VPN Problems with Leopard Server 10.5.3
June 17, 2008 at 12:41 pm #373142
starbuck
Participant
I have two servers with exactly the same problem: one has been upgraded from a working 10.5.1 server to 10.5.3 and the other was a clean install updated to 10.5.3.
The problem: any users in the Open Directory cannot access the VPN; the connection is dropped. But if I add the user to the local Directory they can connect with no problems, so I have a workaround for now.
Here is the info from the logs.
2008-06-17 13:30:35 BST Incoming call… Address given to client = 192.168.1.216
Tue Jun 17 13:30:35 2008 : Directory Services Authentication plugin initialized
Tue Jun 17 13:30:35 2008 : Directory Services Authorization plugin initialized
Tue Jun 17 13:30:35 2008 : PPTP incoming call in progress from ‘82.43.148.161’…
Tue Jun 17 13:30:35 2008 : PPTP connection established.
Tue Jun 17 13:30:35 2008 : using link 0
Tue Jun 17 13:30:35 2008 : Using interface ppp0
Tue Jun 17 13:30:35 2008 : Connect: ppp0 <--> socket[34:17]
Tue Jun 17 13:30:35 2008 : sent [LCP ConfReq id=0x1]
Tue Jun 17 13:30:35 2008 : rcvd [LCP ConfReq id=0x1]
Tue Jun 17 13:30:35 2008 : lcp_reqci: returning CONFACK.
Tue Jun 17 13:30:35 2008 : sent [LCP ConfAck id=0x1]
Tue Jun 17 13:30:38 2008 : sent [LCP ConfReq id=0x1]
Tue Jun 17 13:30:38 2008 : rcvd [LCP ConfAck id=0x1]
Tue Jun 17 13:30:38 2008 : sent [LCP EchoReq id=0x0 magic=0x6394d0bd]
Tue Jun 17 13:30:38 2008 : sent [CHAP Challenge id=0x4a, name = “mail.testserver.internal”]
Tue Jun 17 13:30:38 2008 : rcvd [LCP EchoReq id=0x0 magic=0xd153511c]
Tue Jun 17 13:30:38 2008 : sent [LCP EchoRep id=0x0 magic=0x6394d0bd]
Tue Jun 17 13:30:38 2008 : rcvd [LCP EchoRep id=0x0 magic=0xd153511c]
Tue Jun 17 13:30:38 2008 : rcvd [CHAP Response id=0x4a, name = “testremote”]
Tue Jun 17 13:30:38 2008 : DSAuth plugin: Could not retrieve key agent account information.
Tue Jun 17 13:30:38 2008 : sent [CHAP Success id=0x4a “S=919ED8804589EC7DF60B4E79DBD26FC8F17CD527 M=Access granted”]
Tue Jun 17 13:30:38 2008 : CHAP peer authentication succeeded for testremote
Tue Jun 17 13:30:38 2008 : DSAccessControl plugin: User ‘testremote’ authorized for access
Tue Jun 17 13:30:38 2008 : MPPE required, but keys are not available. Possible plugin problem?
Tue Jun 17 13:30:38 2008 : sent [LCP TermReq id=0x2 “MPPE required but not available”]
Tue Jun 17 13:30:39 2008 : rcvd [CCP ConfReq id=0x1]
Tue Jun 17 13:30:39 2008 : rcvd [LCP TermAck id=0x2]
Tue Jun 17 13:30:39 2008 : Connection terminated.
Tue Jun 17 13:30:39 2008 : Connect time 0.1 minutes.
Tue Jun 17 13:30:39 2008 : Sent 0 bytes, received 0 bytes.
Tue Jun 17 13:30:39 2008 : PPTP disconnecting…
Tue Jun 17 13:30:39 2008 : PPTP disconnected
2008-06-17 13:30:39 BST –> Client with address = 192.168.1.216 has hungup
I’ve tried searching on the problem reported about the plugin problem but have only found a few articles about this, which haven’t helped. Anyone got any ideas?
Thanks for your time.
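As an added example (not part of the original post and not Apple tooling), a small Python triage over the pppd log format shown above: it flags sessions where CHAP succeeded but the link was torn down for missing MPPE keys after the key agent lookup failed, which points at the server side rather than at the user's credentials. The sample log is constructed from lines in the post plus a hypothetical second session for `localuser`; the verdict names are assumptions.

```python
import re

# Constructed sample: first session abridged from the log in the post above,
# second session (localuser) is hypothetical, added for contrast.
SAMPLE_LOG = """\
Tue Jun 17 13:30:38 2008 : rcvd [CHAP Response id=0x4a, name = "testremote"]
Tue Jun 17 13:30:38 2008 : DSAuth plugin: Could not retrieve key agent account information.
Tue Jun 17 13:30:38 2008 : CHAP peer authentication succeeded for testremote
Tue Jun 17 13:30:38 2008 : MPPE required, but keys are not available. Possible plugin problem?
Tue Jun 17 13:30:38 2008 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Tue Jun 17 13:30:39 2008 : Connection terminated.
Tue Jun 17 13:31:02 2008 : CHAP peer authentication succeeded for localuser
Tue Jun 17 13:35:10 2008 : Connection terminated.
"""

LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : (.*)$")
AUTH_OK = re.compile(r"CHAP peer authentication succeeded for (\S+)")
KEY_AGENT = "Could not retrieve key agent account information"
NO_MPPE = "MPPE required, but keys are not available"

def triage(log_text):
    """Return a (user, verdict) pair per session ending in 'Connection terminated.'"""
    findings = []
    user, key_agent_failed, mppe_failed = None, False, False
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # skip vpnd wrapper lines and anything unparseable
        msg = line.group(1)
        auth = AUTH_OK.search(msg)
        if auth:
            user = auth.group(1)
        elif KEY_AGENT in msg:
            key_agent_failed = True
        elif NO_MPPE in msg:
            mppe_failed = True
        elif msg.startswith("Connection terminated"):
            if user is None:
                verdict = "not-authenticated"
            elif mppe_failed and key_agent_failed:
                verdict = "key-agent-missing"  # auth fine, server lacks MPPE key material
            elif mppe_failed:
                verdict = "mppe-keys-unavailable"
            else:
                verdict = "ok"
            findings.append((user, verdict))
            user, key_agent_failed, mppe_failed = None, False, False
    return findings
```

Calling `triage(SAMPLE_LOG)` returns one entry per terminated session, so a run over a full day's log shows at a glance whether every directory user hits the same key agent failure.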
June 18, 2008 at 8:41 am #373167
starbuck
Participant
Hi MacTroll,
Under LDAP v3/127.0.0.1 I see no vpn_blahblah on the two servers. I have another server which does work, and I can see 3 x vpn_blahblahblah and this one works fine.
Will I have to kill the OD to get the vpn user back?
Thanks for your input as usual.
June 18, 2008 at 4:51 pm #373180
starbuck
Participant
That worked a treat!
Thank you for your quick response and help on this matter.
July 2, 2008 at 9:16 pm #373294
undulat
Participant
I have this same problem with server 10.5.1-3 and I can’t resolve it. When I run
>sudo /usr/sbin/vpnaddkeyagentuser /LDAPv3/127.0.0.1
I get this in the log:
7/2/08 10:52:09 PM sudo[26444] serveradmin : TTY=ttys000 ; PWD=/Users/serveradmin ; USER=root ; COMMAND=/usr/sbin/vpnaddkeyagentuser /LDAPv3/127.0.0.1
7/2/08 10:52:22 PM /usr/sbin/vpnaddkeyagentuser[26444] admin user ‘�?t|’ is not a password server user. Cannot access password server.
I can see any vpnblablabla user before or after. And I can’t log in over VPN, neither to OD users nor local ones. When I run vpnaddkeyagentuser I am prompted:
Enter admin name for node /LDAPv3/127.0.0.1:
Am I not supposed to enter the same serveradmin name here? I have looked at mkpassdb but it looks scary. And I can’t see any vpn-anything user there either when I do -dump, only the normal OD users.
Lars
July 3, 2008 at 1:06 pm #373299
undulat
Participant
Sorry, that should have been: I can’t see any vpn-blablabla users
July 23, 2008 at 10:53 pm #373492
undulat
Participant
The log message is the same no matter which account name I try, including the one that has been set to ‘administer this server’ in WGM. I tried posting the Q on Apple’s discussion boards, too, but nobody could help.
http://discussions.apple.com/thread.jspa?threadID=1590016&tstart=0
It seems to me as if the username I type in when prompted somehow gets garbled.
Doing a
sudo mkpassdb -dump
shows me the same list as I see in WGM, and the diradmin user is there, too. Just weird. I think I actually deleted those users myself, but I hope I won’t have to reinstall the whole server to get them back.
August 25, 2008 at 9:16 pm #373893
JonThompson
Participant
One thing that gets people on the vpnaddkeyagent user over and over is that it does two things…
1) adds a user to the ldap database.
2) adds a keychain item to the system keychain. (ras is in the name of the item)
If you have ever run it multiple times, you need to clear out _both_ before you run it again. Otherwise, you will have problems.
August 25, 2008 at 10:02 pm #373896
undulat
Participant
Thanks, but I still can’t get it to work. I did try to remove all the .ras entries in the System Keychain, and I don’t see any *vpn* users when doing
sudo mkpassdb -dump
When I run the vpnaddkeyagentuser command, the entry is added again to the system keychain, but no users are added to the LDAP db, and I get the same message in the log.
Lars