On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote:
> On 09/09/10 13:57, Andrew Bartlett wrote:
> > On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> >> I have a linux firewall using winbind to authenticate users coming in
> >> with PPTP. It all seemed to work OK at first. After a while I noticed
> >> that authentication was denied to users who had previously (as in less
> >> than a day) authenticated successfully. After a day or so of fighting
> >> with this setup, I found that restarting winbindd will allow users to
> >> authenticate successfully again. This happens with both the built-in
> >> windows PPTP VPN client, and pppd as a client under linux.
> >>
> >> What happens is:
> >>
> >> - restart winbind
> >> - authenticate a user
> >> - close pptp connection
> >> - a few minutes (seems like around 10) after a first (or several)
> >> successful authentication, I get the following ppp trace on the client
> >> side:
> >>
> >> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name = "pptpd"]
> >> sent [CHAP Response id=0x8b <95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>, name = "xxxxx"]
> >> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted"]
> >> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> >> F8673CADD4286B742EF0C39036393650701D0A60
> >> MS-CHAPv2 mutual authentication failed.
> >> CHAP authentication failed
> >> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
> >>
> >> In other words, the ntlm-auth helper and AD server say OK, but the
> >> hashes aren't equal, which causes ppp to say "mutual authentication
> >> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
> >> hashes.
> >>
> >> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
> >> (tried all of them) on an x86_64 gentoo box.
> >
> > Try with the latest GIT tree. We finally fixed a bug which caused this
> > kind of breakage. (We returned the wrong session key, which is why the
> > server thinks this is OK, but the client isn't impressed).
>
> Thanks for your reply.
>
> I have to get this onto a box on the other end of a 512kbps line with a
> bandwidth cap, so I'd prefer not to clone the entire repository. Would
> the v3-6-stable head have the fix?
I would have said that v3-6-test should have it. I don't know about
v3-6-stable, sorry.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
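What the client is actually checking when it prints "MS-CHAPv2 mutual authentication failed", as an added example (not code from the thread, Samba or pppd): the RFC 2759 authenticator response is recomputed from the 16-byte HashNtPasswordHash value (the key material the authenticating helper supplies), the peer challenge and NT-Response are split out of the CHAP Response value captured in the trace, and a server that derives its S= value from a different key is rejected exactly as in the thread. The username b"xxxxx" (masked in the trace) and both 16-byte keys are constructed values.

```python
import hashlib
import hmac

# Constants from RFC 2759, section 8.7 (GenerateAuthenticatorResponse).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

# CHAP Response value from the trace: PeerChallenge(16) | Reserved(8) | NT-Response(24) | Flags(1)
TRACE_RESPONSE = bytes.fromhex(
    "95c9d3a1061299d9ca4874659c37f1720000000000000000"
    "161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900")
TRACE_AUTH_CHALLENGE = bytes.fromhex("8b7f80d136cce1a774e888a0d4e83bbc")

def split_response(value: bytes) -> tuple[bytes, bytes]:
    """Split a 49-byte MS-CHAPv2 Response value (RFC 2759, section 4) into (PeerChallenge, NT-Response)."""
    if len(value) != 49:
        raise ValueError("MS-CHAPv2 Response value must be 49 bytes")
    return value[:16], value[24:48]

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]

def authenticator_response(pw_hash_hash: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: bytes) -> str:
    """RFC 2759 GenerateAuthenticatorResponse from the 16-byte HashNtPasswordHash output onward,
    which is the key material the helper hands the PPP server, so no MD4 step is needed here."""
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge_hash(peer_challenge, auth_challenge, username) + MAGIC2).digest()
    return "S=" + digest.hex().upper()

def client_accepts(success_message: str, expected: str) -> bool:
    """Client-side mutual authentication: the single 'S=' token in the CHAP Success message must
    equal the value the client computed itself. Constant-time compare, no early exit."""
    tokens = [t for t in success_message.split() if t.startswith("S=") and len(t) == 42]
    return len(tokens) == 1 and hmac.compare_digest(tokens[0], expected)

def demo(server_key: bytes, client_key: bytes) -> bool:
    """Reproduce the thread's symptom: server and client build S= from different keys -> reject."""
    peer_challenge, nt_response = split_response(TRACE_RESPONSE)
    username = b"xxxxx"  # constructed: the client name is masked in the trace
    expected = authenticator_response(client_key, nt_response, peer_challenge, TRACE_AUTH_CHALLENGE, username)
    server_says = authenticator_response(server_key, nt_response, peer_challenge, TRACE_AUTH_CHALLENGE, username)
    return client_accepts(server_says + " M=Access granted", expected)

if __name__ == "__main__":
    key = bytes(16)  # constructed: the HashNtPasswordHash value the client derives from its password
    print("same key:", demo(key, key))                        # True: mutual authentication succeeds
    print("wrong key:", demo(bytes([1]) + bytes(15), key))    # False: the client tears the link down
```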
