Description of problem:
We are using PPTP Daemon (pptpd 1.3.4-1.rhel5.1) to provide PPTP VPN services for remote users. PPTP calls winbind to provide MS-CHAP-v2 authentication (/etc/ppp/options.pptpd) which contains:

require-mschap-v2
require-mppe-128
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='METROREPUBLIC+VPN_Access'"

Remote Windows machines are presented with an error though:
Error 778: It was not possible to verify the identity of the server.

PS: PPTP uses a special protocol (ntlm-server-1) to talk, via winbind, to the relevant domain controller.

Version-Release number of selected component (if applicable):
samba3x-3.3.8-0.51
ppp-2.4.4-2.el5
pptpd-1.3.4-1.rhel5.1

How reproducible:
Very, setup with samba 3.0.33 and then upgrade to samba3x-3.3.8

Steps to Reproduce:
1. Install Samba 3.0.33
2. Join to Windows 2008 domain
3. Setup pptpd to require Active Directory group membership on an authenticated account
4. Test to ensure everything's working and then upgrade to samba3x

Actual results:

Expected results:

Additional info:
Can you please provide winbind log files (log level = 10) of the failing samba3x winbind?
Tried various combinations of samba releases - 3.0.33 - 3.3.8 - 3.3.12 - master with a pptp server, windows xp sp3 client and winbind auth to a w2k8 AD domain and could not reproduce the failure yet.
I believe this to be another instance of samba bug #6522 (https://bugzilla.samba.org/show_bug.cgi?id=6522) which is fixed (at least for me) by the patch from bug #7568 (https://bugzilla.samba.org/show_bug.cgi?id=7568).
Great, thanks for verifying!
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Some remote users could not authenticate from workstations running Windows. This occurred because the winbind service failed to authenticate to a Windows 2008 server using the "ntlm-server-1" ntlm_auth protocol. With this update, the service works correctly.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0054.html