Poptop VPN Server – Windows Server AD Authentication – ntlm_auth –require-membership-of
July 26th, 2009 by Oliver - Tagged with PopTop, PPTP, VPN, Windows Server - Posted in Web Platforms
Recently I have had the need to connect into my home LAN from work. I opted to go down the Linux route due to its lower resource consumption (compared to Windows) and because I also needed a solution that could be virtualised easily.
The Short
Change the line starting with ntlm_auth-helper in your /etc/ppp/options.pptpd to use the Windows group's SID instead of the group's name, and per-group authentication will work fine.
The Long
After installing Fedora Core 11 (latest release at the time) I followed the instructions located at http://poptop.sourceforge.net/dox/redhat-howto.phtml to install a basic non-linked (authentication wise) version of PopTop onto the server. I added a user to the /etc/ppp/chap-secrets, temporarily disabled the firewall and tried to connect from Vista which worked perfectly.
Once I knew the VPN server was authenticating connections using the local chap-secrets file I decided to try setting up Windows AD authentication via my Windows 2008 domain controller.
I installed Samba, checked that I was using the latest version of PPP, and configured Samba, Kerberos & Winbind using the guide at http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm from point 9 onwards.
After completing the steps outlined in the guide I had a fully functioning Linux PPTP server authenticating with my Windows 2008 Server. One problem: point 11.3 of the guide above shows how to allow connections from only specific user groups, and this does not work (at least it doesn't for me!).
I spent hours looking into the Samba ntlm_auth helper and its switches, but I could not get pptpd to authenticate connections to a specific group. However, if I removed the switch:
--require-membership-of=My_User_group
from the ntlm_auth-helper line in /etc/ppp/options.pptpd, it would authenticate any valid username within the domain.
After trying multiple variations of the user group name within the options.pptpd file (i.e. MYDOMAIN\MY_GROUP, MYDOMAIN.LOCAL\MY_GROUP, CN=MY_GROUP,OU=Users … etc.) I ran out of options and decided to re-read the Samba documentation. Instead of the group name you can use the group's SID. I fired up ADSI Edit on my domain controller, retrieved the group's SID, swapped the group name for the SID within the options.pptpd file, rebooted the pptpd server and tried to reconnect. This works and only authenticates valid members of the group I have created.
My ntlm_auth-helper line now looks like this:
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=S-1-5-21-2406473510-3779966998-1008200024-1611"
rather than
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=MYDOMAIN+MYGROUPNAME"
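As an added check that is not part of the original post, here is a small Python audit of an options.pptpd file that classifies the ntlm_auth-helper line by whether --require-membership-of is absent (any valid domain account gets in), carries a group name (the form that failed above) or carries a SID (the form that worked). The function name audit_pptpd_options and the sample configs are my own constructions.

```python
import re
import shlex

# Well-formed Windows SID: S-1-<authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def audit_pptpd_options(text):
    """Classify the ntlm_auth-helper line of an options.pptpd file.

    Returns one of:
      "no-helper"      no ntlm_auth-helper line at all
      "no-group-check" helper present but --require-membership-of is
                       missing, so every valid domain account can connect
      "group-name"     switch carries a group name (the form that failed here)
      "sid"            switch carries a group SID (the form that worked)
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("ntlm_auth-helper"):
            continue
        # The helper command is one double-quoted string after the option name.
        parts = shlex.split(line)
        if len(parts) < 2:
            return "no-group-check"
        for arg in parts[1].split():
            if arg.startswith("--require-membership-of="):
                value = arg.split("=", 1)[1]
                return "sid" if SID_RE.match(value) else "group-name"
        return "no-group-check"
    return "no-helper"

# Constructed sample files (not the post's own), one per outcome.
SAMPLES = {
    "sid": ('ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 '
            '--require-membership-of=S-1-5-21-2406473510-3779966998-1008200024-1611"\n'),
    "group-name": ('ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 '
                   '--require-membership-of=MYDOMAIN+MYGROUPNAME"\n'),
    "no-group-check": ('# group filter removed while troubleshooting\n'
                       'ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"\n'),
    "no-helper": "name pptpd\nrequire-mschap-v2\n",
}

if __name__ == "__main__":
    for expected, cfg in SAMPLES.items():
        print(f"{expected:15} -> {audit_pptpd_options(cfg)}")
```

Run it against your real /etc/ppp/options.pptpd to confirm the group filter is still in place after troubleshooting, since a helper line with the switch removed accepts any domain user.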
There are three methods to get a group's SID that I am aware of:
1) Open ADSI Edit (download the Windows Server resource kit), connect to the domain, browse to the group object, right click & select Properties. Scroll down to the objectSid attribute.
2) Grab adfind - http://www.joeware.net/win/free/tools/adfind.htm - then run the following command:
adfind -gc -b "" -f samaccountname=groupname objectsid
3) http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/getsid-o.asp
I found these methods at: http://www.eggheadcafe.com/forumarchives/windowsserveractive_directory/nov2005/post24729942.asp
I found the SID solution at:
http://www.nabble.com/ntlm_auth—require-membership-of-td8456581.html