PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto

Copyright © 2005 Wing S Kwok

by: Wing S Kwok
email: skwok (at) acnielsen.com.au

Revision History:

Release 0.8 -- 5 March 2006
- Updated information on pptpd, samba version
- Updated information on FC4 kernel version
- Added info on changing MTU size

Release 0.71 -- 3 February 2006
- Problem with kernel 2.6.15 and ppp-2.4.3-5 is Gentoo specific. Corrected the document.

Release 0.7 -- 1 February 2006
- Section 12.2 has been rewritten.
- Updated information on Samba version.
- Provided a link to information on problem with kernel 2.6.15 and ppp-2.4.3-5

Release 0.6 -- 5 January 2006
- Added a new section on pptp server administration.
- Updated information on Samba version.

Release 0.5 -- 17 November 2005
- Included info on kernel 2.6.15-rc1 and MPPE support

Release 0.4 -- 30 October 2005
- Updated kernel-ppp-mppe version number

Release 0.3 -- 23 October 2005
- Added the Acknowledgements section
- Added information on problem with FC4 2.6.13 kernel and mppe kernel module
- Added information on kernel upgrade and dkms_autoinstaller
- Added information on pptp access control
- Updated the software version info to reflect the latest available version

Release 0.2 -- 23 September 2005
- Rewrote part of the pptp client configuration section and included split tunneling information.

Release 0.1 -- 12 September 2005
- Added Kerberos version information
- Added the full path of winbindd_privileged directory
- Fixed the VBScript which had a few lines missing
- Corrected a few typos

First Release -- 5 September 2005

This document covers how to integrate Poptop with Microsoft Active Directory on Fedora Core 4. Two different implementations are described: a) winbind; and b) freeradius.


Table of Contents
1. Introduction
2. Disclaimer
3. Acknowledgements
4. The Test Environment
5. Network Configuration
5.1 Default Route and Static Routes
5.2 Enable Packet Forwarding
6. Install MPPE Kernel Module
6.1 Kernel Upgrade and dkms_autoinstaller
7. pppd and pptpd
7.1 Upgrade pppd
7.2 Install pptpd
8. Kerberos
8.1 Configure Kerberos
8.2 Test Kerberos
9. Samba
9.1 Configure Samba
9.2 Join the AD Domain
10. pptpd and winbindd
10.1 Enable and Test winbindd
10.2 Configure pptpd
10.3 PPTP Access Control
11. Software for Radius Setup
12. Radiusclient
12.1 radiusclient.conf
12.2 dictionary.microsoft
13. Freeradius
13.1 Configure Freeradius for MSCHAPv2
13.2 PPTP Access Control
14. pptpd and freeradius
14.1 Enable freeradius
14.2 Configure pptpd
15. pptp Client Installation
15.1 Split Tunneling
16. pptp Server Administration
16.1 Who is Online?
16.2 Accounting
16.3 Disconnect a User

1. Introduction

This document describes how to build a Linux PPTP server with Poptop and use Microsoft Active Directory to authenticate users. There are a few howtos on this topic, such as the Replacing a Windows PPTP Server with Linux Howto maintained by Matt Alexander. Most of them, however, concentrate on Samba and winbind. I followed them and got it working in the test environment. Unfortunately, winbind does not scale very well in an AD setup which has thousands of objects. The AD at my work is a big tree. It spans all continents and has thousands of users and groups. Winbind simply times out before it can harvest a complete list of users/groups.

The other way of doing it is with radius. Information on how to set up pptpd with radius against Active Directory is scarce. I could only find bits and pieces of information in forums and never found a comprehensive document. I spent days trying to get it configured properly. After countless frustrations and tears, I eventually got a working setup. I therefore decided to write this howto to document it. Hopefully, you will find it useful.

To make this howto complete, I include the winbind configuration as well although it may duplicate Matt's work.

Note: this howto is based on Fedora Core 4 and uses pre-packaged RPMs whenever possible. If you are using another distribution or prefer to compile software yourself, you will have to make the necessary adjustments.


2. Disclaimer

This document is provided as is. I have tried my best to make it as accurate as I can but it may contain wrong information. Use it at your own risk.

I will greatly appreciate any comments on this document.


3. Acknowledgements

Thanks to the following individuals who provided feedback and suggestions to make this document better.

Peter Mueller - suggested adding information on Kerberos version (R0.1)
Francis Lessard - provided details on implementing pptp access control (R0.3)
James Cameron - provided info on MPPE support on kernel v2.6.15-rc1 (R0.5)
Phil Oester - pointed out the kernel-2.6.15/ppp-2.4.3-5 problem is Gentoo specific (R0.71)

