<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>

<body>
<h3>PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto</h3>
<p align="left">Copyright © 2005 Wing S Kwok </p>
<p align="right">by: Wing S Kwok<br>
 email: wskwok61 (at) gmail.com</p>
<p align="left"><strong>Revision History</strong>:</p>
<dl>
 <dt>Release 1.21 - 23 February 2007</dt>
 <dd>- Fixed up typo in dictionary.microsoft</dd>
 <br>
 <dt>Release 1.2 - 15 January 2007</dt>
 <dd>- Added Fedora Core 6 information</dd>
 <br>
 <dt>Release 1.1 - 25 September 2006</dt>
 <dd>- Updated version information on kernel, samba and pptpd</dd>
 <br>
 <dt>Release 1.0 - 7 May 2006</dt>
 <dd>- Updated the Howto to focus on Fedora Core 5</dd>
 <dd>- Rearranged the order of steps to make the walkthrough more logical</dd>
 <dd>- Moved Fedora Core 4 specific info to Appendix</dd>
 <br>
 <dt>Release 0.8 - 5 March 2006</dt>
 <dd>- Updated information on pptpd, samba version</dd>
 <dd>- Updated information on FC4 kernel version</dd>
 <dd>- Added info on changing MTU size</dd>
 <br>
 <dt>Release 0.71 - 3 February 2006</dt>
 <dd>- Problem with kernel 2.6.15 and ppp-2.4.3-5 is Gentoo specific. Corrected the document.</dd>
 <br>
 <dt>Release 0.7 -- 1 February 2006</dt>
 <dd>- Section 12.2 has been rewritten.</dd>
 <dd>- Updated information on Samba version.</dd>
 <dd>- Provided a link to information on problem with kernel 2.6.15 and ppp-2.4.3-5</dd>
 <br>
 <dt>Release 0.6 -- 5 January 2006</dt>
 <dd>- Added a new section on pptp server administration.</dd>
 <dd>- Updated information on Samba version.
</dd>
 <br>
 <dt>Release 0.5 -- 17 November 2005</dt>
 <dd>- Included info on kernel 2.6.15-rc1 and MPPE support</dd><br>
 <dt>Release 0.4 -- 30 October 2005</dt>
 <dd>- Updated kernel-ppp-mppe version number</dd><br>
 <dt>Release 0.3 -- 23 October 2005</dt>
 <dd>- added the Acknowledgements section</dd>
 <dd>- added information on problem with FC4 2.6.13 kernel and mppe kernel module </dd>
 <dd>- added information on kernel upgrade and dkms_autoinstaller</dd>
 <dd>- added information on pptp access control</dd>
 <dd>- updated the software version info to reflect the latest available version</dd><br>
 <dt>Release 0.2 -- 23 September 2005</dt>
 <dd>- Rewrote part of the pptp client configuration section and included split tunneling information.</dd><br>
 <dt>Release 0.1 -- 12 September 2005</dt>
 <dd>- added Kerberos version information</dd>
 <dd>- added the full path of winbindd_privileged directory</dd>
 <dd>- fixed the VBScript which had a few lines missing</dd>
 <dd>- corrected a few typos </dd>
</dl>
<dl>
 <dt>First Release -- 5 September 2005</dt>
</dl>
<p align="left">This document covers how to integrate Poptop with Microsoft Active Directory on Fedora Core 5/6. Two different implementations are described: a) winbind; and b) freeradius.</p>
<hr>
<a name="toc"></a>Table of Contents
<dl><dt>1. <a href="#introduction">Introduction</a></dt>
 <dt>2. <a href="#disclaimer">Disclaimer</a></dt>
 <dt>3. <a href="#acknowledgement">Acknowledgements</a></dt>
 <dt>4. <a href="poptop_ads_howto_2.htm">The Test Environment</a></dt>
 <dt>5. <a href="poptop_ads_howto_3.htm#network">Network Configuration</a></dt>
 <dd>5.1 <a href="poptop_ads_howto_3.htm#defaultroute">Default Route and Static Routes</a></dd>
 <dd>5.2 <a href="poptop_ads_howto_3.htm#pforward">Enable Packet Forwarding</a></dd>
 <dt>6. <a href="poptop_ads_howto_4.htm#mppe">Install MPPE Kernel Module</a></dt>
 <dt>7.
<a href="poptop_ads_howto_4.htm#pppd_pptpd">pppd and pptpd</a></dt>
 <dd>7.1 <a href="poptop_ads_howto_4.htm#pppd">pppd</a></dd>
 <dd>7.2 <a href="poptop_ads_howto_4.htm#pptpd">Install pptpd</a></dd>
 <dt>8. <a href="poptop_ads_howto_5.htm">Samba</a></dt>
 <dd>8.1 <a href="poptop_ads_howto_5.htm#smbconf">Configure Samba</a></dd>
 <dt>9. <a href="poptop_ads_howto_6.htm">Kerberos</a></dt>
 <dd>9.1 <a href="poptop_ads_howto_6.htm#krbconf">Configure Kerberos</a></dd>
 <dd>9.2 <a href="poptop_ads_howto_6.htm#krbtest">Test Kerberos</a></dd>
 <dt>10. <a href="poptop_ads_howto_6a.htm#smbjoin">Join the AD Domain</a></dt>
 <dt>11. <a href="poptop_ads_howto_7.htm">pptpd and winbindd</a></dt>
 <dd>11.1 <a href="poptop_ads_howto_7.htm#wbtest">Enable and Test winbindd</a></dd>
 <dd>11.2 <a href="poptop_ads_howto_7.htm#pptpconf">Configure pptpd</a></dd>
 <dd>11.3 <a href="poptop_ads_howto_7.htm#access">PPTP Access Control</a></dd>
 <dt>12. <a href="poptop_ads_howto_8.htm">Software for Radius Setup</a></dt>
 <dt>13. <a href="poptop_ads_howto_8.htm#rclient">Radiusclient</a></dt>
 <dd>13.1 <a href="poptop_ads_howto_8.htm#rclientconf">radiusclient.conf</a></dd>
 <dd>13.2 <a href="poptop_ads_howto_8.htm#dict">dictionary.microsoft</a></dd>
 <dt>14. <a href="poptop_ads_howto_9.htm">Freeradius</a></dt>
 <dd>14.1 <a href="poptop_ads_howto_9.htm#mschap2">Configure Freeradius for MSCHAPv2</a></dd>
 <dd>14.2 <a href="poptop_ads_howto_9.htm#access">PPTP Access Control</a></dd>
 <dt>15. <a href="poptop_ads_howto_10.htm">pptpd and freeradius</a></dt>
 <dd>15.1 <a href="poptop_ads_howto_10.htm#radiusd">Enable freeradius</a></dd>
 <dd>15.2 <a href="poptop_ads_howto_10.htm#pptpdradius">Configure pptpd</a></dd>
 <dt>16. <a href="poptop_ads_howto_11.htm">pptp Client Installation</a></dt>
 <dd>16.1 <a href="poptop_ads_howto_11.htm#splittunnel">Split Tunneling</a></dd>
 <dt>17.
<a href="poptop_ads_howto_12.htm">pptp Server Administration </a></dt>
 <dd>17.1 <a href="poptop_ads_howto_12.htm#whoisonline">Who is Online?</a></dd>
 <dd>17.2 <a href="poptop_ads_howto_12.htm#accounting">Accounting</a></dd>
 <dd>17.3 <a href="poptop_ads_howto_12.htm#disconnect">Disconnect a User</a></dd>
 <dt>A1. <a href="poptop_ads_howto_a1.htm#mppe">Install MPPE Module on Fedora Core 4</a></dt>
 <dd>A1.1 <a href="poptop_ads_howto_a1.htm#autoinstaller">Kernel Upgrade and dkms_autoinstaller</a></dd>
 <dt>A2. <a href="poptop_ads_howto_a1.htm#pppd">Update pppd on Fedora Core 4</a></dt>
 <dt>A3. <a href="poptop_ads_howto_a2.htm">Samba for Fedora Core 4</a></dt>
 <dt>A4. <a href="poptop_ads_howto_a2.htm#fc4freeradius">Software for Radius Setup on Fedora Core 4</a></dt>
</dl>

<hr>
<strong><a name="introduction"></a>1. Introduction</strong>
<p>This document describes how to build a Linux PPTP server with Poptop and use Microsoft Active Directory to authenticate users. There are a few howtos on this topic, such as the <a href="http://poptop.sourceforge.net/dox/replacing-windows-pptp-with-linux-howto.phtml">Replacing a Windows PPTP Server with Linux Howto</a> maintained by Matt Alexander. Most of them, however, concentrate on Samba and winbind. I followed them and got it working in the test environment. Unfortunately, winbind does not scale very well in an AD setup which has thousands of objects. The AD at my work is a big tree. It spans all continents and has thousands of users and groups. Winbind simply times out before it can harvest a complete list of users/groups.</p>
<p align="left">The other way of doing it is with radius. Information on how to set up pptpd with radius against Active Directory is scarce. I could only find bits and pieces of information in forums and never found any comprehensive documents. I spent days trying to get it configured properly.
After countless frustrations and tears, I eventually got a working setup. I therefore decided to make this howto to document it. Hopefully, you will find it useful.</p>
<p align="left">To make this howto complete, I include the winbind configuration as well although it may duplicate Matt's work.</p>
<dt align="left"><strong>Note</strong>:</dt>
<dd>- This howto is based on Fedora Core 5/6 and uses pre-packaged RPMs whenever possible. If you are using other distributions or like to compile software, you will have to make the necessary adjustments.</dd>
<dd>- Information for Fedora Core 4 has been moved to the Appendix and will not be updated anymore. </dd>
<br>
<hr>
<strong><a name="disclaimer"></a>2. Disclaimer</strong>
<p>This document is provided as is. I have tried my best to make it as accurate as I can but it may contain wrong information. Use it at your own risk. </p>
<p>Any comments on this document will be greatly appreciated. </p>
<hr>
<a name="acknowledgement"></a><strong>3. Acknowledgements
</strong>
<p>Thanks to the following individuals who provided feedback and suggestions to make this document better.</p>
<blockquote>
 <p>Peter Mueller - suggested adding information on the Kerberos version (R0.1) <br>
 Francis Lessard - provided details on implementing pptp access control (R0.3)<br>
 James Cameron - provided info on MPPE support on kernel v2.6.15-rc1 (R0.5) <br>
 Phil Oester - pointed out that the kernel-2.6.15/ppp-2.4.3-5 problem is Gentoo specific (R0.71)<br>
 Nicolas Ross - pointed out a typo in dictionary.microsoft (R1.21) </p>
</blockquote>
<hr>

<a href="poptop_ads_howto_2.htm">Next</a>
 <a href="#toc">Content</a>

</body>
</html>