There is a system with Debian lenny as a dial-in server. pppd uses the winbind.so plugin for authentication against AD (/etc/ppp/options):

...
require-mschap-v2
require-mppe-128
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
...

winbind is configured as a member of an AD domain and works fine. XP/Vista dial-in clients disconnect with this error after a successful authentication: "Error 778: It was not possible to verify the identity of the server"

pppd log:

...
sent [CHAP Challenge id=0xb6 <fad6402e54549963ba95b8a601b247e1>, name = "SERVER"]
rcvd [LCP Ident id=0x4 magic=0x4b183c95 "MSRASV5.10"]
rcvd [LCP Ident id=0x5 magic=0x4b183c95 "MSRAS-0-CLIENT"]
rcvd [LCP EchoRep id=0x0 magic=0x4b183c95]
rcvd [CHAP Response id=0xb6 <8398d101f626eedb1df5bb9e7f8dddf80000000000000000abf28b770748f4e622fe77e7466a789487e60ed29b83bf7c00>, name = "domain\\user"]
sent [CHAP Success id=0xb6 "S=9B12ED6F2BBDE806EFC3FC9947D848C7F4226266 M=Access granted"]
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [LCP TermReq id=0x6 "K\030<\37777777625\000<\37777777715t\000\000\003\n"]
LCP terminated by peer (K^X<M-^U^@<M-Mt^@^@^C^J)
...

I have found the same issue here, but it was fixed in 3.2.1: http://www.nabble.com/samba-3.2-breaks-ppp-winbind-plugin-td18715806.html

I have tried these versions of samba: 3.2.5-4lenny6 (in lenny), 3.3.4-1~bpo50+2 (in backports), but without success. I also tried to configure a radius server with AD integration (http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO) and use the pppd radius plugin. But with the same negative result from clients: Error 778.
Today I came back to work and discovered that the problem had disappeared: the dial-up client can connect. But when the winbind service was restarted, the problem came back again :( I also tried to dial up from a Linux box. The client pppd returned this error:

...
rcvd [CHAP Success id=0x9f "S=36CCDA5954D68F37A3A1B58651BFB3B6237026C2 M=Access granted"]
MS-CHAPv2 mutual authentication failed.
CHAP authentication failed
sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
...

The symptoms of failure are the same as in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518229, but in my case winbind needs some time (several hours?) to self-repair.
Downgrade to 3.0.35 solved the problem.
I can confirm that this problem causes intermittent problems with a Windows 2008 domain (domain functional level raised to 'Windows Server 2008'). NB: Users can eventually connect if they try enough times. Also using winbind for Squid NTLM authentication, which is working perfectly. Running Samba 3.3.12 with pptpd 1.3.4-1.rhel5.1
I am experiencing the problem as well. We are running winbindd 3.4.8 (Debian Squeeze) and I've also tried 3.5.3 (Squeeze base with samba and winbind from Debian Experimental), both are showing the same problem, client can not authenticate server. The client is sending back garbage after it gets the 'access granted' message. The same config works fine with chap_secrets and disabling winbind:

Jun 2 16:56:05 debian pppd[17472]: pppd 2.4.4 started by root, uid 0
Jun 2 16:56:05 debian pppd[17472]: using channel 17
Jun 2 16:56:05 debian pppd[17472]: Using interface ppp0
Jun 2 16:56:05 debian pppd[17472]: Connect: ppp0 <--> /dev/pts/2
Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa2912b7> <pcomp> <accomp>]
Jun 2 16:56:05 debian pptpd[17470]: GRE: Bad checksum from pppd.
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x648b71fd> <pcomp> <accomp> <callback CBCP>]
Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xa2912b7> <pcomp> <accomp>]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x648b71fd> <pcomp> <accomp>]
Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x648b71fd> <pcomp> <accomp>]
Jun 2 16:56:05 debian pppd[17472]: sent [LCP EchoReq id=0x0 magic=0xa2912b7]
Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Challenge id=0x75 <d33a4de16233bb406c42b02c9801acd4>, name = "debian"]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x2 magic=0x648b71fd "MSRASV5.10"]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x3 magic=0x648b71fd "MSRAS-0-WINCOMP"]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP EchoRep id=0x0 magic=0x648b71fd]
Jun 2 16:56:05 debian pppd[17472]: rcvd [CHAP Response id=0x75 <69dbcaab0e152ea056654a46c4ca7bae00000000000000006d7bcc32ef97cfafde7c34570aaa0c55e83b8475da22923300>, name = "DOMAIN\\user"]
Jun 2 16:56:05 debian pptpd[17470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Success id=0x75 "S=B68D646C4DC626290C5BCD1148AE833C004B1E70 M=Access granted"]
Jun 2 16:56:05 debian pppd[17472]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP TermReq id=0x4 "d\37777777613q\37777777775\000<\37777777715t\000\000\003\n"]
Jun 2 16:56:05 debian pppd[17472]: LCP terminated by peer (dM-^KqM-}^@<M-Mt^@^@^C^J)
Jun 2 16:56:05 debian pppd[17472]: sent [LCP TermAck id=0x4]
Jun 2 16:56:05 debian pptpd[17470]: CTRL: Reaping child PPP[17472]
Jun 2 16:56:05 debian pppd[17472]: Modem hangup
Jun 2 16:56:05 debian pppd[17472]: Connection terminated.
Jun 2 16:56:05 debian pppd[17472]: Connect time 0.0 minutes.
Jun 2 16:56:05 debian pppd[17472]: Sent 10 bytes, received 0 bytes.
Jun 2 16:56:06 debian pppd[17472]: Exit.
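A log check for the failure signature visible in the pppd debug output above: the server sends CHAP Success and the peer answers with LCP TermReq before sending any CCP/IPCP traffic. This is an added example, not part of the original bug report; the function name, the pids and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the syslog format quoted above; hex values are placeholders.
# pid 2001 shows the failure, pid 2002 is a made-up healthy session for contrast.
SAMPLE_LOG = r"""
Jun  2 16:56:05 debian pppd[2001]: rcvd [CHAP Response id=0x75 <aa00>, name = "DOMAIN\\user"]
Jun  2 16:56:05 debian pppd[2001]: sent [CHAP Success id=0x75 "S=AA00 M=Access granted"]
Jun  2 16:56:05 debian pppd[2001]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Jun  2 16:56:05 debian pppd[2001]: rcvd [LCP TermReq id=0x4 "..."]
Jun  2 17:10:11 debian pppd[2002]: rcvd [CHAP Response id=0x12 <bb00>, name = "DOMAIN\\other"]
Jun  2 17:10:11 debian pppd[2002]: sent [CHAP Success id=0x12 "S=BB00 M=Access granted"]
Jun  2 17:10:11 debian pppd[2002]: rcvd [CCP ConfReq id=0x5 <mppe +H -M +S -L -D -C>]
Jun  2 17:10:12 debian pppd[2002]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0>]
Jun  2 17:25:40 debian pppd[2002]: rcvd [LCP TermReq id=0x9 "User request"]
"""

# pppd debug lines look like: pppd[PID]: sent|rcvd [PROTO MESSAGE rest...]
LINE = re.compile(r'pppd\[(\d+)\]: (sent|rcvd) \[(\S+) (\S+)(.*)\]\s*$')
NAME = re.compile(r'name = "([^"]*)"')

def find_rejected_authenticators(log_text):
    """Return [(pid, user)] for sessions where the peer terminated the link
    directly after our CHAP Success, i.e. before any CCP/IPCP packet from it."""
    state, user, hits = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # non-pppd lines and pppd status messages
        pid, direction, proto, msg, rest = m.groups()
        event = (direction, proto, msg)
        if event == ("rcvd", "CHAP", "Response"):
            n = NAME.search(rest)
            user[pid] = n.group(1) if n else "?"
        elif event == ("sent", "CHAP", "Success"):
            state[pid] = "authed"
        elif direction == "rcvd" and proto in ("CCP", "IPCP") and state.get(pid) == "authed":
            state[pid] = "accepted"  # peer moved on to the next phase
        elif event == ("rcvd", "LCP", "TermReq") and state.get(pid) == "authed":
            hits.append((pid, user.get(pid, "?")))
            state[pid] = "rejected"
    return hits

if __name__ == "__main__":
    for pid, name in find_rejected_authenticators(SAMPLE_LOG):
        print(f"pppd[{pid}]: peer dropped link right after CHAP Success (user {name})")
```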
Tried very hard to reproduce this but cannot. I was trying MSCHAPV2 pptp login from Windows XP SP3 to a pptpd / ppp / winbind plugin combo using samba 3.0.33, 3.3.8, 3.3.12, 3.4.8 and master winbind that was asking a w2k8 AD domain controller to verify credentials and it just worked for me. Can someone with a clear reproducer please upload all config / logfiles involved ?
Created attachment 5802
Config and Log from Lenny and Squeeze

Here is the config and logs from a working Lenny install, and the config and logs from a failing Squeeze install. All software is the same version, only kernel is different.
I'm not sure if this is helpful, if it is not, please let me know what else I can provide. I'm running pptpd on a Debian Lenny machine with Winbind 3.4.8 from lenny-backports and it works perfectly, however on my Debian Squeeze machine with Winbind 3.4.8, it doesn't work. Both machines are running the same version of pppd (2.4.4) and pptpd (1.3.4). Lenny is running "Linux lsweb 2.6.26-2-amd64 #1 SMP Wed May 12 18:03:14 UTC 2010 x86_64 GNU/Linux" and Squeeze is running "Linux lsweb2 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64 GNU/Linux"
Do you have a chance to test the patch provided in https://bugzilla.samba.org/show_bug.cgi?id=7568 ? I am convinced it will resolve this issue as well.
I was experiencing the same problems with winbind 3.3.8 from CentOS 5.5 (patch level 52). After manually applying the patch from https://bugzilla.samba.org/show_bug.cgi?id=7568 everything works fine again (for some days now). So that seems to be the correct solution to this bug as well. Is there any chance that this patch is going to be included in the 3.3 version of samba?
(In reply to comment #9)
> I was experiencing the same problems with winbind 3.3.8 from CentOS 5.5 (patch
> level 52). After manually applying the patch from
> https://bugzilla.samba.org/show_bug.cgi?id=7568 everything works fine again
> (for some days now). So that seems to be the correct solution to this bug as
> well.

Thanks a lot for testing!

> Is there any chance that this patch is going to be included in the 3.3 version
> of samba?

Sorry, Samba 3.3 is unfortunately no longer actively maintained. Only security fixes will go into a next 3.3.x release. See http://wiki.samba.org/index.php/Release_Planning_for_Samba_3.3

You should contact your vendor so they can add this fix and provide new packages.
*** Bug 7900 has been marked as a duplicate of this bug. ***
(In reply to Hank Hampel from comment #9) Marking as fixed per your comment. As per GD, we only apply fixes to supported versions.