[pptp-server] pppd smb authentication (was: truly newbie)

Iván Montoro Ten ivanm at knowgate.com
Sun Apr 23 12:26:24 CDT 2000


Hi John,

I've just solved the problem with ipchains, no proxyarp argument needed :)
Thinking about NT authentication I've just seen a tiny module for Apache
called mod_auth_smb that, without samba, can authenticate an NT Domain user.
I know anything about programming, but I'll investigate if I can add an
authentication schema to PPPD to invoke the methods mod_auth_smb has.

>> The only thing I'm not sure if it's my fault
>> or document's is I have to insmod mppe each 
>> time I start VPN daemon via pptpd.init.
> Sounds like you forgot to add the following line to the 
> /etc/conf.modules file: alias ppp-compress-18 ppp_mppe
A little typo. I wrote mpee, not mppe :)
 
>> I can also telnet linux box to check out connection, and 
>> snooping I see crypted data. But then I can't ping any 
>> other host on my network and can't open \\SERVER\resource. 
> Sounds like you need to add the "proxyarp" argument to your /etc/ppp/options
> file. You might also want to add "ms-wins w.x.y.z" arguments using your WINS
> address instead of w.x.y.z. Check pppd man page for more info on these.
Well, since I think WINS stands for Windows Internet Name Service I think this
will be some kind of DNS for Windows. How can I setup a WINS server? I've just
installed SAMBA in the same machine for my own file upload (hate windows ftp :)

>> I think I need to setup also ipchains to masquerade this IP...
> This shouldn't be a problem...
Well, it was for me :)

>> Another little thing is if I can use my domain security to 
>> feed in some way
>> /etc/ppp/chap.secrets, so security is managed through my PDC. 
>> That's a minor
>> problem, but anti-linux people here will attack penguin's OS 
>> by that way.

> I've been thinking about this problem for a while and haven't come up with a
> solution yet. The real limitation here is that in order to use CHAP
> authentication PPPD must have the clear text form of the password. WinNT
> stores the password in a hash that can be reversed, Linux/Unix does not.
> This is why CHAP cannot be used with the "login" pppd option.

> The only way around this, that I can think of, is to put a RADIUS server on
> WinNT and compile pppd with the radius authentication extensions. I haven't
> tried this, nor have I spent much time investigating this so at this point
> it's just a theory.

> Can anyone add to this RADIUS theory???

> The work-around (until I can figure out how to do this) is to setup your
> chap-secrets file with the domain and logon that is used on the PDC. The
> password could be different. If this is setup then Win9x and WinNT users
> will be able to access the resources on the NT domain. If the password is
> not the same they may have to logon again when first accessing. Here is an
> example chap-secrets file:

> SALES_DOM\\JSMITH		*	"mypasswd"	*

Greetings
Iván Montoro Ten
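
Added example, not part of the original message and not code from pppd: standard MD5 CHAP as defined in RFC 1994, showing why the authenticator needs the clear-text secret from chap-secrets and cannot work from a one-way hash. It assumes plain CHAP rather than MS-CHAP; the function names are hypothetical and the parser only approximates pppd's file syntax.

```python
import hashlib
import hmac
import os
import shlex

# Constructed sample: the chap-secrets entry quoted in the message above.
CHAP_SECRETS = r'SALES_DOM\\JSMITH * "mypasswd" *'
USER = "SALES_DOM\\JSMITH"

def parse_chap_secrets(text):
    """Return {client: secret} from 'client server secret addresses' lines."""
    secrets = {}
    for line in text.splitlines():
        # shlex approximates pppd's quoting: "..." groups, \\ escapes, # comments
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            client, _server, secret = fields[:3]
            secrets[client] = secret.encode()
    return secrets

def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5(Identifier octet || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def server_verify(secrets, client, identifier, challenge, response):
    """Authenticator side: recompute the response from the stored secret."""
    secret = secrets.get(client)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    identifier, challenge = 1, os.urandom(16)
    # Peer side: the user types the clear-text password.
    response = chap_response(identifier, b"mypasswd", challenge)
    # Server holding the clear-text secret can check the response.
    with_cleartext = server_verify(parse_chap_secrets(CHAP_SECRETS),
                                   USER, identifier, challenge, response)
    # Server holding only a one-way hash of the password (as a Unix password
    # database does) has nothing it can feed into the MD5 computation.
    hashed_db = {USER: hashlib.sha256(b"mypasswd").hexdigest().encode()}
    with_hash_only = server_verify(hashed_db, USER, identifier, challenge, response)
    return with_cleartext, with_hash_only

if __name__ == "__main__":
    print(demo())
```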


