VPN error 778 between Windows 7 and Debian Squeeze w/ pptpd and AD

active-directory, unix, vpn

I have a VPN server set up on a debian (lenny) machine. I get an error, 778: "it was not possible to verify the identity of the server", every time I try to connect. I checked the configuration against this site, and set up a replica machine to set it up and test it there as well. On both debian machines, I get a 778.

The weird thing is, I don't get this error when using a CHAP secrets file; only when using winbind (so as to authenticate over Active Directory). But we need AD authentication to ensure security in our environment. I have found no literature on this subject other than to update my certificates:

# dpkg-reconfigure ca-certificates

which I did.

To pose the question, why am I getting the 778 error and how do I fix the error on a Debian machine?

EDIT: I found this at http://www.schneier.com/paper-pptpv2.pdf. How MS-CHAPv2 works:

  1. Client requests a login challenge from the Server.
  2. The Server sends back a 16-byte random challenge.
  3. The Client generates a random 16-byte number, called the "Peer Authenticator Challenge."
  4. The Client generates an 8-byte challenge by hashing the 16-byte challenge received in step (2), the 16-byte Peer Authenticator Challenge generated in step (3), and the Client's username.
  5. The Client creates a 24-byte reply, using the Windows NT hash function and the 8-byte challenge generated in step (4). This process is identical to MS-CHAPv1.
  6. The Client sends the Server the results of steps (3) and (5).
  7. The Server uses the hashes of the Client's password, stored in a database, to decrypt the replies. If the decrypted blocks match the challenge, the Client is authenticated.
  8. The Server uses the 16-byte Peer Authenticator Challenge from the client, as well as the Client's hashed password, to create a 20-byte "Authenticator Response."
  9. The Client also computes the Authenticator Response. If the computed response matches the received response, the Server is authenticated.

I suppose then that the Debian machine is not sending the 16-byte Authenticator Challenge or that it is not working correctly. Is there any reason why it would have that problem, and if so, what do I do to fix it?
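The check that fails with error 778 is step 9 of the exchange quoted above: the client recomputes the 20-byte Authenticator Response and compares it with what the server sent. The following is an added example, not code from the original post, from pptpd or from Samba. It implements the SHA-1 and MD4 parts of RFC 2759 (ChallengeHash, NtPasswordHash, HashNtPasswordHash, GenerateAuthenticatorResponse) with a pure-Python MD4, because `hashlib.new("md4")` is usually unavailable on OpenSSL 3 builds. The DES-based 24-byte NT-Response of step 5 is not reimplemented; it and the other inputs are taken from the published RFC 2759 section 9.2 test vectors rather than from the poster's setup, so the expected `S=` string can be checked against the RFC.

```python
"""Client-side check of the MS-CHAPv2 Authenticator Response (RFC 2759).

Added example; not code from the original post, pptpd or Samba.  Covers
steps 4, 8 and 9 of the quoted exchange.  The DES-based NT-Response of
step 5 is taken from the RFC 2759 section 9.2 test vectors as an input.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)              # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]       # message word order, round 2
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]  # round 3
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Rotating (a, b, c, d) after each step lets one line update a, d, c, b in turn.
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


# Magic constants from RFC 2759 section 8.7.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """Step 4: first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 8.3: MD4 of the password encoded as UTF-16LE (the NT hash)."""
    return md4(password.encode("utf-16-le"))


def generate_authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                                    auth_challenge: bytes, username: str) -> str:
    """Steps 8 (server) and 9 (client): the value both sides compute, sent as "S=" + 40 hex digits."""
    pw_hash_hash = md4(nt_password_hash(password))            # HashNtPasswordHash
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def check_authenticator_response(received: str, password: str, nt_response: bytes,
                                 peer_challenge: bytes, auth_challenge: bytes, username: str) -> bool:
    """The client's step 9.  A mismatch is the condition Windows reports as error 778."""
    expected = generate_authenticator_response(password, nt_response, peer_challenge,
                                               auth_challenge, username)
    return hmac.compare_digest(expected.encode(), received.encode())


# RFC 2759 section 9.2 test vectors (published values, not captured from the poster's setup).
USERNAME = "User"
PASSWORD = "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    good = generate_authenticator_response(PASSWORD, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    print("NT hash       :", nt_password_hash(PASSWORD).hex().upper())
    print("8-byte chal   :", challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME).hex().upper())
    print("Auth response :", good)
    # A server that uses a wrong (here: all-zero) peer challenge produces a value the client rejects.
    bad = generate_authenticator_response(PASSWORD, NT_RESPONSE, bytes(16), AUTH_CHALLENGE, USERNAME)
    for label, resp in (("good", good), ("bad ", bad)):
        ok = check_authenticator_response(resp, PASSWORD, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
        print(f"client accepts {label}:", ok)
```

In the pptpd setup from the question, step 8 is carried out on the Debian side by pppd's winbind plugin from the material Samba's ntlm_auth returns, so a wrong value produced there is reported by the Windows client, not by the server: the client's step 9 comparison (the `check_authenticator_response` above) fails and Windows shows error 778. Running the block with the RFC vectors shows the good response being accepted and a response computed over the wrong peer challenge being rejected, even though the password and NT-Response are identical in both cases.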

Best Answer

I found it! The error is a Samba bug, detailed here. Both squeeze and lenny machines use Samba 3.4.8. I updated via http://backports.debian.org and it worked!