poptop_ads_howto_3.htm 4.2 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768
  1. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  2. "http://www.w3.org/TR/html4/loose.dtd">
  3. <html>
  4. <head>
  5. <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  6. <title>Poptop MSCHAP2 ADS Howto</title>
  7. <style type="text/css">
  8. <!--
  9. .style1 {
  10. font-family: "Courier New", Courier, mono;
  11. font-size: 12px;
  12. }
  13. -->
  14. </style>
  15. </head>
  16. <body>
  17. <p><strong><a name="selinux"></a>5. Fedora and SELINUX</strong></p>
  18. <p>There is a report from Frederick Chapleau on SELINUX causing problem on PPTPD. It affects user authentication with Winbind and Radius. SELINUX is enabled by default on Fedora, you may very likely run into this problem if you take all default settings when installing Fedora. </p>
  19. <p>Frederick said in his email:</p>
  20. <blockquote>
  21. <p>&quot;This issue was not appearing with plain text file (chap.secret) or with CHAPv1 authentication. Only in the combination of MS-CHAPv2 and Winbind (with or without radius)&quot;</p>
  22. </blockquote>
  23. <p>Disabling SELINUX may be an easy fix but you may want to consider the security implication too.</p>
  24. <p>For more information on this issue, please go to <a href="http://yaoblogs.com/blogs/fchapleau/archive/2007/04/24/pptp-and-the-bug.aspx">here</a>.</p>
  25. <p></p>
  26. <hr>
  27. <a name="network"><strong>6. Network Configuration </strong></a>
  28. <p>Microsoft AD depends heavily on DNS. You should have the DNS server working first. </p>
  29. <p>The pptp gateway should use the Active Directory DNS server instead of the one provided by your ISP. Otherwise, the gateway may have problems to locate the domain controller. Here is the /etc/resolv.conf in my test gateway. </p>
  30. <blockquote>
  31. <pre>search examplenet.org
  32. nameserver 10.0.0.1</pre>
  33. </blockquote><p></p>
  34. <hr>
  35. <a name="defaultroute"><strong>6.1 Default Gateway and Static Routes</strong></a>
  36. <p>The pptp gateway has two network cards. It is important that the default gateway is pointing to the Internet, your ISP router. Make sure that the internal network card does not have a default gateway address configured. Check the network card configuration files in /etc/sysconfig/network-scripts. </p>
  37. <p>In my test setup, eth0 is the internal card and eth1 is the external one. In the /etc/sysconfig/network-scripts/ifcfg-eth0, it does not have the line GATEWAY=&quot;x.x.x.x&quot;. In the ifcfg-eth1, it has an entry GATEWAY=&quot;x.x.x.x&quot; pointing to the ISP router ip address.</p>
  38. <p>My test internal network has multiple subnets, static routes are set up to direct traffic correctly. If you have a simple single segment internal network, you can skip the following step and go to <a href="#pforward">step 6.2</a>.</p>
  39. <p>To set up static routes in Fedora, create a file static-routes in /etc/sysconfig directory. My static-routes file has one line: </p>
  40. <blockquote>
  41. <pre>any net 172.16.0.0 netmask 255.255.255.0 dev eth0</pre>
  42. </blockquote>
  43. <p>The syntax of the line is important. The line must start with the word &quot;any&quot;.</p>
  44. <p>Check your routing table with the netstat command.</p>
  45. <blockquote>
  46. <pre class="style1">[root@pptp sysconfig]# netstat -nr<br>Kernel IP routing table<br>Destination Gateway Genmask Flags MSS Window irtt Iface
  47. 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1<br>172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0<br>0.0.0.0 192.168.0.2 0.0.0.0 UG 0 0 0 eth1</pre>
  48. </blockquote>
  49. <p><hr>
  50. <strong><a name="pforward"></a>6.2 Enable Packet Forwarding</strong>
  51. <p>For ppp to work, the packet forwarding must be enabled. Edit /etc/sysctl.conf with your favourite editor and change the line:</p>
  52. <blockquote>
  53. <pre>net.ipv4.ip_forward = 0</pre>
  54. </blockquote>
  55. <p>to</p>
  56. <blockquote>
  57. <pre>net.ipv4.ip_forward = 1 </pre>
  58. </blockquote>
  59. <p>The change will be effective on the next reboot. To enable it immediately:</p>
  60. <blockquote>
  61. <pre>[root@pptp etc]# sysctl -p</pre>
  62. </blockquote><p></p>
  63. <hr>
  64. <a href="poptop_ads_howto_4.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_2.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
  65. </body>
  66. </html>