Bug 6522 - pppd winbind plugin do not work with new winbind
Summary: pppd winbind plugin do not work with new winbind
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind
Version: 3.3.4
Hardware: x86 Linux
Importance: P3 major
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 7900
Depends on:
Blocks:
 
Reported: 2009-06-30 08:42 UTC by Vladimir Lettiev
Modified: 2017-01-03 00:38 UTC (History)
Attachments
Config and Log from Lenny and Squeeze (13.99 KB, text/x-log)
2010-06-21 10:06 UTC, Robert LeBlanc

Description Vladimir Lettiev 2009-06-30 08:42:04 UTC
There is a system with Debian Lenny as a dial-in server.
pppd uses the winbind.so plugin for authentication against AD (/etc/ppp/options):
...
require-mschap-v2
require-mppe-128
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
...

winbind is configured as a member of an AD domain and works fine.

XP/Vista dial-in clients disconnect with this error after a successful authentication:

"Error 778: It was not possible to verify the identity of the server"

pppd log:
...
sent [CHAP Challenge id=0xb6 <fad6402e54549963ba95b8a601b247e1>, name = "SERVER"]
rcvd [LCP Ident id=0x4 magic=0x4b183c95 "MSRASV5.10"]
rcvd [LCP Ident id=0x5 magic=0x4b183c95 "MSRAS-0-CLIENT"]
rcvd [LCP EchoRep id=0x0 magic=0x4b183c95]
rcvd [CHAP Response id=0xb6 <8398d101f626eedb1df5bb9e7f8dddf80000000000000000abf28b770748f4e622fe77e7466a789487e60ed29b83bf7c00>, name = "domain\\user"]
sent [CHAP Success id=0xb6 "S=9B12ED6F2BBDE806EFC3FC9947D848C7F4226266 M=Access granted"]
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [LCP TermReq id=0x6 "K\030<\37777777625\000<\37777777715t\000\000\003\n"]
LCP terminated by peer (K^X<M-^U^@<M-Mt^@^@^C^J)
...


I have found the same issue here, but it was fixed in 3.2.1: http://www.nabble.com/samba-3.2-breaks-ppp-winbind-plugin-td18715806.html

I have tried these versions of Samba: 3.2.5-4lenny6 (in lenny) and 3.3.4-1~bpo50+2 (in backports), but without success.


I also tried to configure a RADIUS server with AD integration (http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO) and use the pppd radius plugin, but with the same negative result from clients: Error 778.
Comment 1 Vladimir Lettiev 2009-07-01 01:55:43 UTC
Today I came back to work and discovered that the problem had disappeared: the dial-up client can connect. But when the winbind service was restarted, the problem came back again :(

I also tried to dial up from a Linux box. The client pppd returned this error:
...
rcvd [CHAP Success id=0x9f "S=36CCDA5954D68F37A3A1B58651BFB3B6237026C2 M=Access granted"]
MS-CHAPv2 mutual authentication failed.
CHAP authentication failed
sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
...

The symptoms of failure are the same as in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518229, but in my case winbind needs some time (several hours?) to self-repair.
Comment 2 Vladimir Lettiev 2009-07-05 16:38:50 UTC
Downgrading to 3.0.35 solved the problem.
Comment 3 David Herselman 2010-05-20 05:11:31 UTC
I can confirm that this problem causes intermittent problems with a Windows 2008 domain (domain functional level raised to 'Windows Server 2008').

NB: Users can eventually connect if they try enough times.

Also using winbind for Squid NTLM authentication which is working perfectly.

Running Samba 3.3.12 with pptpd 1.3.4-1.rhel5.1
Comment 4 Robert LeBlanc 2010-06-03 15:34:52 UTC
I am experiencing the problem as well. We are running winbindd 3.4.8 (Debian Squeeze) and I've also tried 3.5.3 (Squeeze base with samba and winbind from Debian Experimental); both are showing the same problem: the client cannot authenticate the server. The client is sending back garbage after it gets the 'access granted' message. The same config works fine with chap_secrets and disabling winbind:

Jun  2 16:56:05 debian pppd[17472]: pppd 2.4.4 started by root, uid 0
Jun  2 16:56:05 debian pppd[17472]: using channel 17
Jun  2 16:56:05 debian pppd[17472]: Using interface ppp0
Jun  2 16:56:05 debian pppd[17472]: Connect: ppp0 <--> /dev/pts/2
Jun  2 16:56:05 debian pppd[17472]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa2912b7> <pcomp> <accomp>]
Jun  2 16:56:05 debian pptpd[17470]: GRE: Bad checksum from pppd.
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x648b71fd> <pcomp> <accomp> <callback CBCP>]
Jun  2 16:56:05 debian pppd[17472]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa2912b7> <pcomp> <accomp>]
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x648b71fd> <pcomp> <accomp>]
Jun  2 16:56:05 debian pppd[17472]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x648b71fd> <pcomp> <accomp>]
Jun  2 16:56:05 debian pppd[17472]: sent [LCP EchoReq id=0x0 magic=0xa2912b7]
Jun  2 16:56:05 debian pppd[17472]: sent [CHAP Challenge id=0x75 <d33a4de16233bb406c42b02c9801acd4>, name = "debian"]
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x2 magic=0x648b71fd "MSRASV5.10"]
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x3 magic=0x648b71fd "MSRAS-0-WINCOMP"]
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP EchoRep id=0x0 magic=0x648b71fd]
Jun  2 16:56:05 debian pppd[17472]: rcvd [CHAP Response id=0x75 <69dbcaab0e152ea056654a46c4ca7bae00000000000000006d7bcc32ef97cfafde7c34570aaa0c55e83b8475da22923300>, name = "DOMAIN\\user"]
Jun  2 16:56:05 debian pptpd[17470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jun  2 16:56:05 debian pppd[17472]: sent [CHAP Success id=0x75 "S=B68D646C4DC626290C5BCD1148AE833C004B1E70 M=Access granted"]
Jun  2 16:56:05 debian pppd[17472]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP TermReq id=0x4 "d\37777777613q\37777777775\000<\37777777715t\000\000\003\n"]
Jun  2 16:56:05 debian pppd[17472]: LCP terminated by peer (dM-^KqM-}^@<M-Mt^@^@^C^J)
Jun  2 16:56:05 debian pppd[17472]: sent [LCP TermAck id=0x4]
Jun  2 16:56:05 debian pptpd[17470]: CTRL: Reaping child PPP[17472]
Jun  2 16:56:05 debian pppd[17472]: Modem hangup
Jun  2 16:56:05 debian pppd[17472]: Connection terminated.
Jun  2 16:56:05 debian pppd[17472]: Connect time 0.0 minutes.
Jun  2 16:56:05 debian pppd[17472]: Sent 10 bytes, received 0 bytes.
Jun  2 16:56:06 debian pppd[17472]: Exit.
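
A log check for the failure signature shown in the logs above (CHAP Success sent, then an LCP TermReq from the peer before any CCP/IPCP packet arrives), as an added example that is not part of the original report. The function name and the sample lines are constructed for illustration, and the check assumes syslog-format pppd debug output like the excerpt above.

```python
import re

# Matches the "sent [PROTO Code ..." / "rcvd [PROTO Code ..." summaries that
# pppd writes with the debug option; pptpd lines do not match "pppd[".
PKT = re.compile(r"pppd\[(\d+)\]: (sent|rcvd) \[(\w+) (\w+)")

def find_rejected_success(lines):
    """Return PIDs of pppd sessions where the peer terminated the link after
    we sent CHAP Success and before it sent any CCP/IPCP packet, i.e. the
    peer did not accept the server's MS-CHAPv2 authenticator response."""
    awaiting = set()   # sessions that sent CHAP Success, peer not yet moved on
    flagged = []
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        pid, direction, proto, code = m.groups()
        if direction == "sent" and (proto, code) == ("CHAP", "Success"):
            awaiting.add(pid)
        elif direction == "rcvd" and pid in awaiting:
            if (proto, code) == ("LCP", "TermReq"):
                flagged.append(pid)
                awaiting.discard(pid)
            elif proto != "LCP":
                # Peer started CCP/IPCP negotiation: it accepted our response.
                awaiting.discard(pid)
    return flagged

# Constructed sample: session 1001 fails like the report, 1002 is healthy.
SAMPLE = [
    'Jan  1 10:00:00 gw pppd[1001]: sent [CHAP Challenge id=0x01 <00>, name = "gw"]',
    'Jan  1 10:00:00 gw pppd[1001]: rcvd [CHAP Response id=0x01 <00>, name = "user"]',
    'Jan  1 10:00:00 gw pptpd[1000]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!',
    'Jan  1 10:00:00 gw pppd[1001]: sent [CHAP Success id=0x01 "S=00 M=Access granted"]',
    'Jan  1 10:00:00 gw pppd[1001]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]',
    'Jan  1 10:00:00 gw pppd[1001]: rcvd [LCP TermReq id=0x4 "x"]',
    'Jan  1 10:05:00 gw pppd[1002]: sent [CHAP Success id=0x02 "S=00 M=Access granted"]',
    'Jan  1 10:05:00 gw pppd[1002]: rcvd [LCP EchoRep id=0x0 magic=0x1]',
    'Jan  1 10:05:00 gw pppd[1002]: rcvd [CCP ConfReq id=0x5 <mppe +H -M +S -L -D -C>]',
    'Jan  1 10:30:00 gw pppd[1002]: rcvd [LCP TermReq id=0x6 "User request"]',
]

if __name__ == "__main__":
    print(find_rejected_success(SAMPLE))
```
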
Comment 5 Guenther Deschner 2010-06-21 09:14:25 UTC
Tried very hard to reproduce this but cannot.

I was trying MSCHAPV2 pptp login from Windows XP SP3 to a pptpd / ppp / winbind plugin combo using samba 3.0.33, 3.3.8, 3.3.12, 3.4.8 and master winbind that was asking a w2k8 AD domain controller to verify credentials and it just worked for me.

Can someone with a clear reproducer please upload all config / logfiles involved?
Comment 6 Robert LeBlanc 2010-06-21 10:06:44 UTC
Created attachment 5802
Config and Log from Lenny and Squeeze

Here is the config and logs from a working Lenny install, and the config and logs from a failing Squeeze install. All software is the same version, only kernel is different.
Comment 7 Robert LeBlanc 2010-06-21 10:07:01 UTC
I'm not sure if this is helpful, if it is not, please let me know what else I can provide. I'm running pptpd on a Debian Lenny machine with Winbind 3.4.8 from lenny-backports and it works perfectly, however on my Debian Squeeze machine with Winbind 3.4.8, it doesn't work. Both machines are running the same version of pppd (2.4.4) and pptpd (1.3.4). Lenny is running "Linux lsweb 2.6.26-2-amd64 #1 SMP Wed May 12 18:03:14 UTC 2010 x86_64 GNU/Linux" and Squeeze is running "Linux lsweb2 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64 GNU/Linux"
Comment 8 Guenther Deschner 2010-08-10 06:27:08 UTC
Do you have a chance to test the patch provided in 
https://bugzilla.samba.org/show_bug.cgi?id=7568 ?

I am convinced it will resolve this issue as well.
Comment 9 Hank Hampel 2010-08-23 11:38:31 UTC
I was experiencing the same problems with winbind 3.3.8 from CentOS 5.5 (patch level 52). After manually applying the patch from https://bugzilla.samba.org/show_bug.cgi?id=7568 everything works fine again (for some days now). So that seems to be the correct solution to this bug as well.

Is there any chance that this patch is going to be included in the 3.3 version of samba?
Comment 10 Guenther Deschner 2010-08-23 13:27:18 UTC
(In reply to comment #9)
> I was experiencing the same problems with winbind 3.3.8 from CentOS 5.5 (patch
> level 52). After manually applying the patch from
> https://bugzilla.samba.org/show_bug.cgi?id=7568 everything works fine again
> (for some days now). So that seems to be the correct solution to this bug as
> well.

Thanks a lot for testing!

> 
> Is there any chance that this patch is going to be included in the 3.3 version
> of samba?

Sorry, Samba 3.3 is unfortunately no longer actively maintained. Only security fixes will go into a next 3.3.x release. 
See http://wiki.samba.org/index.php/Release_Planning_for_Samba_3.3

You should contact your vendor so they can add this fix and provide new packages.
Comment 11 Kai Blin 2011-01-07 05:31:43 UTC
*** Bug 7900 has been marked as a duplicate of this bug. ***
Comment 13 Andrew Bartlett 2017-01-03 00:38:19 UTC
(In reply to Hank Hampel from comment #9)

Marking as fixed per your comment.  As per GD, we only apply fixes to supported versions.