[pptp-server] Is anyone interested in authenticating against an NT PDC?

Vladimir Strezhnev vlast at indivisuallearning.com
Fri Jul 26 09:48:52 CDT 2002


PAM-enabled pppd can be configured to authenticate against an NT (W2K) PDC 
only with PAP.
MSCHAP would not work. See multiple explanations in this list's archives.
So the best that can be done with ppp in this context is to configure 
dialups to authenticate rasusers via the NT PDC.

We use Samba with winbind, configured as a member server in a W2K PDC 
controlled domain.
With /etc/pam.d/ppp and /etc/ppp/ppplogin configured as follows it is 
possible, for example, to use
MS Exchange e-mail accounts to authenticate dialups.
No accounts, passwords or pap-secrets on the Linux raserver.
You do not even need to actually run smbd. Only nmbd and winbindd are enough.

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_nologin.so
# to deny dialup to selected e-mail accounts
auth       required     pam_listfile.so item=user sense=deny file=/etc/rasusers
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth use_first_pass nullok
account    required     pam_winbind.so
session    required     pam_stack.so service=system-auth
session    optional     pam_sessionlog.so service=dial


#!/bin/sh
#/etc/ppp/ppplogin
mesg n
stty -echo
/usr/sbin/pppd silent auth -chap +pap login
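
A lint for the /etc/pam.d/ppp layout above, as an added example that is not part of the original post: it flags rules broken by mail line-wrapping and a "sufficient" auth module placed ahead of the pam_listfile.so deny list, since a successful "sufficient" module ends the auth stack before later rules run. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint a PAM service file laid out
# like the /etc/pam.d/ppp above. Exit status 0 = no findings, 1 = findings.
check_ppp_pam() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    $1 !~ /^-?(auth|account|password|session)$/ {
        # A mail-wrapped fragment such as "file=/etc/rasusers" lands here.
        printf "line %d: not a PAM rule (wrapped line?): %s\n", NR, $0
        bad = 1; next
    }
    $1 == "auth" && $3 ~ /pam_listfile\.so$/ && /sense=deny/ {
        if ($0 !~ /file=/) {
            printf "line %d: pam_listfile has no file= argument\n", NR; bad = 1
        } else if (!sufficient_seen) deny_ok = 1
    }
    $1 == "auth" && $2 == "sufficient" {
        if (!deny_ok) {
            printf "line %d: sufficient module runs before any deny list\n", NR
            bad = 1
        }
        sufficient_seen = 1
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the auth stack from the post, each rule on one line.
sample_pam() {
    cat <<'EOF'
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/rasusers
auth       sufficient   pam_winbind.so
account    required     pam_winbind.so
EOF
}

tmp=$(mktemp) && sample_pam > "$tmp"
if check_ppp_pam "$tmp"; then echo "ppp PAM stack: no findings"; fi
rm -f "$tmp"
```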




