<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>

<body>
<h3>PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto</h3>
<p align="left">Copyright &copy; 2005 Wing S Kwok </p>
<p align="right">by: Wing S Kwok<br>
  email: skwok (at) acnielsen.com.au  </p>
<p align="left"><strong>Revision History</strong>:</p>
<dl>
  <dt>Release 0.8 -- 5 March 2006</dt>
      <dd>- Updated information on pptpd, samba version</dd>
      <dd>- Updated information on FC4 kernel version</dd>
      <dd>- Added info on changing MTU size</dd>
      <br>
  <dt>Release 0.71 -- 3 February 2006</dt>
      <dd>- Problem with kernel 2.6.15 and ppp-2.4.3-5 is Gentoo specific. Corrected the document.</dd>
      <br>
  <dt>Release 0.7 -- 1 February 2006</dt>
      <dd>- Section 12.2 has been rewritten.</dd>
      <dd>- Updated information on Samba version.</dd>
      <dd>- Provided a link to information on problem with kernel 2.6.15 and ppp-2.4.3-5</dd>
      <br>
  <dt>Release 0.6 -- 5 January 2006</dt>
      <dd>- Added a new section on pptp server administration.</dd>
      <dd>- Updated information on Samba version. </dd>
      <br>
  <dt>Release 0.5 -- 17 November 2005</dt>
      <dd>- Included info on kernel 2.6.15-rc1 and MPPE support</dd><br>
  <dt>Release 0.4 -- 30 October 2005</dt>
      <dd>- Updated kernel-ppp-mppe version number</dd><br>
  <dt>Release 0.3 -- 23 October 2005</dt>
      <dd>- added the Acknowledgements section</dd>
      <dd>- added information on problem with FC4 2.6.13 kernel and mppe kernel module </dd>
      <dd>- added information on kernel upgrade and dkms_autoinstaller</dd>
      <dd>- added information on pptp access control</dd>
      <dd>- updated the software version info to reflect the latest available version</dd><br>
  <dt>Release 0.2 -- 23 September 2005</dt>
      <dd>- Rewrote part of the pptp client configuration section and included split tunneling information.</dd><br>
  <dt>Release 0.1 -- 12 September 2005</dt>
      <dd>- added Kerberos version information</dd>
      <dd>- added the full path of winbindd_privileged directory</dd>
      <dd>- fixed the VBScript which had a few lines missing</dd>
      <dd>- corrected a few typos </dd>
</dl>
<dl>
   <dt>First Release -- 5 September 2005</dt>
</dl>
<p align="left">This document covers how to integrate Poptop with Microsoft Active Directory on Fedora Core 4. Two different implementations are described: a) winbind; and b) freeradius.</p>
<hr>
<a name="toc"></a>Table of Contents
<dl>
  <dt>1. <a href="#introduction">Introduction</a></dt>
  <dt>2. <a href="#disclaimer">Disclaimer</a></dt>
  <dt>3. <a href="#acknowledgement">Acknowledgements</a></dt>
  <dt>4. <a href="poptop_ads_howto_2.htm">The Test Environment</a></dt>
  <dt>5. <a href="poptop_ads_howto_3.htm#network">Network Configuration</a></dt>
  <dd>5.1 <a href="poptop_ads_howto_3.htm#defaultroute">Default Route and Static Routes</a></dd>
  <dd>5.2 <a href="poptop_ads_howto_3.htm#pforward">Enable Packet Forwarding</a></dd>
  <dt>6. <a href="poptop_ads_howto_4.htm#mppe">Install MPPE Kernel Module</a></dt>
  <dd>6.1 <a href="poptop_ads_howto_4.htm#autoinstaller">Kernel Upgrade and dkms_autoinstaller</a></dd>
  <dt>7. <a href="poptop_ads_howto_4.htm#pppd_pptpd">pppd and pptpd</a></dt>
  <dd>7.1 <a href="poptop_ads_howto_4.htm#pppd">Upgrade pppd</a></dd>
  <dd>7.2 <a href="poptop_ads_howto_4.htm#pptpd">Install pptpd</a></dd>
  <dt>8. <a href="poptop_ads_howto_5.htm">Kerberos</a></dt>
  <dd>8.1 <a href="poptop_ads_howto_5.htm#krbconf">Configure Kerberos</a></dd>
  <dd>8.2 <a href="poptop_ads_howto_5.htm#krbtest">Test Kerberos</a></dd>
  <dt>9. <a href="poptop_ads_howto_6.htm">Samba</a></dt>
  <dd>9.1 <a href="poptop_ads_howto_6.htm#smbconf">Configure Samba</a></dd>
  <dd>9.2 <a href="poptop_ads_howto_6.htm#smbjoin">Join the AD Domain</a></dd>
  <dt>10. <a href="poptop_ads_howto_7.htm">pptpd and winbindd</a></dt>
  <dd>10.1 <a href="poptop_ads_howto_7.htm#wbtest">Enable and Test winbindd</a></dd>
  <dd>10.2 <a href="poptop_ads_howto_7.htm#pptpconf">Configure pptpd</a></dd>
  <dd>10.3 <a href="poptop_ads_howto_7.htm#access">PPTP Access Control</a></dd>
  <dt>11. <a href="poptop_ads_howto_8.htm">Software for Radius Setup</a></dt>
  <dt>12. <a href="poptop_ads_howto_8.htm#rclient">Radiusclient</a></dt>
  <dd>12.1 <a href="poptop_ads_howto_8.htm#rclientconf">radiusclient.conf</a></dd>
  <dd>12.2 <a href="poptop_ads_howto_8.htm#dict">dictionary.microsoft</a></dd>
  <dt>13. <a href="poptop_ads_howto_9.htm">Freeradius</a></dt>
  <dd>13.1 <a href="poptop_ads_howto_9.htm#mschap2">Configure Freeradius for MSCHAPv2</a></dd>
  <dd>13.2 <a href="poptop_ads_howto_9.htm#access">PPTP Access Control</a></dd>
  <dt>14. <a href="poptop_ads_howto_10.htm">pptpd and freeradius</a></dt>
  <dd>14.1 <a href="poptop_ads_howto_10.htm#radiusd">Enable freeradius</a></dd>
  <dd>14.2 <a href="poptop_ads_howto_10.htm#pptpdradius">Configure pptpd</a></dd>
  <dt>15. <a href="poptop_ads_howto_11.htm">pptp Client Installation</a></dt>
  <dd>15.1 <a href="poptop_ads_howto_11.htm#splittunnel">Split Tunneling</a></dd>
  <dt>16. <a href="poptop_ads_howto_12.htm">pptp Server Administration </a></dt>
  <dd>16.1 <a href="poptop_ads_howto_12.htm#whoisonline">Who is Online?</a></dd>
  <dd>16.2 <a href="poptop_ads_howto_12.htm#accounting">Accounting</a></dd>
  <dd>16.3 <a href="poptop_ads_howto_12.htm#disconnect">Disconnect a User</a></dd>
</dl>

<hr>
<strong><a name="introduction"></a>1. Introduction</strong>
<p>This document describes how to build a Linux PPTP server with Poptop and use Microsoft Active Directory to authenticate users. There are a few howtos on this topic, such as the <a href="http://poptop.sourceforge.net/dox/replacing-windows-pptp-with-linux-howto.phtml">Replacing a Windows PPTP Server with Linux Howto</a> maintained by Matt Alexander. Most of them, however, concentrate on Samba and winbind. I followed them and got it working in the test environment. Unfortunately, winbind does not scale very well in an AD setup which has thousands of objects. The AD at my work is a big tree. It spans all continents and has thousands of users and groups. Winbind simply times out before it can harvest a complete list of users/groups.</p>
<p align="left">The other way of doing it is with radius. Information on how to set up pptpd with radius against Active Directory is scarce. I could only find bits and pieces of information on forums but never found any comprehensive documents. I spent days trying to get it configured properly. After countless frustrations and tears, I eventually got a working setup. I therefore decided to make this howto to document it. Hopefully, you will find it useful.</p>
<p align="left">To make this howto complete, I include the winbind configuration as well, although it may duplicate Matt's work.</p>
<p align="left"><strong>Note</strong>: this howto is based on Fedora Core 4 and uses pre-packaged RPMs whenever possible. If you are using other distributions or like to compile software, you will have to make the necessary adjustments.</p>
<hr>
<strong><a name="disclaimer"></a>2. Disclaimer</strong>
<p>This document is provided as is. I have tried my best to make it as accurate as I can but it may contain wrong information. Use it at your own risk. </p>
<p>I will greatly appreciate any comments on this document. </p>
<hr>
<a name="acknowledgement"></a><strong>3. Acknowledgements</strong>
<p>Thanks to the following individuals who provided feedback and suggestions to make this document better.</p>
<blockquote>
  <p>Peter Mueller - suggested to add information on Kerberos version (R0.1) <br>
    Francis Lessard - provided details on implementing pptp access control (R0.3)<br>
    James Cameron - provided info on MPPE support on kernel v2.6.15-rc1 (R0.5) <br>
    Phil Oester - pointed out the kernel-2.6.15/ppp-2.4.3-5 problem is Gentoo specific (R0.71) </p>
</blockquote>
<hr>

<a href="poptop_ads_howto_2.htm">Next</a>
&nbsp;&nbsp;<a href="#toc">Content</a>

</body>
</html>