[pptp-server] pppd smb authentication (was: truly newbie)

John Van Ostrand john at netdirect.ca
Mon Apr 24 08:00:39 CDT 2000


Setting up WINS is easy if you have Samba. Simply put the following line in
the [global] section of the /etc/smb.conf file:

	wins support = yes

This line is likely already there but commented out.

Alternatively if you have an NT server you can add in the WINS service.

Then to use WINS you'll have to set up each Windows workstation (and non-WINS
Samba server) to use your new WINS server. This is required because
each system needs to register itself with the WINS server. This is how WINS
works. You can either manually configure the WINS server in the Network
Control Panel applet or, if you have a DHCP server, set up the "option netbios
name servers" line. A DHCP server is available for Linux; watch out though,
one is a DHCP client daemon - dhcpcd, the other is the server. If you
install this, read the dhcp-options man page.

John.

> -----Original Message-----
> From: Iván Montoro Ten [mailto:ivanm at knowgate.com]
> Sent: Sunday, April 23, 2000 1:26 PM
> To: 'John Van Ostrand'; Pptp-List (E-mail)
> Subject: RE: [pptp-server] pppd smb authentication (was: truly newbie)
> 
> 
> Hi John,
> 
> I've just solved the problem with ipchains, no proxyarp argument needed :)
> Thinking about NT authentication I've just seen a tiny module for Apache
> called mod_auth_smb that, without samba, can authenticate an NT Domain user.
> I know anything about programming, but I'll investigate if I can add an
> authentication schema to PPPD to invoke the methods mod_auth_smb has.
> 
> >> The only thing I'm not sure if it's my fault
> >> or document's is I have to insmod mppe each 
> >> time I start VPN daemon via pptpd.init.
> > Sounds like you forgot to add the following line to the 
> > /etc/conf.modules file: alias ppp-compress-18 ppp_mppe
> A little typo. I wrote mpee, not mppe :)
>  
> >> I can also telnet linux box to check out connection, and 
> >> snooping I see crypted data. But then I can't ping any 
> >> other host on my network and can't open \\SERVER\resource. 
> > Sounds like you need to add the "proxyarp" argument to your /etc/ppp/options
> > file. You might also want to add "ms-wins w.x.y.z" arguments using your WINS
> > address instead of w.x.y.z. Check pppd man page for more info on these.
> Well, since I think WINS stands for Windows Internet Name Service I think this
> will be some kind of DNS for Windows. How can I set up a WINS server? I've just
> installed SAMBA in the same machine for my own file upload (hate windows ftp :)
> 
> >> I think I need to setup also ipchains to masquerade this IP...
> > This shouldn't be a problem...
> Well, it was for me :)
> 
> >> Another little thing is if I can use my domain security to 
> >> feed in some way
> >> /etc/ppp/chap.secrets, so security is managed through my PDC. 
> >> That's a minor
> >> problem, but anti-linux people here will attack penguin's OS 
> >> by that way.
> 
> > I've been thinking about this problem for a while and haven't come up with a
> > solution yet. The real limitation here is that in order to use CHAP
> > authentication PPPD must have the clear text form of the password. WinNT
> > stores the password in a hash that can be reversed, Linux/Unix does not.
> > This is why CHAP cannot be used with the "login" pppd option.
> 
> > The only way around this, that I can think of, is to put a RADIUS server on
> > WinNT and compile pppd with the radius authentication extensions. I haven't
> > tried this, nor have I spent much time investigating this so at this point
> > it's just a theory.
> 
> > Can anyone add to this RADIUS theory???
> 
> > The work-around (until I can figure out how to do this) is to set up your
> > chap-secrets file with the domain and logon that is used on the PDC. The
> > password could be different. If this is set up then Win9x and WinNT users
> > will be able to access the resources on the NT domain. If the password is
> > not the same they may have to logon again when first accessing. Here is an
> > example chap-secrets file:
> 
> > SALES_DOM\\JSMITH		*	"mypasswd"	*
> 
> Greetings
> Iván Montoro Ten
> 
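
The CHAP limitation discussed in this thread, as an added example that is not part of the original messages and is not pppd code: standard CHAP (RFC 1994) computes MD5(identifier || secret || challenge), so a server that keeps only a one-way password hash cannot recompute the peer's response. The class and function names are hypothetical, PBKDF2 stands in for the Unix password hash, and the challenge is constructed.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def kdf(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the one-way Unix password hash.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

class CleartextStore:
    """Hypothetical model of chap-secrets: the server keeps the secret itself."""
    def __init__(self, secrets: dict):
        self.secrets = secrets

    def verify_chap(self, user, ident, challenge, response) -> bool:
        expected = chap_response(ident, self.secrets[user], challenge)
        return hmac.compare_digest(expected, response)

class HashedStore:
    """Hypothetical model of a Unix password database: salt + one-way hash only."""
    def __init__(self):
        self.records = {}

    def enroll(self, user, password: bytes):
        salt = os.urandom(16)
        self.records[user] = (salt, kdf(password, salt))

    def check_password(self, user, password: bytes) -> bool:
        # Possible when the peer sends the password itself (PAP / "login").
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, kdf(password, salt))

    def verify_chap(self, user, ident, challenge, response) -> bool:
        # The stored hash is all the server has, and it is not the CHAP secret.
        _, stored = self.records[user]
        return hmac.compare_digest(chap_response(ident, stored, challenge), response)

def demo() -> dict:
    user, password = "SALES_DOM\\JSMITH", b"mypasswd"  # sample entry from the thread
    ident, challenge = 1, os.urandom(16)               # constructed challenge
    response = chap_response(ident, password, challenge)  # what the peer sends
    clear, hashed = CleartextStore({user: password}), HashedStore()
    hashed.enroll(user, password)
    return {"cleartext_chap": clear.verify_chap(user, ident, challenge, response),
            "hashed_login": hashed.check_password(user, password),
            "hashed_chap": hashed.verify_chap(user, ident, challenge, response)}
```

Calling `demo()` shows the same account passing CHAP against the clear-text store and passing a password check against the hashed store, while CHAP against the hashed store fails.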


