PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto
SOURCE: http://poptop.sourceforge.net/dox/skwok/poptop_ads_howto_6.htm
You will need winbindd, which is in samba-common.

4. The Test Environment

I have built a test environment as shown in the diagram. In the rest of the howto, the software configurations are based on this topology. A Windows 2003 R2 SP2 Server is set up as the AD domain controller, DNS server and WINS server. The pptp gateway is the Linux box, which has two network cards. One connects to the internal network, 10.0.0.0/24, and the other connects to the Internet with IP address 192.168.0.10/24. The internal network has two subnets, 10.0.0.0/24 and 172.16.0.0/24. The domain name of the Windows AD domain is EXAMPLENET.ORG and the corresponding netbios name is EXAMPLE.

Windows Domain Summary:
    Domain Controller Name:        dc1.examplenet.org
    Domain Controller IP Address:  10.0.0.1
    DNS IP Address:                10.0.0.1
    WINS IP Address:               10.0.0.1
    AD Domain Name:                examplenet.org
    AD Netbios Domain Name:        example

Note: The Windows server that I used for FC4/5/6 testing was a Windows 2003 Standard with SP1. In other words, the information presented in the Appendix for FC 4, 5 and 6 has not been tested against Windows 2003 R2, although I believe it should work.

5. Fedora and SELinux

There is a report from Frederick Chapleau of SELinux causing a problem with PPTPD. It affects user authentication with Winbind and Radius. SELinux is enabled by default on Fedora, so you will very likely run into this problem if you take all the default settings when installing Fedora. Frederick said in his email:

"This issue was not appearing with a plain text file (chap.secret) or with CHAPv1 authentication. Only in the combination of MS-CHAPv2 and Winbind (with or without radius)."

Disabling SELinux may be an easy fix, but you should consider the security implications too. For more information on this issue, please see here.

6. Network Configuration

Microsoft AD depends heavily on DNS.
You should have the DNS server working first. The pptp gateway should use the Active Directory DNS server instead of the one provided by your ISP; otherwise the gateway may have problems locating the domain controller. Here is the /etc/resolv.conf on my test gateway:

    search examplenet.org
    nameserver 10.0.0.1

6.1 Default Gateway and Static Routes

The pptp gateway has two network cards. It is important that the default gateway points to the Internet, i.e. your ISP router. Make sure that the internal network card does not have a default gateway address configured. Check the network card configuration files in /etc/sysconfig/network-scripts. In my test setup, eth0 is the internal card and eth1 is the external one. /etc/sysconfig/network-scripts/ifcfg-eth0 does not have the line GATEWAY="x.x.x.x". ifcfg-eth1 has an entry GATEWAY="x.x.x.x" pointing to the ISP router IP address.

My test internal network has multiple subnets, so static routes are set up to direct traffic correctly. If you have a simple single-segment internal network, you can skip the following step and go to step 6.2.

To set up static routes in Fedora, create a file named static-routes in the /etc/sysconfig directory. My static-routes file has one line:

    any net 172.16.0.0 netmask 255.255.255.0 dev eth0

The syntax of the line is important: the line must start with the word "any". Check your routing table with the netstat command.

    [root@pptp sysconfig]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
    172.16.0.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
    10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    0.0.0.0         192.168.0.2     0.0.0.0         UG        0 0          0 eth1

6.2 Enable Packet Forwarding

For ppp to work, packet forwarding must be enabled.
Edit /etc/sysctl.conf with your favourite editor and change the line

    net.ipv4.ip_forward = 0

to

    net.ipv4.ip_forward = 1

The change takes effect on the next reboot. To enable it immediately:

    [root@pptp etc]# sysctl -p

7. Install MPPE Kernel Module

If you plan to use MSCHAPv2, MPPE is required. Kernel version 2.6.15 or above already has MPPE built in. The Fedora Core 8 kernel version on the DVD is 2.6.23.1, so you do not need to install the MPPE module as you had to for older kernels. Information on MPPE for FC4 / 5 / 6 is in Appendix A1. To test whether your kernel supports MPPE:

    [root@pptp ~]# modprobe ppp-compress-18 && echo ok

It should return "ok".

Note: The latest kernel for Fedora Core 8 at the time of writing is 2.6.26.3.

8. pppd and pptpd

8.1 pppd

(You can remove the originals that come with the gateway and proceed as suggested below.)

FC8 comes with ppp-2.4.4-2. MPPE support is already enabled. If ppp is not installed, use yum to install it.

    [root@pptp ~]# yum install ppp

Note: Information on how to update the ppp module on FC4 / 5 / 6 is in Appendix A2.

8.2 Install pptpd

From here download the pptpd tarball, pptpd-1.3.4.tar.gz. You can make an RPM from it with the rpmbuild command. If you don't have the rpmbuild command installed, get the package rpm-build through yum.

    [root@pptp ~]# rpmbuild -ta pptpd-1.3.4.tar.gz

The command will create a pptpd rpm in the /usr/src/redhat/RPMS/i386 directory. Install the package with the rpm command.

    [root@pptp ~]# cd /usr/src/redhat/RPMS/i386/
    [root@pptp i386]# rpm -ivh pptpd-1.3.4-1.i386.rpm

Note: The pptpd rpm package is built against ppp-2.4.3, but FC6 or above has ppp-2.4.4. This prevents the tunnel from being established and logs the following error message in /var/log/messages:

    Plugin /usr/lib/pptpd/pptpd-logwtmp.so is for pppd version 2.4.3, this is 2.4.4

The workaround is to disable the logwtmp option in /etc/pptpd.conf. The drawback is that the last command won't show the pptpd login information.
I have produced patched RPMs for pptpd to address the problem. You can find them from the following links.

Search Google for a pptpd RPM for CentOS and force the RPM installation. Example:

    rpm -ihv <pptpd-package-name> --force

9. Samba

Fedora 8 comes with samba v3.0.26a. The current samba RPM version from yum at the time of writing for F8 is v3.0.32. It is highly recommended to use the latest version. The required RPM packages for samba in Fedora are samba, samba-client and samba-common. Install them through yum if any of them is missing.

    [root@pptp ~]# yum install samba samba-common samba-client

Note: Information on Samba for FC4 / 5 / 6 can be found in Appendix A3.

9.1 Configure Samba

Whether you choose winbind or freeradius to connect to Active Directory, you will have to configure samba properly. The configuration file of samba is in /etc/samba and is called smb.conf. The file should have at least the following lines.

    [global]
    # define the netbios name of the domain
    workgroup = EXAMPLE
    # define the pptp server netbios name
    netbios name = PPTPDSVR
    # define the AD domain name
    realm = EXAMPLENET.ORG
    # server description
    server string = pptpd Server
    # printer stuff
    printcap name = /etc/printcap
    load printers = no
    cups options = raw
    # log file stuff
    log file = /var/log/samba/%m.log
    max log size = 50
    # must set to ads
    security = ads
    # address of domain controller
    password server = 10.0.0.1
    # enable encrypt passwords
    encrypt passwords = yes
    # default socket options setting on older samba.
    # It is not defined in v3.0.23c or above
    ;socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # not to be a master browser
    domain master = no
    preferred master = no
    # address of the WINS server
    wins server = 10.0.0.1
    dns proxy = no
    # require this line to join the domain in older samba
    # I don't need this for samba v3.0.23 or above
    ;client use spnego = yes
    # winbind stuff
    idmap uid = 50001-550000
    idmap gid = 50001-550000
    winbind separator = +
    winbind nested groups = Yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/false
    winbind use default domain = no

The lines in bold are the important ones that you should pay attention to. Execute "testparm" to check the configuration. Correct any errors before proceeding to the next step.

10. Kerberos

There are two different versions of the Kerberos client, version 4 from KTH and version 5 from MIT. As Microsoft uses version 5, you should use the MIT version. Fedora includes the MIT one, so the stock version is fine. The packages krb5-lib and krb5-workstation are required. They are installed by default; if they are not, get the latest version from yum.

10.1 Configure Kerberos

The configuration file of Kerberos is /etc/krb5.conf. To connect to AD, the settings must match the domain configuration.

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLENET.ORG
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     EXAMPLENET.ORG = {
      kdc = dc1.examplenet.org:88
      # admin_server = kerberos.example.com:749
      default_domain = examplenet.org
     }

    [domain_realm]
     .examplenet.org = EXAMPLENET.ORG
     examplenet.org = EXAMPLENET.ORG

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Lines shown in bold are the ones you should pay attention to.
Use uppercase as shown.

10.2 Test Kerberos

Before trying to connect to AD, the AD DNS should have an A record for the pptp server. To add the A record, on your Windows DNS server click Start -> Administrative Tools -> DNS. The dnsmgmt window pops up. Click on the "+" next to "Forward Lookup Zones". Right click on the AD domain name, which in our test environment is EXAMPLENET.ORG, and choose "New Host (A)...". Put in the server netbios name as defined in smb.conf and the IP address, then press the "Add Host" button.

When the DNS is ready, it is time to test Kerberos. Please note that the domain name must be in capitals.

    [root@pptp etc]# kinit -V skwok@EXAMPLENET.ORG
    Password for skwok@EXAMPLENET.ORG:
    Authenticated to Kerberos v5

To check the Kerberos tickets:

    [root@pptp etc]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: skwok@EXAMPLENET.ORG

    Valid starting     Expires            Service principal
    09/03/05 14:43:47  09/04/05 00:43:04  krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG
            renew until 09/04/05 14:43:47

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

11. Join the AD Domain

Once Kerberos and Samba are configured, it's time to add the pptpd server to the AD domain.

For Samba versions below 3.0.23:

    [root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG "Asiapac/Australia/Sydney/Servers"
    skwok@EXAMPLENET.ORG's password:
    Using short domain name -- EXAMPLE
    Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG'

For Samba version 3.0.23 or above:

    [root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG createcomputer="Asiapac/Australia/Sydney/Servers"
    skwok@EXAMPLENET.ORG's password:
    Using short domain name -- EXAMPLE
    Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG'

The above net ads join command creates the server in the container "OU=Servers,OU=Sydney,OU=Australia,OU=Asiapac,DC=EXAMPLENET,DC=ORG". The user must have admin rights on the container to create the server object. If the operation is successful, you will see a new server object created in the AD.
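Before running net ads join, it is worth confirming that smb.conf (section 9.1) and krb5.conf (section 10.1) describe the same realm. The following script is an added example, not part of the howto; it runs against constructed sample files whose values follow the test environment above.

```bash
#!/bin/bash
# Added consistency check, not part of the howto: an AD join only works when
# smb.conf and krb5.conf agree on the realm. Prints the mismatches; returns 0 if none.
ini_value() {   # ini_value FILE KEY -> value of the first "KEY = value" line in FILE
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
check_ad_config() {
    local smb="$1" krb="$2" ok=0 realm default_realm domain
    realm=$(ini_value "$smb" realm)
    default_realm=$(ini_value "$krb" default_realm)
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    # Kerberos realm names are case-sensitive and AD realms are upper case.
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "smb.conf realm '$realm' is not upper case"; ok=1; }
    [ "$realm" = "$default_realm" ] \
        || { echo "realm mismatch: smb.conf '$realm' vs krb5.conf '$default_realm'"; ok=1; }
    [ "$(ini_value "$smb" security)" = "ads" ] \
        || { echo "smb.conf: security must be 'ads' to join AD"; ok=1; }
    # [domain_realm] must map the DNS domain (and subdomains) to the realm.
    grep -Eq "^[[:space:]]*\.?${domain}[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" "$krb" \
        || { echo "krb5.conf [domain_realm] does not map $domain to $realm"; ok=1; }
    [ "$ok" -eq 0 ] && echo "consistent"
    return "$ok"
}

# Constructed sample files (values follow the howto's test environment).
TMP=$(mktemp -d)
cat > "$TMP/smb.conf" <<'EOF'
[global]
workgroup = EXAMPLE
realm = EXAMPLENET.ORG
security = ads
password server = 10.0.0.1
EOF
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
default_realm = EXAMPLENET.ORG
[domain_realm]
.examplenet.org = EXAMPLENET.ORG
examplenet.org = EXAMPLENET.ORG
EOF
# Same file with a lower-case realm, to show the mismatch being caught.
sed 's/^default_realm = .*/default_realm = examplenet.org/' "$TMP/krb5.conf" > "$TMP/krb5.bad"
check_ad_config "$TMP/smb.conf" "$TMP/krb5.conf"   # prints "consistent"
check_ad_config "$TMP/smb.conf" "$TMP/krb5.bad" || echo "join would fail"
```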
Another test to see whether the trust between the pptpd server and the domain is working is smbclient.

    [root@pptp ~]# smbclient //dc1/c$ -k
    OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
    smb: \> dir
      AUTOEXEC.BAT                    A         0  Wed Jul 20 10:53:47 2005
      boot.ini                     AHSR       208  Fri Jul 22 10:41:57 2005
      CONFIG.SYS                      A         0  Wed Jul 20 10:53:47 2005
      Documents and Settings          D         0  Fri Jul 22 16:25:51 2005
      download                        D         0  Thu Aug  4 17:31:28 2005
      IO.SYS                       AHSR         0  Wed Jul 20 10:53:47 2005
      MSDOS.SYS                    AHSR         0  Wed Jul 20 10:53:47 2005
      NTDETECT.COM                 AHSR     47772  Fri Jul 22 10:16:32 2005
      ntldr                        AHSR    295536  Fri Jul 22 10:16:32 2005
      pagefile.sys                  AHS 805306368  Fri Aug 12 11:24:27 2005
      Program Files                  DR         0  Wed Jul 20 10:51:09 2005
      shared1                         D         0  Thu Jul 21 17:06:28 2005
      System Volume Information     DHS         0  Fri Jul 22 10:52:09 2005
      WINDOWS                         D         0  Tue Aug 16 14:33:36 2005
      wmpub                           D         0  Wed Jul 20 10:55:13 2005

                    39064 blocks of size 524288. 31129 blocks available
    smb: \>

Note: With Samba v3.0.14a or v3.0.20, every time I run "net ads join", the command crashes at the end with the message "*** glibc detected *** net: free(): invalid pointer: 0x001cddb0 ***" and then a dump to the screen. The join seems to be working fine though. Samba v3.0.21a or above does not have this problem.

12. pptpd and winbindd

This section covers how to configure pptpd + winbindd + AD. If you are working on the freeradius configuration, you may skip this section and go to the next one. Most of the hard work has been done in the previous sections. You are very close to the final stage.

12.1 Enable and Test winbindd

For Fedora 8, start samba and winbindd with the "service" command.

    [root@pptp ~]# service smb start
    Starting SMB services:                                     [  OK  ]
    [root@pptp ~]# service nmb start
    Starting NMB services:                                     [  OK  ]
    [root@pptp ~]# service winbind start
    Starting Winbind services:                                 [  OK  ]

For older versions of Fedora, "service smb start" will start both smb and nmb.
    [root@pptp ~]# service smb start
    Starting SMB services:                                     [  OK  ]
    Starting NMB services:                                     [  OK  ]
    [root@pptp ~]# service winbind start
    Starting Winbind services:                                 [  OK  ]

Winbind starts and spawns two winbindd processes.

    [root@pptp ~]# ps -ef | grep winbind | grep -v grep
    root     18762     1  0 15:59 ?        00:00:00 winbindd
    root     18763 18762  0 15:59 ?        00:00:00 winbindd

Wait a few minutes for winbindd to contact the domain controller. Then we can test whether winbindd is working fine. If you see no error messages from the wbinfo command, you are in business.

    [root@acna-pptp etc]# wbinfo -t
    checking the trust secret via RPC calls succeeded
    [root@acna-pptp etc]# wbinfo -u
    EXAMPLE+Administrator
    EXAMPLE+Guest
    EXAMPLE+SUPPORT_388945a0
    EXAMPLE+DC1$
    EXAMPLE+krbtgt
    EXAMPLE+skwok
    EXAMPLE+ldapuser
    EXAMPLE+pptpdsvr$

To enable samba, nmb and winbind on bootup, use the chkconfig command.

    [root@pptp ~]# chkconfig winbind on
    [root@pptp ~]# chkconfig nmb on
    [root@pptp ~]# chkconfig smb on

Please note that for older versions of Fedora, smb will spawn nmb automatically, but for F8 they are separate services.

12.2 Configure pptpd

There are two configuration files for pptpd. The first one is /etc/pptpd.conf. You can very much keep it as it is, except for the IP address range for the ppp connections. Edit the file and add two lines at the bottom to specify the local IP address and the IP address pool for the remote connections.

    localip 10.0.0.10
    remoteip 10.0.0.101-200

10.0.0.10 is the IP address of the internal network card eth0. The remoteip is the address pool for the remote connections. If you are running FC6 or above, please refer to Section 8.2 for details on the logwtmp option. Please note that pptpd by default has a limit of 100 connections. You can override it with the "connections" parameter in the pptpd.conf file. Read the remarks in the file.

The second configuration file is /etc/ppp/options.pptpd.
I stripped all remarks from my options.pptpd and it looks like this:

    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    ms-dns 10.0.0.1
    ms-wins 10.0.0.1
    proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd
    auth
    nodefaultroute
    plugin winbind.so
    ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

If you have Windows XP clients, you may want to reduce the MTU size. Add the line /sbin/ifconfig $1 mtu 1400 to /etc/ppp/ip-up as shown in the following listing.

    [root@pptp ppp]# cat ip-up
    #!/bin/bash
    # This file should not be modified -- make local changes to
    # /etc/ppp/ip-up.local instead

    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    export PATH

    LOGDEVICE=$6
    REALDEVICE=$1

    [ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}

    /etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}

    [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"

    # reduce the MTU of the new ppp interface for Windows XP clients
    /sbin/ifconfig $1 mtu 1400

    exit 0

The above example reduces the MTU size to 1400. In my environment, I found that XP would connect to the VPN and ping all servers without problems, but it could not connect to the Microsoft Exchange server properly. Reducing the MTU size to 1400 fixed the problem.

After fixing the files, we can start pptpd and connect to it from a remote client. To start it:

    [root@pptp ~]# chkconfig pptpd on
    [root@pptp ~]# service pptpd start
    Starting pptpd:                                            [  OK  ]

12.3 PPTP Access Control

The above configuration allows everyone with a valid userID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntlm_auth-helper line in /etc/ppp/options.pptpd:

    ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE+VPN-Allowed"

That's all on the server side. If winbind works for you, you can proceed to configure the client.
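As an added check that is not part of the original howto, the following script audits an options.pptpd for the settings sections 12.2 and 12.3 rely on: MS-CHAPv2 only, 128-bit MPPE required, the winbind plugin loaded, and an ntlm_auth helper restricted to one AD group. It runs against two constructed sample files rather than the live /etc/ppp/options.pptpd.

```bash
#!/bin/bash
# Added audit helper, not part of the howto: checks an options.pptpd for the
# settings the howto relies on. Prints one line per finding plus "problems=N".
audit_pptpd_options() {
    local file="$1" problems=0 opt helper
    # MS-CHAPv2 only with 128-bit MPPE: each option must be present and uncommented.
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if ! grep -Eq "^[[:space:]]*${opt}([[:space:]]|$)" "$file"; then
            echo "MISSING: $opt"; problems=$((problems + 1))
        fi
    done
    # Authentication must go through the winbind plugin and ntlm_auth.
    if ! grep -Eq '^[[:space:]]*plugin[[:space:]]+winbind\.so' "$file"; then
        echo "MISSING: plugin winbind.so"; problems=$((problems + 1))
    fi
    helper=$(grep -E '^[[:space:]]*ntlm_auth-helper' "$file" || true)
    if [ -z "$helper" ]; then
        echo "MISSING: ntlm_auth-helper"; problems=$((problems + 1))
    elif ! printf '%s\n' "$helper" | grep -q -- '--require-membership-of='; then
        # Without it every AD account with a valid password can open a tunnel.
        echo "WARN: no --require-membership-of (any AD user may connect)"; problems=$((problems + 1))
    fi
    echo "problems=$problems"
}

# Constructed sample files (not from the howto) so the script runs offline.
TMP=$(mktemp -d)
GOOD="$TMP/options.pptpd.good"; WEAK="$TMP/options.pptpd.weak"
cat > "$GOOD" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE+VPN-Allowed"
EOF
cat > "$WEAK" <<'EOF'
name pptpd
refuse-pap
require-mschap-v2
#require-mppe-128
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
EOF
audit_pptpd_options "$GOOD"   # last line: problems=0
audit_pptpd_options "$WEAK"   # last line: problems=4
```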
The client PCs require special configuration, which is discussed here.