On 09/09/10 16:24, Guenther Deschner wrote:
On Thu, Sep 09, 2010 at 11:12:52PM +1000, Andrew Bartlett wrote:
On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote:
On 09/09/10 13:57, Andrew Bartlett wrote:
On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
I have a linux firewall using winbind to authenticate users coming in
with PPTP. It all seemed to work OK at first. After a while I noticed
that authentication was denied to users who had previously (as in less
than a day) authenticated successfully. After a day or so of fighting
with this setup, I found that restarting winbindd will allow users to
authenticate successfully again. This happens with both the built-in
windows PPTP VPN client, and pppd as a client under linux.
What happens is:
- restart winbind
- authenticate a user
- close pptp connection
- a few minutes (seems like around 10) after a first (or several)
successful authentication, I get the following ppp trace on the client side:
rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
"pptpd"]
sent [CHAP Response id=0x8b
<95c9d3a1061299d9ca4874659c37f1720000000000000000161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
name = "xxxxx"]
rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
M=Access granted"]
5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
F8673CADD4286B742EF0C39036393650701D0A60
MS-CHAPv2 mutual authentication failed.
CHAP authentication failed
sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
In other words, the ntlm-auth helper and AD server says OK, but the
hashes aren't equal, which causes ppp to say "mutual authentication
failed". I hacked the ppp sources (chap_ms.c) gently to output the two
hashes.
I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
(tried all of them) on an x86_64 gentoo box.

Try with the latest GIT tree. We finally fixed a bug which caused this
kind of breakage. (We returned the wrong session key, which is why the
server thinks this is OK, but the client isn't impressed).

Thanks for your reply.
I have to get this onto a box on the other end of a 512kbps line with a
bandwidth cap, so I'd prefer not to clone the entire repository. Would
the v3-6-stable head have the fix?

I would have said that v3-6-test should have it. I don't know about
v3-6-stable, sorry.

all branches have the fix now, you could also individually apply the fix
mentioned in https://bugzilla.samba.org/show_bug.cgi?id=7568.

Sheesh. I spent two days asking google for help on this issue and I
never found that bug report. Oh right. That's because I was looking for
"MS-CHAPv2 mutual authentication failed". Which isn't in that bug report
because it's coming from a different perspective.

We got reports that this resolves exactly that issue.

I installed v3-6-stable (I think that's the same as 3.6.0pre1 right
now), and I'm able to successfully authenticate repeatedly, beyond the
10 minutes which seemed to be the point where it stopped working
previously. So here's another report that it resolves the issue.
bye
John
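As an added illustration (not code from this thread, nor from Samba or ppp), here is the check pppd performs before it prints "MS-CHAPv2 mutual authentication failed": the client recomputes the server's "S=" authenticator response (RFC 2759) from its own NT hash, the NT-Response and both challenges, and compares it with the value received in CHAP Success. The challenge and response bytes are taken from the trace quoted above; the user name and password were redacted there, so `jdoe` and `Passw0rd!` are constructed placeholders, and a server deriving S= from a different key is shown producing the mismatch the thread describes.

```python
import hashlib, struct

# Payloads copied from the ppp trace quoted in the thread (CHAP Challenge / CHAP Response).
AUTH_CHALLENGE = bytes.fromhex("8b7f80d136cce1a774e888a0d4e83bbc")
CHAP_RESPONSE = bytes.fromhex(
    "95c9d3a1061299d9ca4874659c37f172" "0000000000000000"
    "161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd49" "00")
MAGIC1 = b"Magic server to client signing constant"      # RFC 2759 section 8.7
MAGIC2 = b"Pad to make it do more than one iteration"

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, lambda i: i, (3, 7, 11, 19), 0),
              (G, lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13), 0x5A827999),
              (H, lambda i: (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i], (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, s, add in rounds:
            for i in range(16):  # one step, then rotate the working variables
                a = rol((a + f(b, c, d) + X[k(i)] + add) & 0xFFFFFFFF, s[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def split_chap_response(resp: bytes):
    # MS-CHAPv2 Response value: 16B peer challenge, 8B reserved, 24B NT-Response, 1B flags
    return resp[:16], resp[24:48]

def authenticator_response(nt_hash, nt_response, peer_challenge, auth_challenge, username):
    """RFC 2759 GenerateAuthenticatorResponse: the 'S=' string carried in CHAP Success."""
    challenge = hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]
    digest = hashlib.sha1(md4(nt_hash) + nt_response + MAGIC1).digest()
    return "S=" + hashlib.sha1(digest + challenge + MAGIC2).hexdigest().upper()

if __name__ == "__main__":
    peer, nt_resp = split_chap_response(CHAP_RESPONSE)
    user, nt_hash = "jdoe", nt_password_hash("Passw0rd!")  # constructed: redacted in the thread
    client = authenticator_response(nt_hash, nt_resp, peer, AUTH_CHALLENGE, user)
    # A server deriving S= from the wrong key yields a different value, which pppd rejects.
    server = authenticator_response(nt_password_hash("wrong-key"), nt_resp, peer, AUTH_CHALLENGE, user)
    print(client, server, "mutual auth OK" if client == server else "MS-CHAPv2 mutual authentication failed")
```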
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba