[pptp-server] clients can see only some machines.... why?

E. Jay Berkenbilt ejb at ql.org
Thu Jun 29 00:00:42 CDT 2000


I have figured out the answers to my questions for NT 4.0 clients.
Since I have received no response from the list, I will post my
answers here in hopes that they will be useful to someone.  These
answers may not solve everyone's problems, of course...

The problem described below basically boiled down to a name resolution
problem.  It turned out that simply checking "Enable DNS for Windows
Resolution" in the TCP/IP protocol properties dialog under the WINS
Address tab was sufficient to get names to resolve.  Once I got this
far, I could connect to any of our servers that had static IP
addresses and names registered via DNS.

However, after doing this, I could still not connect to the samba
servers, which have domain authentication.  This is because the NT
client was sending the local domain as the domain string in the
connection attempt.  Entering DOMAIN\Username in the Connect As area
solved this problem.

I suspect that this will work for Win95 as well, except since there is
no place to override connection strings, I would probably have to have
the desired domain configured on the client....

Anyway, now I can do everything I want from NT 4.0 clients.  (Well,
actually, I can tell my users how to do everything they want -- I
access our network from Linux.... ;-])

--
E. Jay Berkenbilt (ejb at ql.org)  |  http://www.ql.org/q/

---------------------------------------------------------------------------

>   I have some clients running various combinations of Windows 95 and NT
>   4.0.  They are able to connect and authenticate, but they are only
>   able to see some hosts.  Here's my setup in detail:
>
>   I have a firewall running Linux with a 2.2.16 kernel patched with PPTP
>   masquerading support and ipfwd.  I have TCP port 1723 and IP protocol
>   47 forwarding to an internal machine which is running a PPTP server.
>   This seems to work flawlessly.
>
>   On the internal network, I have a RedHat 6.0 box with a 2.2.10 kernel,
>   a patched ppp-2.3.10 that includes the MS-CHAP and MS-style
>   encryption.  This machine is running an unmodified PoPToP 1.0.0.
>
>   My /etc/ppp/options is:
>
>     lock
>     auth
>     require-chap
>     ms-dns 192.168.0.1
>     ms-wins 192.168.0.101
>     require-chapms
>     require-chapms-v2
>     mppe-40
>     mppe-128
>     mppe-stateless
>
>   where 192.168.0.101 is the IP address of our NT primary domain
>   controller and 192.168.0.1 is the IP address of our primary DNS
>   server.
>
>   My /etc/pptpd.conf is
>
>     localip 192.168.254.1
>     remoteip 192.168.255.1-8
>
>   Also, on the Linux box running pptp, I have
>
>     ipchains -A forward -p all 192.168.255.0/24 -j MASQ
>
>   IP masquerading, including ICMP masquerading are compiled as modules
>   and are loaded automatically.
>
>   The NT clients are all running Service pack 5.  The 95 clients are
>   running with the dialup network 1.3 patch, the VPN patch, and some
>   dialup networking y2k patch from Microsoft.
>
>   Clients have IP Header compression off, default gateway over
>   connection on, TCP enabled, NetBEUI and IPX disabled.  They connect
>   using a login and password in /etc/ppp/chap-secrets on the pptp
>   server.  The login is not necessarily the same as the login on the
>   domain, and no domain authentication is happening here to my
>   knowledge.
>
>   Here's what works:
>
>    * Authentication and connection to the network.
>
>    * ping, telnet, DNS resolutions to our internal network (works via
>      masquerading)
>
>    * START -> Run... \\ads-svr-1   -- ads-svr-1 is our primary domain
>      controller.  It is on the same subnet as the pptp server, but it is
>      not itself the pptp server.  Connecting to some machines like this
>      works.
>
>    * Outlook-2000 to access exchange server which is also on the same
>      subnet as the pptp server.
>
>   Here's what does not work:
>
>    * Browsing via network neighborhood (no surprise here, and I don't
>      need to fix it).
>
>    * Access to some other machines in the network.
>
>   Attempts to access other machines fail with a message indicating that
>   no service recognizes the name.  It appears that name resolution must
>   not be working well.
>
>   I have yet to find a convincing pattern to which machines work and
>   which don't.  Our PDC works, as does one of our development file
>   servers.  These are both running NT Server with service pack 4 or
>   higher.  Another file server does not work.  I think it's also running
>   NT server, but there's some chances it is running NT workstation.  I
>   do not administratively control that server.  All three servers have
>   static IP addresses which are registered with DNS and are also
>   available via NMB.
>
>   I can't access any of the samba servers in this way.  The samba
>   servers all have domain authentication.
