[pptp-server] Is anyone interested in authenticating against an NT PDC?
Vladimir Strezhnev
vlast at indivisuallearning.com
Fri Jul 26 09:48:52 CDT 2002
PAM-enabled pppd can be configured to authenticate against an NT (W2K) PDC only with PAP.
MSCHAP would not work. See multiple explanations in this list's archives.
So the best that can be done with ppp in this context is to configure dialups to authenticate rasusers via the NT PDC.

We use Samba with winbind, configured as a member server in a W2K PDC controlled domain.
With /etc/pam.d/ppp and /etc/ppp/ppplogin configured as follows it is possible, for example, to use MS Exchange e-mail accounts to authenticate dialups.
No accounts, passwords or pap-secrets on the Linux raserver.
You do not even need to actually run smbd. Only nmbd and winbindd are enough.

#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
# to deny dialup to selected e-mail accounts
auth required pam_listfile.so item=user sense=deny file=/etc/rasusers
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth use_first_pass nullok
account required pam_winbind.so
session required pam_stack.so service=system-auth
session optional pam_sessionlog.so service=dial

#!/bin/sh
#/etc/ppp/ppplogin
mesg n
stty -echo
/usr/sbin/pppd silent auth -chap +pap login
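
Added example (not part of the original post, and not pppd or Linux-PAM code): a small Python model of how Linux-PAM's required/sufficient control flags resolve the auth lines of the /etc/pam.d/ppp stack quoted above. Module results are constructed inputs rather than real PAM calls, and evaluate() and attempt() are hypothetical helper names.

```python
# Models Linux-PAM's simple control flags for the auth lines of /etc/pam.d/ppp.
# Module outcomes are constructed inputs; nothing here calls PAM or winbindd.
AUTH_STACK = [
    ("required", "pam_securetty.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_listfile.so"),    # deny list: /etc/rasusers
    ("sufficient", "pam_winbind.so"),   # domain check via winbindd
    ("required", "pam_stack.so"),       # local system-auth fallback
]

def evaluate(stack, outcomes):
    """Return (granted, modules_run) for one auth attempt.

    outcomes maps module name -> True (success) or False (failure).
    """
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran               # fail immediately
        if control == "required":
            required_failed |= not ok       # remembered; the stack keeps running
            any_success |= ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True, ran            # short-circuit: later modules never run
            # a failed 'sufficient' module is ignored
        elif control == "optional":
            any_success |= ok
    return (any_success and not required_failed), ran

def attempt(in_deny_list, domain_ok, local_ok):
    """One dial-in attempt against the stack above (hypothetical helper)."""
    outcomes = {
        "pam_securetty.so": True,
        "pam_nologin.so": True,
        "pam_listfile.so": not in_deny_list,  # sense=deny: a listed user fails
        "pam_winbind.so": domain_ok,
        "pam_stack.so": local_ok,
    }
    return evaluate(AUTH_STACK, outcomes)
```

In this model a user listed in /etc/rasusers is refused even with a valid domain password, because the required pam_listfile.so failure is remembered past pam_winbind.so. When pam_winbind.so fails, the stack falls through to system-auth, so any local account that system-auth accepts still passes.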