users in the PPTP group return 0 (success) and
>>>>>>> others
>>>>>>> return an error. Why won't it work with pptpd? Note that the VPN
>>>>>>> server is
>>>>>>> separate from the domain controllers. All of the domain accounts
>>>>>>> and groups
>>>>>>> resolve on the VPN server.
>>>>>>>
>> This might help:
>> https://wiki.archlinux.org/index.php/PPTP_VPN_client_setup_with_pptpclient
>>
>> Rowland
>>
>>
>

How about single quotes ? i.e.

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='KIGM\\PPTP'"


Rowland
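Added illustration, not code from this thread or from the Samba or pppd projects: a small Python model of the two quoting layers the `ntlm_auth-helper` value passes through, so you can see which group string ntlm_auth finally receives for each variant discussed above and check it against the `winbind separator` from smb.conf. It assumes pppd's options parser honours backslash escapes inside quoted words and that pppd's winbind plugin hands the helper string to `/bin/sh -c`; verify both against your pppd version.

```python
import shlex

# Constructed option lines, mirroring the three variants in the thread.
HELPER = "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="
CANDIDATES = {
    "plus":          'ntlm_auth-helper "' + HELPER + 'KIGM+PPTP"',          # '+' separator
    "double-bs":     'ntlm_auth-helper "' + HELPER + r'KIGM\\PPTP"',        # escaped backslash only
    "single-quoted": 'ntlm_auth-helper "' + HELPER + r"'KIGM\\PPTP'" + '"',  # inner single quotes
}


def pppd_words(line):
    """Simplified model of pppd's options-file word splitting (assumption):
    whitespace separates words, single or double quotes group, and a backslash
    escapes the next character everywhere, inside quotes as well."""
    words, cur, quote, escape, in_word = [], [], None, False, False
    for ch in line:
        if escape:
            cur.append(ch); escape = False; in_word = True
        elif ch == "\\":
            escape = True; in_word = True
        elif quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote = ch; in_word = True
        elif ch.isspace():
            if in_word:
                words.append("".join(cur)); cur = []; in_word = False
        else:
            cur.append(ch); in_word = True
    if in_word:
        words.append("".join(cur))
    return words


def group_seen_by_ntlm_auth(option_line):
    """Group value ntlm_auth receives after pppd parsing and shell splitting
    (assumption: the winbind plugin runs the helper string via /bin/sh -c)."""
    words = pppd_words(option_line)
    if len(words) != 2 or words[0] != "ntlm_auth-helper":
        raise ValueError('expected: ntlm_auth-helper "<command>"')
    for arg in shlex.split(words[1], posix=True):
        if arg.startswith("--require-membership-of="):
            return arg.split("=", 1)[1]
    return None


def matches_separator(group, separator="\\"):
    """True when group is DOMAIN<sep>GROUP for the configured winbind separator."""
    dom, sep, grp = group.partition(separator)
    return bool(dom and sep and grp)


if __name__ == "__main__":
    for name, line in CANDIDATES.items():
        g = group_seen_by_ntlm_auth(line)
        print(f"{name:14s} -> ntlm_auth sees {g!r}, valid with default '\\\\': {matches_separator(g)}")
```

With the default separator only the single-quoted form delivers `KIGM\PPTP` intact; the unquoted `\\` form loses its backslash to the shell, and the `+` form is only right when smb.conf sets `winbind separator = +`.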
