[Samba] samba 3.2 breaks ppp winbind plugin
We have a system running fedora 8 using pptpd from the poptop yum repository.
See http://www.poptop.org/

pptpd/pppd use the winbind plugin from the ppp package to authenticate to Active Directory.
This works just fine.

Then I found the same setup would not work on a fedora 9 setup.

In order to exclude any possible configuration errors I built a virtual machine and simulated an upgrade. This is what I found:

- fedora 8 out of the box works just fine
- fedora 8 yummed up-to-date still works fine
- after upgrading to fc9 it stops working
- yum update would not change things
- reverting to last f8 kernel would not help
- reverting to last f8 ppp rpm would not help
- reverting to pptpd rpm built for f8 would not help
- reverting to last f8 samba rpms would help!

What's happening when things don't work is that the XP client comes with this error, after a successful authentication:

"Error 778: It was not possible to verify the identity of the server"

I can see in the log files and in wireshark traces that the authentication was indeed successful. If I, on purpose, type a wrong password, I get the authentication failure message one would expect.

Wireshark shows that the XP client is terminating the connection immediately after a successful CHAP handshake.

I've seen several reports of this error on the poptop mailing list, all unanswered. Maybe they are seeing the same problem.

Fedora 9 comes with a major Samba update, from 3.0 to 3.2.
The winbind plugin that pptpd is using is supplied by Samba, so of course winbind bugs or changes affect pptpd.

Still I wonder what exactly broke, as winbind is in fact authenticating just fine.

Pim

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

On Tue, 2008-07-29 at 18:13 +0200, Pim Zandbergen wrote:
> We have a system running fedora 8 using pptpd from the poptop yum
> repository.
> See http://www.poptop.org/
>
> pptpd/pppd use the winbind plugin from the ppp package to authenticate
> to Active Directory.
> This works just fine.
>
> Then I found the same setup would not work on a fedora 9 setup.

So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba 3.2 PDC from Fedora 9?

> What's happening when things don't work is that the XP client
> comes with this error, after a successful authentication:
>
> "Error 778: It was not possible to verify the identity of the server"

> Wireshark shows that the XP client is terminating the connection
> immediately after a successful CHAP handshake.

This almost certainly means the session key returned from the PDC to the member server (where winbind and radius are) and calculated into the MSCHAPv2 response is incorrect/missing/etc.

Look for it being missing first - check with strace/gdb/etc in pppd to see what broke about the interaction with ntlm_auth.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

Andrew Bartlett wrote:
> On Tue, 2008-07-29 at 18:13 +0200, Pim Zandbergen wrote:
>> We have a system running fedora 8 using pptpd from the poptop yum
>> repository.
>> See http://www.poptop.org/
>>
>> pptpd/pppd use the winbind plugin from the ppp package to authenticate
>> to Active Directory.
>> This works just fine.
>>
>> Then I found the same setup would not work on a fedora 9 setup.
>
> So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba
> 3.2 PDC from Fedora 9?

No, this is Samba 3.2 (Fedora 9) failing to work with a Windows 2003 Server PDC, where Samba 3.0 (Fedora 8) works fine.

>> What's happening when things don't work is that the XP client
>> comes with this error, after a successful authentication:
>>
>> "Error 778: It was not possible to verify the identity of the server"
>> Wireshark shows that the XP client is terminating the connection
>> immediately after a successful CHAP handshake.
>
> This almost certainly means the session key returned from the PDC to the
> member server (where winbind and radius are) and calculated into the
> MSCHAPv2 response is incorrect/missing/etc.
>
> Look for it being missing first - check with strace/gdb/etc in pppd to
> see what broke about the interaction with ntlm_auth.

I ran ntlm_auth by hand on both systems in manual mode. Both work fine.
But pppd calls ntlm_auth using a special protocol, made for pppd.
I will probably have to capture this interaction and see the differences.

It would help if I would understand what else is in the MSCHAPv2 response other than "the authentication was successful", because it always is, and why the Windows client still is not satisfied.

Pim

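Added example, not part of the original thread and not pppd or Samba code: besides "success", the MS-CHAPv2 Success packet carries an authenticator response (RFC 2759, section 8.7) that the client recomputes to verify the server, so a wrong or missing session key only shows up after authentication has succeeded. The sketch assumes the session key returned for the user stands in for RFC 2759's PasswordHashHash, takes its inputs from the RFC's section 9.2 test vector, and uses hypothetical function names.

```python
import hashlib
import hmac

# Constants from RFC 2759 section 8.7 (GenerateAuthenticatorResponse).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 8.2: first 8 octets of SHA1(peer || authenticator || user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]

def authenticator_response(session_key, nt_response, peer_challenge,
                           auth_challenge, username):
    """String the server sends in the CHAP Success packet: 'S=<40 hex>'.

    Assumption: session_key plays the role of PasswordHashHash,
    i.e. MD4(MD4(unicode password)).
    """
    digest = hashlib.sha1(session_key + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()

def client_accepts(received, expected_key, nt_response, peer_challenge,
                   auth_challenge, username):
    """Client-side check (RFC 2759 8.8): recompute and compare."""
    mine = authenticator_response(expected_key, nt_response, peer_challenge,
                                  auth_challenge, username)
    return hmac.compare_digest(mine, received)

# Inputs from the RFC 2759 section 9.2 test vector (user "User").
USER = b"User"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")

def simulate(server_key):
    """Return (success_string, client_verdict) for a server using server_key."""
    s = authenticator_response(server_key, NT_RESPONSE, PEER_CHALLENGE,
                               AUTH_CHALLENGE, USER)
    ok = client_accepts(s, HASH_HASH, NT_RESPONSE, PEER_CHALLENGE,
                        AUTH_CHALLENGE, USER)
    return s, ok

if __name__ == "__main__":
    print("correct key:", simulate(HASH_HASH))
    print("zeroed key :", simulate(bytes(16)))  # constructed failure case
```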
On Wed, Jul 30, 2008 at 06:55:15PM +0200, Pim Zandbergen wrote:
> I ran ntlm_auth by hand on both systems in manual mode. Both work fine.
> But pppd calls ntlm_auth using a special protocol, made for pppd.
> I will probably have to capture this interaction and see the differences.

Can you do this and post the working and non-working responses, so we can track down what isn't working please?

Thanks,
Jeremy.

On Wed, Jul 30, 2008 at 06:55:15PM +0200, Pim Zandbergen wrote:
> >So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba
> >3.2 PDC from Fedora 9?
>
> No, this is Samba 3.2 (Fedora 9) failing to work with a Windows 2003
> Server PDC,
> where Samba 3.0 (Fedora 8) works fine.

Can't this be 5616?

Volker

On Wed, 2008-07-30 at 22:21 +0200, Volker Lendecke wrote:
> On Wed, Jul 30, 2008 at 06:55:15PM +0200, Pim Zandbergen wrote:
> > >So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba
> > >3.2 PDC from Fedora 9?
> >
> > No, this is Samba 3.2 (Fedora 9) failing to work with a Windows 2003
> > Server PDC,
> > where Samba 3.0 (Fedora 8) works fine.
>
> Can't this be 5616?

That (failure to decrypt the session key for the client) matches the symptoms here exactly.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

On Thu, Jul 31, 2008 at 08:14:05AM +1000, Andrew Bartlett wrote:
> On Wed, 2008-07-30 at 22:21 +0200, Volker Lendecke wrote:
> > On Wed, Jul 30, 2008 at 06:55:15PM +0200, Pim Zandbergen wrote:
> > > >So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba
> > > >3.2 PDC from Fedora 9?
> > >
> > > No, this is Samba 3.2 (Fedora 9) failing to work with a Windows 2003
> > > Server PDC,
> > > where Samba 3.0 (Fedora 8) works fine.
> >
> > Can't this be 5616?
>
> That (failure to decrypt the session key for the client) matches the
> symptoms here exactly.

As you can see in 5616, there is a patch provided:
https://bugzilla.samba.org/attachmen...26&action=view
:-)

Volker

Volker Lendecke wrote:
> On Thu, Jul 31, 2008 at 08:14:05AM +1000, Andrew Bartlett wrote:
>> On Wed, 2008-07-30 at 22:21 +0200, Volker Lendecke wrote:
>>> On Wed, Jul 30, 2008 at 06:55:15PM +0200, Pim Zandbergen wrote:
>>>>> So, this is winbind from Samba 3 (Fedora 8) failing to work with a Samba
>>>>> 3.2 PDC from Fedora 9?
>>>> No, this is Samba 3.2 (Fedora 9) failing to work with a Windows 2003
>>>> Server PDC,
>>>> where Samba 3.0 (Fedora 8) works fine.
>>> Can't this be 5616?
>> That (failure to decrypt the session key for the client) matches the
>> symptoms here exactly.
>
> As you can see in 5616, there is a patch provided:
> https://bugzilla.samba.org/attachmen...26&action=view
> :-)
>
> Volker

I will apply it and let you know.

Thanks,
Pim

Pim Zandbergen wrote:
> Volker Lendecke wrote:
>> On Thu, Jul 31, 2008 at 08:14:05AM +1000, Andrew Bartlett wrote:
>>> On Wed, 2008-07-30 at 22:21 +0200, Volker Lendecke wrote:
>>>> On Wed, Jul 30, 2008 at 06:55:15PM +0200, Pim Zandbergen wrote:
>>>>>> So, this is winbind from Samba 3 (Fedora 8) failing to work with
>>>>>> a Samba
>>>>>> 3.2 PDC from Fedora 9?
>>>>> No, this is Samba 3.2 (Fedora 9) failing to work with a Windows
>>>>> 2003 Server PDC,
>>>>> where Samba 3.0 (Fedora 8) works fine.
>>>> Can't this be 5616?
>>> That (failure to decrypt the session key for the client) matches the
>>> symptoms here exactly.
>>
>> As you can see in 5616, there is a patch provided:
>> https://bugzilla.samba.org/attachmen...26&action=view
>> :-)
>>
>> Volker
>
> I will apply it and let you know.

It does not solve the problem.

Thanks,
Pim

On Thu, Jul 31, 2008 at 10:47:03PM +0200, Pim Zandbergen wrote:
> >I will apply it and let you know.
> It does not solve the problem.

Günther Deschner fixed the same bug for winbind with fef58091408. Maybe you just try the current git code? Or also apply the attached patch?

Thanks for testing,
Volker