Resolved
0 votes
Hi there,
This morning the PPTP service was updated automatically. Since then users can't connect anymore.
Windows clients get the notification to re-enter their password.
Win 7 gives "error 619" after a while and
Win 10 gives "The remote connection was not made because the attempted VPN tunnel failed. . . . ".
I don't get login attempts in the events list. I restarted the service and after that didn't work I rebooted the server. I don't know which logfile I should check. There is no httpd logfile in the logfilelist.
Can somebody help me out in troubleshooting this issue?
Cheers, Foeke
Friday, October 20 2017, 09:49 AM
Accepted Answer

Friday, October 20 2017, 06:56 PM - #Permalink
Resolved
1 votes
Here's the solution. In /etc/samba/smb.conf, add the following to the "global" section of the configuration:

ntlm auth = yes

And then restart Winbind:

service winbind restart

I'll post a bug report and will push a quick fix.
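
Added example, not part of the original post: a shell check that reports which "ntlm auth" value is actually in effect in the "global" section of smb.conf, which is useful for confirming the fix above or auditing it later. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show which "ntlm auth" value is in
# effect in the [global] section of an smb.conf-style file.

# Print the last "ntlm auth" value found in [global], or "unset".
# smb.conf ignores case and blanks in section and parameter names,
# and treats lines starting with '#' or ';' as comments.
ntlm_auth_setting() {
    awk '
        /^[ \t]*([#;]|$)/ { next }              # comment or blank line
        /^[ \t]*\[/ {                           # section header
            sec = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            next
        }
        sec == "global" {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)
            if (key != "ntlmauth") next
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            found = val                          # a later line overrides
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Succeed when the value is the one from the thread ("yes") or an equivalent.
# "ntlmv1-permitted" is the named form used by newer Samba releases.
ntlm_auth_permits_ntlmv1() {
    case "$(ntlm_auth_setting "$1")" in
        yes|true|1|ntlmv1-permitted) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample file; on a real system pass /etc/samba/smb.conf instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Global]
   workgroup = EXAMPLE
   ; ntlm auth = no
   NTLM Auth = Yes
[homes]
   ntlm auth = no
EOF
echo "ntlm auth in [global]: $(ntlm_auth_setting "$sample")"
rm -f "$sample"
```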
Responses (12)
  • Accepted Answer

    Monday, October 23 2017, 05:44 PM - #Permalink
    Resolved
    0 votes
    @Victor,
    Importing a backup is a fix to the LDAP issue and not to the issue in this thread. To fix the issue in this thread you need to edit the file manually or just do a "yum update" as a fix has been released.
  • Accepted Answer

    Monday, October 23 2017, 04:28 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    Here's the solution. In /etc/samba/smb.conf, add the following to the "global" section of the configuration:

    ntlm auth = yes

    And then restart Winbind:

    service winbind restart

    I'll post a bug report and will push a quick fix.




    Hi, I have this problem too and cannot restore the last backup; this error shows on the screen.

    Regards
  • Accepted Answer

    mpstulir
    Sunday, October 22 2017, 11:49 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    Here's the solution. In /etc/samba/smb.conf, add the following to the "global" section of the configuration:

    ntlm auth = yes

    And then restart Winbind:

    service winbind restart

    I'll post a bug report and will push a quick fix.


    That was the fix for me. Thank you so much to all who contributed to finding this solution!!!
  • Accepted Answer

    Saturday, October 21 2017, 04:50 PM - #Permalink
    Resolved
    0 votes
    Hi Foeke,
    Underneath the hood, app-attack-detector uses fail2ban. To whitelist an IP or subnet, create a file /etc/fail2ban/jail.local which is where you should put overrides to /etc/fail2ban/jail.conf. In it put a section like mine:
    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    # Home IP's, Clearcenter MX Backups x3, Work x4
    ignoreip = 127.0.0.1/8 172.17.2.0/23 192.168.10.0/24 192.168.30.0/24 10.8.0.0/24 67.18.3.134 173.255.233.57 159.203.59.228 194.62.204.0/22 194.62.208.0/22 194.62.212.0/23 217.243.151.200/29
    I copied the block from jail.conf then modified it. Obviously change the IPs and subnets you want to whitelist. I whitelist my whole LAN and a few other IPs. Then restart app-attack-detector.
  • Accepted Answer

    Saturday, October 21 2017, 03:19 PM - #Permalink
    Resolved
    0 votes
    Thanks Peter! That was it.

    I had a bit of a scare when the "Attackdetector" didn't trust the WinSCP login attempts at the same time with putty. So it blocked my local IP before I could restart the winbind service. And it seemed the COS box went down.
    Of course I thought the cause was changing that file.

    Luckily I saw IM coming in on my phone so I knew my phone was still up, then the COS box must also be reachable. Now I can try to figure out how I can whitelist in that app.

    Anyways, VPN is working again!
  • Accepted Answer

    Friday, October 20 2017, 09:21 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    @Victor, Please post in the correct thread.


    OK, regards
  • Accepted Answer

    Friday, October 20 2017, 08:43 PM - #Permalink
    Resolved
    0 votes
    @Victor, Please post in the correct thread.
  • Accepted Answer

    Friday, October 20 2017, 07:38 PM - #Permalink
    Resolved
    0 votes
    Hi, I also have a problem starting the slapd service. I executed the command "service slapd status"; see the message it gives me:

    [root@pptp openldap]# service slapd status
    Redirecting to /bin/systemctl status slapd.service
    ● slapd.service - OpenLDAP Server Daemon
    Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Fri 2017-10-20 14:34:12 CDT; 28s ago
    Docs: man:slapd
    man:slapd-config
    man:slapd-hdb
    man:slapd-mdb
    file:///usr/share/doc/openldap-servers/guide.html
    Process: 7097 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
    Process: 7077 ExecStartPre=/usr/libexec/openldap/prestart.sh (code=exited, status=0/SUCCESS)

    Oct 20 14:34:12 pptp runuser[7081]: pam_unix(runuser:session): session closed for user ldap
    Oct 20 14:34:12 pptp prestart.sh[7077]: Checking configuration file failed:
    Oct 20 14:34:12 pptp prestart.sh[7077]: 59ea4fb4 User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined
    Oct 20 14:34:12 pptp prestart.sh[7077]: 59ea4fb4 config error processing olcOverlay={0}ppolicy,olcDatabase={3}bdb,cn=config: User Schema load failed for attribute "pwdMaxRecordedFailure". Error co... type undefined
    Oct 20 14:34:12 pptp prestart.sh[7077]: slaptest: bad configuration file!
    Oct 20 14:34:12 pptp slapd[7097]: @(#) $OpenLDAP: slapd 2.4.44 (Aug 12 2017 06:10:11) $
    mockbuild@build64-1.clearsdn.local:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
    Oct 20 14:34:12 pptp systemd[1]: slapd.service: control process exited, code=exited status=1
    Oct 20 14:34:12 pptp systemd[1]: Failed to start OpenLDAP Server Daemon.
    Oct 20 14:34:12 pptp systemd[1]: Unit slapd.service entered failed state.
    Oct 20 14:34:12 pptp systemd[1]: slapd.service failed.
    Hint: Some lines were ellipsized, use -l to show in full.


    Please help me, my users can't connect.
  • Accepted Answer

    mpstulir
    Friday, October 20 2017, 05:52 PM - #Permalink
    Resolved
    0 votes
    LDAP was the second thing I checked and it is running. I am still dissecting the logs, so please bear with me as I make progress. :) I am seeing a lot of "GRE: Bad checksum from pptp" errors along with "Input/output error, usually caused by unexpected termination pptp" errors in the messages log. I am also seeing "Peer {username} failed CHAP authentication" errors. System logs are showing that incoming GRE and TCP are allowed for PPTP. Secure logs show the usual "pam_unix(ppp:session)" opening/closing for all PPTP sessions up until the start of the update at 6:15am. Nothing since then.
  • Accepted Answer

    Friday, October 20 2017, 05:37 PM - #Permalink
    Resolved
    0 votes
    Don't worry about the size of the update. I understand why mine was not full - a result of a brand new installation not falling back to the community repos until 30 days have elapsed.

    Can you tell me if your LDAP is running?
  • Accepted Answer

    mpstulir
    Friday, October 20 2017, 05:01 PM - #Permalink
    Resolved
    0 votes
    Exact same issue here. According to my logs, an update was performed at 6:15am today. PPTP has not functioned since. I do not have any Win10 in this network, but Win7 remote systems are prompted to re-enter credentials and eventually show the same error 619 as has been reported. Windows 8 PCs also prompt for credentials and eventually fail with "Error 734 -- PPP Link Control Protocol Was Terminated" message. PPTP service has been restarted and the router rebooted with no effect.
  • Accepted Answer

    Friday, October 20 2017, 04:52 PM - #Permalink
    Resolved
    0 votes
    Can I ask how many files you got on your update? I only had a partial update with 266 packages but it missed a whole bunch I was expecting as well (all the app-* packages, kernel etc). I believe the devs are having another look at the repos to check they have the correct update.

    Can you have a look in /var/log/messages, /var/log/system and /var/log/secure for other pointers (including firewall issues)?

    Also check that LDAP is running ("service slapd status") as another poster is having problems with that.