poptop_ads_howto_7.htm 5.9 KB

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>
<body>
<p><strong>12. pptpd and winbindd </strong></p>
<p>This section covers how to configure pptpd + winbindd + AD. If you are working on the freeradius configuration, you may skip this section and go to the <a href="poptop_ads_howto_8.htm">next one</a>. </p>
<p>Most of the hard work has been done in the previous sections. You are very close to the final stage.</p>
<hr>
<strong><a name="wbtest"></a>12.1 Enable and Test winbindd</strong>
<p>For Fedora 8, start samba and winbindd with the <em>&quot;service&quot;</em> command.</p>
<blockquote>
<pre>[root@pptp ~]# service smb start<br>Starting SMB services: [ OK ]
[root@pptp ~]# service nmb start<br>Starting NMB services: [ OK ]
[root@pptp ~]# service winbind start<br>Starting Winbind services: [ OK ] </pre>
</blockquote>
<p>For older versions of Fedora, <em>&quot;service smb start&quot;</em> starts both smb and nmb.</p>
<blockquote>
<pre>[root@pptp ~]# service smb start<br>Starting SMB services: [ OK ]<br>Starting NMB services: [ OK ]
[root@pptp ~]# service winbind start<br>Starting Winbind services: [ OK ] </pre>
</blockquote>
<p>winbindd starts and forks a child, so two winbindd processes (a parent and its child, not two threads) show up in the process list. </p>
<blockquote>
<pre>[root@pptp ~]# ps -ef | grep winbind | grep -v grep<br>root 18762 1 0 15:59 ? 00:00:00 winbindd<br>root 18763 18762 0 15:59 ? 00:00:00 winbindd</pre>
</blockquote>
<p>Wait a few minutes for winbindd to contact the domain controller. Then test whether winbindd is working: <em>wbinfo -t</em> verifies the machine account's trust secret with the domain controller, and <em>wbinfo -u</em> enumerates the domain's accounts through winbindd. If you see no error messages from either command, you are in business. Note that the listing is not just people: it includes machine accounts (names ending in $), krbtgt and the built-in Administrator and Guest accounts. Every account winbindd can authenticate will be accepted by pptpd until you restrict access to a group as described in <a href="#access">Section 12.3</a>. </p>
<blockquote>
<pre>[root@acna-pptp etc]# wbinfo -t<br>checking the trust secret via RPC calls succeeded
<br>[root@acna-pptp etc]# wbinfo -u<br>EXAMPLE+Administrator<br>EXAMPLE+Guest<br>EXAMPLE+SUPPORT_388945a0<br>EXAMPLE+DC1$<br>EXAMPLE+krbtgt<br>EXAMPLE+skwok<br>EXAMPLE+ldapuser<br>EXAMPLE+pptpdsvr$
</pre>
</blockquote>
<p>To enable smb, nmb and winbind on bootup, use the chkconfig command.</p>
<blockquote>
<pre>[root@pptp ~]# chkconfig winbind on
[root@pptp ~]# chkconfig nmb on
[root@pptp ~]# chkconfig smb on </pre>
</blockquote>
<p>Please note that for older versions of Fedora, smb spawns nmb automatically, so only smb and winbind need to be enabled there. On F8 they are separate services and nmb must be enabled on its own.</p>
<hr>
<strong><a name="pptpconf"></a>12.2 Configure pptpd </strong>
<p>There are two configuration files for pptpd. The first one is /etc/pptpd.conf. You can mostly keep it as it is, except for the IP address range for the ppp connections. Edit the file and add two lines at the bottom to specify the local IP address and the IP address pool for the remote connections. </p>
<blockquote>
<pre>localip 10.0.0.10<br>remoteip 10.0.0.101-200 </pre>
</blockquote>
<p>10.0.0.10 is the IP address of the internal network card eth0. The remoteip line is the address pool for the remote connections (10.0.0.101 through 10.0.0.200, i.e. 100 addresses, one per connection). If you are running FC6 or above, please refer to <a href="poptop_ads_howto_4.htm#pptpd">Section 8.2</a> for details on the logwtmp option. </p>
<p>Please note that pptpd by default has a limit of 100 connections. You can override it with the &quot;connections&quot; parameter in pptpd.conf; read the remarks in the file. If you raise the limit, enlarge the remoteip pool to match, since every connection needs an address from the pool. </p>
<p>The second configuration file is /etc/ppp/options.pptpd. I stripped off all remarks from my options.pptpd and it is like this:</p>
<blockquote>
<pre>name pptpd
refuse-pap<br>refuse-chap<br>refuse-mschap<br>require-mschap-v2<br>require-mppe-128
ms-dns 10.0.0.1
ms-wins 10.0.0.1
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin winbind.so
ntlm_auth-helper &quot;/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1&quot;</pre>
</blockquote>
<p>The security-relevant lines are the authentication and encryption ones. <em>auth</em> makes pppd require the peer to authenticate. <em>refuse-pap</em>, <em>refuse-chap</em> and <em>refuse-mschap</em> reject the weaker methods so a client cannot negotiate down from MS-CHAPv2 (PAP sends the password in the clear, and plain CHAP cannot produce MPPE keys at all); <em>require-mschap-v2</em> forces MS-CHAPv2, and <em>require-mppe-128</em> drops any session that does not encrypt with 128-bit MPPE. <em>plugin winbind.so</em> hands the MS-CHAPv2 verification to ntlm_auth, which asks winbindd and thus the domain controller, instead of looking in /etc/ppp/chap-secrets; that is why no local password file is needed. <em>name pptpd</em> is the local name pppd uses in that exchange.</p>
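<p>As an added example (not part of the howto), the following shell script audits an options.pptpd file for exactly the settings discussed above: every refuse/require line and the winbind plugin must be present, and options that weaken the tunnel (such as <em>noauth</em> or <em>nomppe</em>) must be absent. The two sample files are constructed inline: one is the hardened listing from this section, the other a permissive file of the kind a stock install leaves behind. Keep in mind that these are the strongest options pppd offers for PPTP; MS-CHAPv2 itself is known to be weak against offline attacks on a captured handshake, so the group restriction in Section 12.3 still matters.</p>

```shell
#!/bin/sh
# Added example, not from the howto: audit /etc/ppp/options.pptpd for the
# authentication/encryption settings Section 12.2 relies on. Paths and the
# sample files below are constructed for illustration.

# Options that must appear on their own line, and options that must not.
REQUIRED="auth refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"
FORBIDDEN="noauth nomppe require-pap require-chap require-mschap"

# option_present FILE OPTION -> true if OPTION is a whole, uncommented line.
# Anchoring at both ends keeps "refuse-mschap" from matching "refuse-mschap-v2".
option_present() {
    sed 's/#.*//' "$1" | grep -q "^[[:space:]]*$2[[:space:]]*$"
}

# audit_pptpd_options FILE -> one finding per line; exit 0 only when clean.
audit_pptpd_options() {
    file=$1 rc=0
    for opt in $REQUIRED; do
        option_present "$file" "$opt" || { echo "MISSING $opt"; rc=1; }
    done
    for opt in $FORBIDDEN; do
        ! option_present "$file" "$opt" || { echo "WEAK    $opt"; rc=1; }
    done
    # Without the plugin pppd checks /etc/ppp/chap-secrets and the AD group
    # restriction of Section 12.3 never runs.
    option_present "$file" "plugin winbind.so" || { echo "MISSING plugin winbind.so"; rc=1; }
    return $rc
}

# count_findings FILE -> number of findings (0 for a clean file).
count_findings() { audit_pptpd_options "$1" | grep -c . ; }

# --- constructed sample inputs ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/hardened" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 10.0.0.1
ms-wins 10.0.0.1
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
EOF

cat > "$tmp/weak" <<'EOF'
name pptpd
# nothing refused, so the client may negotiate PAP or CHAP; MPPE disabled
ms-dns 10.0.0.1
proxyarp
lock
auth
nodefaultroute
require-mschap-v2
nomppe
EOF

echo "== hardened =="; audit_pptpd_options "$tmp/hardened" && echo "clean"
echo "== weak ==";     audit_pptpd_options "$tmp/weak"     || echo "needs fixing"
```

<p>Run it against the live file with <em>audit_pptpd_options /etc/ppp/options.pptpd</em> after sourcing the script; a non-zero exit status means a finding was printed. The check is deliberately strict about whole-line matches, so a commented-out <em>#require-mppe-128</em> counts as missing.</p>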
<p>If you have Windows XP clients, you may want to reduce the MTU size. Add the line /sbin/ifconfig $1 mtu 1400 to /etc/ppp/ip-up as shown in the following listing; $1 is the ppp interface that has just come up. Note the comment at the top of that file: it belongs to the ppp package and may be overwritten on upgrade, so the same line is safer in /etc/ppp/ip-up.local, which ip-up calls with the same arguments.</p>
<blockquote>
<pre>[root@pptp ppp]# cat ip-up
#!/bin/bash
# This file should not be modified -- make local changes to
# /etc/ppp/ip-up.local instead
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
LOGDEVICE=$6
REALDEVICE=$1
[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
<strong>/sbin/ifconfig $1 mtu 1400</strong>
exit 0</pre>
</blockquote>
<p>The above example reduces the MTU size to 1400. In my environment, I found that XP will connect the VPN and ping all servers without problems; however, it cannot connect to the Microsoft Exchange server properly. Reducing the MTU size to 1400 fixed the problem.</p>
<p>After fixing the files, we can start pptpd and connect to it from a remote client. To enable it on bootup and start it:</p>
<blockquote>
<pre>[root@pptp ~]# chkconfig pptpd on<br><br>[root@pptp ~]# service pptpd start<br>Starting pptpd: [ OK ]</pre>
</blockquote>
<hr>
<strong><a name="access"></a>12.3 PPTP Access Control </strong>
<p>The above configuration allows everyone with a valid user ID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, create a group, say VPN_Allowed, in the AD, add users to the group, and modify the ntlm_auth-helper line in /etc/ppp/options.pptpd:</p>
<blockquote>
<pre>ntlm_auth-helper &quot;/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE+VPN_Allowed&quot; </pre>
</blockquote>
<p>The group is written with winbind's domain separator, the same &quot;+&quot; you saw in the wbinfo -u output; --require-membership-of also accepts the group's SID, which survives a rename of the group. No restart is needed: pptpd starts a fresh pppd for every connection, so the change applies to new connections, while sessions that are already up are not re-checked.</p>
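<p>As an added example (not part of the howto), this shell script verifies the group policy before any client connects, by driving ntlm_auth with the same ntlm-server-1 helper protocol that pppd's winbind plugin uses and the same --require-membership-of argument. The domain EXAMPLE, the group EXAMPLE+VPN_Allowed and the helper path are taken from this page; the accounts, passwords and expected verdicts are placeholders, and the request/reply field names are those of the ntlm-server-1 protocol as I know it from ntlm_auth, so confirm them against the ntlm_auth(1) man page of your Samba version.</p>

```shell
#!/bin/sh
# Added example, not from the howto: exercise the VPN_Allowed group check the
# way pppd's winbind plugin does, via ntlm_auth's ntlm-server-1 helper protocol.
# Assumptions: domain EXAMPLE, winbind separator '+', group EXAMPLE+VPN_Allowed,
# helper at /usr/bin/ntlm_auth. Accounts and passwords below are placeholders.

NTLM_AUTH=${NTLM_AUTH:-/usr/bin/ntlm_auth}
GROUP=${GROUP:-EXAMPLE+VPN_Allowed}

# ntlm_request DOMAIN USER PASSWORD -> the request the helper reads on stdin.
# A line holding a single '.' terminates it. pppd sends LANMAN-Challenge:/
# NT-Response: instead of a plaintext Password:, but the membership check and
# the reply format are the same.
ntlm_request() {
    printf 'NT-Domain: %s\nUsername: %s\nPassword: %s\n.\n' "$1" "$2" "$3"
}

# ntlm_verdict -> reads the helper's reply on stdin and prints allow or deny.
# Anything other than an explicit "Authenticated: Yes" (including an empty
# reply because the helper is missing) is treated as deny, i.e. fail closed.
ntlm_verdict() {
    if grep -q '^Authenticated: Yes'; then echo allow; else echo deny; fi
}

# vpn_auth DOMAIN USER PASSWORD -> allow/deny exactly as pppd would see it.
vpn_auth() {
    ntlm_request "$1" "$2" "$3" \
      | "$NTLM_AUTH" --helper-protocol=ntlm-server-1 --require-membership-of="$GROUP" \
      | ntlm_verdict
}

# check_policy -> reads "DOMAIN USER PASSWORD EXPECTED" lines on stdin, runs
# each through vpn_auth and prints mismatches; exit 0 only if all agree.
check_policy() {
    failures=0
    while read -r domain user password expected; do
        case "$domain" in ''|\#*) continue ;; esac
        got=$(vpn_auth "$domain" "$user" "$password")
        if [ "$got" != "$expected" ]; then
            echo "MISMATCH $domain+$user: expected $expected, got $got"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed cases: skwok is assumed to be in VPN_Allowed, ldapuser not.
CASES='# domain  user      password          expected
EXAMPLE   skwok     correct-password  allow
EXAMPLE   ldapuser  correct-password  deny
EXAMPLE   skwok     wrong-password    deny'

if command -v "$NTLM_AUTH" >/dev/null 2>&1; then
    printf '%s\n' "$CASES" | check_policy && echo "policy OK"
else
    echo "ntlm_auth not found; skipping live check" >&2
fi
```

<p>Run this on the pptpd server as root, since ntlm_auth needs access to winbindd's privileged pipe. Two quicker spot checks use flags ntlm_auth and wbinfo already provide: <em>wbinfo -a 'EXAMPLE\skwok%password'</em> confirms that winbindd can authenticate the account at all, and <em>ntlm_auth --username=skwok --domain=EXAMPLE --password=... --require-membership-of=EXAMPLE+VPN_Allowed</em> exits 0 only when both the password and the membership check pass. Do not leave real passwords in a cases file; the list above exists only to show the expected allow/deny pattern.</p>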
<p>That's all on the server side. If winbind works for you, you can proceed to configure the client. The client PCs require special configuration, which is discussed <a href="poptop_ads_howto_11.htm">here</a>.</p>
<hr>
<a href="poptop_ads_howto_8.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_6.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a></body>
</html>