Andrew Bartlett wrote:

On Fri, 2004-12-31 at 08:48 -0500, Alex Brown wrote:


Andrew Bartlett wrote:


On Wed, 2004-10-20 at 00:44, Mike Brodbelt wrote:



Hi,

I have a few remote users who use a PPTP-based VPN. The server is running
PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC
for (some) added security. Currently, users' authentication information
is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to
put users into LDAP, and have ppp authenticate either directly against
LDAP, or against Samba (with an LDAP backend). Any ideas on how I might
go about this? Most of the docs I've seen suggest that you can't use PAM
for authentication with CHAP, so it seems not to be as simple as I might
have hoped.

Disclaimer - I haven't actually tried any of this yet, I'm just trying
to get it clear in my head before I start...


The pppd patch (one for 2.4.2, one for current CVS) is here:
http://download.samba.org/ftp/unpacked/lorikeet/trunk/pppd

The documentation is:
http://hawkerc.net/staff/abartlet/comp3700/final-report.pdf

Note that the patch changed a little since the report was written, use
the instructions in the README for configuration.

Andrew Bartlett




Hi Andrew,

Thanks for creating the "final-report" document. It is very informative. I'm trying to set up a PoPToP server that authenticates to our Windows NT Domain (with a Windows NT 4.0 PDC) via Samba/Winbind. When I follow the instructions in your document, after changing to the ppp directory to apply the ntlm_auth patch, I get the following output.



Current ppp has everything you need already - I finally got it merged upstream. All you need now is the configuration (which has changed since the report was written):

Configuration (pppd config file):

plugin winbind.so
ntlm_auth-helper "/usr/local/bin/ntlm_auth --helper-protocol=ntlm-server-1"

The --required-membership-of option is also available, to implement a
'dialin users' or 'vpn users' group.

Andrew Bartlett



Thanks Andrew,

I followed your instructions without applying the patch and I modified the /etc/ppp/options.pptpd file to include the changes in your reply.

I'm having what I'm sure is a small problem so please forgive my ignorance.

When I try to authenticate to the poptop server with my Windows XP client, I see the following messages in my log...

Jan 3 08:31:37 papcom pptpd[2603]: MGR: Launching /usr/sbin/pptpctrl to handle client
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: local address = 192.168.0.1
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: remote address = 192.168.0.3
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: pppd options file = /etc/ppp/options.pptpd
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control connection started
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 1)
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Made a START CTRL CONN RPLY packet
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 156 bytes to the client.
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Sent packet to client
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 7)
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Set parameters to 1525 maxbps, 64 window size
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Made a OUT CALL RPLY packet
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: Starting call (launching pppd, opening GRE)
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: pty_fd = 5
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: tty_fd = 6
Jan 3 08:31:37 papcom pptpd[2604]: CTRL (PPPD Launcher): Connection speed = 115200
Jan 3 08:31:37 papcom pptpd[2603]: CTRL: I wrote 32 bytes to the client.
Jan 3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): local address = 192.168.0.1
Jan 3 08:31:38 papcom pptpd[2603]: CTRL: Sent packet to client
Jan 3 08:31:38 papcom pptpd[2604]: CTRL (PPPD Launcher): remote address = 192.168.0.3
Jan 3 08:31:38 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 15)
Jan 3 08:31:38 papcom pppd[2604]: Plugin /usr/local/lib/pppd/2.4.3/winbind.so loaded.
Jan 3 08:31:38 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Jan 3 08:31:38 papcom pppd[2604]: WINBIND plugin initialized.
Jan 3 08:31:38 papcom pptpd[2603]: GRE: Discarding duplicate packet
Jan 3 08:31:38 papcom pppd[2604]: pppd 2.4.3 started by root, uid 0
Jan 3 08:31:38 papcom pppd[2604]: using channel 23
Jan 3 08:31:38 papcom kernel: divert: not allocating divert_blk for non-ethernet device ppp0
Jan 3 08:31:38 papcom pppd[2604]: Using interface ppp0
Jan 3 08:31:38 papcom pppd[2604]: Connect: ppp0 <--> /dev/pts/2
Jan 3 08:31:38 papcom pppd[2604]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
Jan 3 08:31:38 papcom pptpd[2603]: GRE: Bad checksum from pppd.
Jan 3 08:31:38 papcom pppd[2604]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x57d0a938> <pcomp> <accomp>]
Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x7b6b79b5> <pcomp> <accomp> <callback CBCP>]
Jan 3 08:31:40 papcom pppd[2604]: sent [LCP ConfRej id=0x1 <callback CBCP>]
Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x7b6b79b5> <pcomp> <accomp>]
Jan 3 08:31:40 papcom pppd[2604]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x7b6b79b5> <pcomp> <accomp>]
Jan 3 08:31:40 papcom pppd[2604]: sent [LCP EchoReq id=0x0 magic=0x57d0a938]
Jan 3 08:31:40 papcom pppd[2604]: sent [CHAP Challenge id=0xb4 <5d8f7b72df4bb4a4003ddc0a3d7a4644>, name = "papcom"]
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 15)
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x3 magic=0x7b6b79b5 "MSRASV5.10"]
Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP Ident id=0x4 magic=0x7b6b79b5 "MSRAS-1-INFG450ROG-1234"]
Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP EchoRep id=0x0 magic=0x7b6b79b5]
Jan 3 08:31:40 papcom pppd[2604]: rcvd [CHAP Response id=0xb4 <ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>, name = "PAP\\abrown"]
Jan 3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP authentication
Jan 3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
Jan 3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2 "Authentication failed"]
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Received PPTP Control Message (type: 15)
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Jan 3 08:31:40 papcom pppd[2604]: rcvd [LCP TermAck id=0x2 "Authentication failed"]
Jan 3 08:31:40 papcom pppd[2604]: Connection terminated.
Jan 3 08:31:40 papcom kernel: divert: no divert_blk to free, ppp0 not ethernet
Jan 3 08:31:40 papcom pppd[2604]: Exit.
Jan 3 08:31:40 papcom pptpd[2603]: GRE: read(fd=5,buffer=804d5a0,len=8196) from PTY failed: status = -1 error = Input/output error
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: PTY read or GRE write failed (pty,gre)=(5,6)
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Closing child BCrelay with pid 0
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Closing child ppp with pid 2604
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Client 66.156.10.36 control connection finished
Jan 3 08:31:40 papcom pptpd[2603]: CTRL: Exiting now
Jan 3 08:31:40 papcom pptpd[2564]: MGR: Reaped child 2603


I know this section of the log . .

<ec918ac4e0cd14ab96a16047e9417f4f00000000000000008a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c00>, name = "PAP\\abrown"]
Jan 3 08:31:40 papcom pppd[2604]: Peer PAP\\abrown failed CHAP authentication
Jan 3 08:31:40 papcom pppd[2604]: sent [CHAP Failure id=0xb4 "E=691 R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"]
Jan 3 08:31:40 papcom pppd[2604]: sent [LCP TermReq id=0x2 "Authentication failed"]


is the cause of the problem but I don't know how to fix it.
It appears that the pppd is expecting something to be in the chap-secrets file. I don't have anything in it. Should I have something in it that will cause it to talk to the Windows PDC for authentication?


Here is a copy of my /etc/ppp/options.pptpd file.

## CHANGE TO SUIT YOUR SYSTEM
lock
debug
name papcom
noauth
#proxyarp
nobsdcomp
#chapms-strip-domain
lcp-echo-failure 30
lcp-echo-interval 5
ipcp-accept-local
ipcp-accept-remote
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-wins 10.1.100.13
ms-dns 10.1.100.127
plugin /usr/local/lib/pppd/2.4.3/winbind.so
ntlm_auth-helper "/usr/local/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Thanks again for any help you can give. I'm learning a lot. I hope to be like you when I grow up!

Alex
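The following is an added illustration of what the configuration in Andrew's reply actually does with the exchange in Alex's log; it is not code from the thread, from pppd, from PoPToP or from Samba. It splits the 49-octet MS-CHAPv2 Response value that pppd logged into its fields, computes the 8-octet ChallengeHash from RFC 2759 that the NT-Response was really made against, builds the `--helper-protocol=ntlm-server-1` request that the winbind plugin hands to ntlm_auth, and decodes the `E=691 ...` failure text. The request field names follow the ntlm_auth(1) man page; that pppd's winbind plugin emits exactly this set of fields, and hashes the bare user name rather than `DOMAIN\user`, are assumptions to check against your pppd source. The sample values are copied from the log above; the RFC 2759 test vector is used only in the check.

```python
"""Pull apart the MS-CHAPv2 exchange shown in the pppd log above and build
the request the winbind plugin hands to ntlm_auth.  Added illustration,
not code from pppd, PoPToP or Samba."""
import hashlib
import re

# Constructed input: the values below are copied from the debug log in the
# thread (CHAP Challenge, CHAP Response and CHAP Failure lines).
LOG_CHALLENGE = "5d8f7b72df4bb4a4003ddc0a3d7a4644"
LOG_RESPONSE = ("ec918ac4e0cd14ab96a16047e9417f4f"                  # peer challenge
                "0000000000000000"                                  # reserved
                "8a747cd2cfdf8dbd4e993df5b34cf15ac6b65c94e3b1721c"  # NT response
                "00")                                               # flags
LOG_NAME = "PAP\\abrown"
LOG_FAILURE = "E=691 R=1 C=5d8f7b72df4bb4a4003ddc0a3d7a4644 V=0 M=Access denied"

# Error codes from RFC 2759 section 6 (Failure Packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def parse_mschapv2_response(hexvalue):
    """Split the 49-octet MS-CHAPv2 Response value (RFC 2759 section 4)."""
    raw = bytes.fromhex(hexvalue)
    if len(raw) != 49:
        raise ValueError("MS-CHAPv2 response must be 49 octets, got %d" % len(raw))
    return {
        "peer_challenge": raw[0:16],
        "reserved": raw[16:24],
        "nt_response": raw[24:48],
        "flags": raw[48],
    }


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).  This is the
    challenge the NT response was actually computed against, which is why
    it goes to ntlm_auth as the 'LANMAN-Challenge' field."""
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(username.encode("ascii"))
    return sha.digest()[:8]


def split_domain(name):
    """Split 'DOMAIN\\user' as sent by a Windows client; no domain -> ''."""
    domain, sep, user = name.partition("\\")
    if not sep:
        return "", name
    return domain, user


def ntlm_server_1_request(name, authenticator_challenge_hex, response_hex):
    """Build the ntlm-server-1 request lines (field names per ntlm_auth(1)).
    Assumption: the bare user name, not 'DOMAIN\\user', goes into the hash."""
    fields = parse_mschapv2_response(response_hex)
    domain, user = split_domain(name)
    chal = challenge_hash(fields["peer_challenge"],
                          bytes.fromhex(authenticator_challenge_hex), user)
    lines = ["Username: " + user]
    if domain:
        lines.append("NT-Domain: " + domain)
    lines += [
        "LANMAN-Challenge: " + chal.hex(),
        "NT-Response: " + fields["nt_response"].hex(),
        "Request-User-Session-Key: Yes",   # pppd needs the session key for MPPE
        ".",                               # terminates one request
    ]
    return lines


def parse_chap_failure(message):
    """Decode the CHAP Failure text (RFC 2759 section 6):
    E=code R=retry C=challenge V=version M=message."""
    m = re.match(r"E=(\d+) R=([01]) C=([0-9A-Fa-f]+) V=(\d+)(?: M=(.*))?$", message)
    if m is None:
        raise ValueError("not an MS-CHAP failure message: %r" % message)
    code = int(m.group(1))
    return {
        "code": code,
        "meaning": MSCHAP_ERRORS.get(code, "unknown"),
        "retry": m.group(2) == "1",
        "challenge": m.group(3).lower(),
        "version": int(m.group(4)),
        "message": m.group(5) or "",
    }


if __name__ == "__main__":
    for line in ntlm_server_1_request(LOG_NAME, LOG_CHALLENGE, LOG_RESPONSE):
        print(line)
    print(parse_chap_failure(LOG_FAILURE))
```

Two things worth keeping in mind when reading the output. `E=691` is `ERROR_AUTHENTICATION_FAILURE` in RFC 2759 terms, i.e. the verifier rejected the NT-Response for that user against that challenge; with the winbind plugin loaded, the verifier is ntlm_auth and winbindd, so the quickest way to narrow the fault down is to take pppd out of the picture and run `wbinfo -t` (trust account check against the PDC) and then `ntlm_auth --username=abrown --domain=PAP` from a shell on the PoPToP host. If those fail, the problem is in the winbind/PDC path, not in the pppd options.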
