590766 – Winbind fails on ntlm-server-1 with Windows 2008 server

Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.

Bug 590766 - Winbind fails on ntlm-server-1 with Windows 2008 server

Summary: Winbind fails on ntlm-server-1 with Windows 2008 server

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	samba3x
Sub Component:
Version:	5.5
Hardware:	All
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Guenther Deschner
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-05-10 16:19 UTC by David Herselman
Modified:	2012-11-04 00:31 UTC (History)
CC List:	3 users (show)
Fixed In Version:	samba3x-3.5.4-0.62.el5
Doc Type:	Bug Fix
Doc Text:	Some remote users could not authenticate from workstations running Windows. This occurred, because the winbind service failed to authenticate to a Windows 2008 server using the "ntlm-server-1" ntm_auth protocol. With this update, the service works correctly.
Clone Of:
Environment:
Last Closed:	2011-01-13 22:47:53 UTC
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0054	0	normal	SHIPPED_LIVE	samba3x bug fix and enhancement update	2011-01-12 17:15:21 UTC

Description David Herselman 2010-05-10 16:19:16 UTC

Description of problem:
  We are using PPTP Daemon (pptpd 1.3.4-1.rhel5.1) to provide PPTP VPN
  services for remote users. PPTP calls winbind to provide MS-CHAP-v2
  authentication (/etc/ppp/options.pptpd) which contains:
    require-mschap-v2
    require-mppe-128
    plugin winbind.so
    ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='METROREPUBLIC+VPN_Access'"

  Remote Windows machines are presented with an error though:
    Error 778: It was not possible to verify the identity of the server.

  PS: PPTP uses a special protocol (ntlm-server-1) to talk, via winbind,
      to the relevant domain controller.


Version-Release number of selected component (if applicable):
  samba3x-3.3.8-0.51
  ppp-2.4.4-2.el5
  pptpd-1.3.4-1.rhel5.1

How reproducible:
  Very, setup with samba 3.0.33 and then upgrade to samba3x-3.3.8

Steps to Reproduce:
1. Install Samba 3.0.33
2. Join to Windows 2008 domain
3. Setup pptpd to require Active Directory group membership on an authenticated account
4. Test to ensure everything's working and then upgrade to samba3x
  
Actual results:


Expected results:


Additional info:

Comment 2 Guenther Deschner 2010-06-17 19:36:49 UTC

Can you please provide winbind log files (log level = 10) of the failing samba3x winbind ?

Comment 3 Guenther Deschner 2010-06-21 09:51:14 UTC

Tried various combinations of samba releases

- 3.0.33
- 3.3.8
- 3.3.12
- master

with a pptp server, windows xp sp3 client and winbind auth to a w2k8 AD domain and could not reproduce the failure yet.

Comment 5 Hank Hampel 2010-08-23 16:51:14 UTC

I believe this to be an other instance of samba bug #6522 (https://bugzilla.samba.org/show_bug.cgi?id=6522) which is fixed (at least for me) by the patch from bug #7568 (https://bugzilla.samba.org/show_bug.cgi?id=7568).

Comment 6 Guenther Deschner 2010-08-24 08:20:44 UTC

great, thanks for verifiying!

Comment 13 Eva Kopalova 2010-12-15 08:39:46 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Some remote users could not authenticate from workstations running Windows. This occurred, because the winbind service failed to authenticate to a Windows 2008 server using the "ntlm-server-1" ntm_auth protocol. With this update, the service works correctly.

Comment 15 errata-xmlrpc 2011-01-13 22:47:53 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0054.html

Note You need to log in before you can comment on or make changes to this bug.