[Samba] winbind auth pppd 2.4.3/pptpd dialup samba pdc works
Robert Schetterer
robert at schetterer.org
Tue Jan 4 19:09:25 GMT 2005
Hi @ll, it works.
(Now a small description; please note this was only a test setup to bring
me nearer to the desired function !!!)
I just compiled the new pppd 2.4.3 on my suse 9.2 system
(I built a suse rpm).
I've configured a test smb pdc:
------------------------------------------------
[global]
encrypt passwords = yes
unix charset = ISO8859-1
display charset = ISO8859-1
admin users = root, Administrator, rruegner
use sendfile = Yes
large readwrite = Yes
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
utmp = Yes
workgroup = robo
passdb backend = tdbsam:/etc/samba/passdb.tdb
password server = *
debuglevel = 5
interfaces = lo, eth0
bind interfaces only = true
wins support = Yes
local master = Yes
domain master = Yes
domain logons = Yes
security = user
csc policy = manual
passwd chat debug = Yes
unix password sync = True
passwd program = /usr/bin/passwd %u
passwd chat = *password* %n\n *password* %n\n *changed*
winbind separator = _
# winbind use default domain = Yes
winbind cache time = 600
template shell = /bin/bash
template homedir = /home/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = Yes
winbind enum users = Yes
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd -r %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
delete user from group script = /usr/bin/gpasswd -d %u %g
set primary group script = /usr/sbin/usermod -g '%g' '%u'
add machine script = /usr/sbin/useradd -g machines -c Machine -s /bin/false %u
[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
inherit acls = Yes
----------------------------------------------------------------------------
and prepared a machine account for the local machine.
After that I joined the pdc's own domain:
net rpc join -S localhost
added a root and a testuser:
smbpasswd -a root etc.
started winbind.
After that I configured pam / nsswitch for winbind as described in the smb
faqs (don't know if this really is a must here).
test winbind
linux:/var/log/samba # wbinfo -t
checking the trust secret via RPC calls succeeded
Installed pptpd from suse 9.2, configured parameters in /etc/pptpd.conf.
My ppp.options file is like this:
----------------------------
noauth
lock
proxyarp
#ms-dns 192.168.1.1
#ms-dns 192.168.1.2
ms-wins 10.10.100.198
#ms-wins 192.168.1.51
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
require-mppe
nobsdcomp
defaultroute
debug
logfile /var/log/pptpd.log
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=S-1-5-21-2430330691-2538081181-1539622471-3001"
----------------------------------
For some magic reason the --require-membership-of parameter did not accept the
group name, but it works nicely with the SID of my group vpnuser.
-----------------------------
linux:/var/log/samba # net groupmap list
System Operators (S-1-5-32-549) -> sys
dialup (S-1-5-21-2430330691-2538081181-1539622471-1207) -> dialup
Replicators (S-1-5-32-552) -> daemon
Guests (S-1-5-32-546) -> nobody
Domain Admins (S-1-5-21-2430330691-2538081181-1539622471-512) -> root
Domain Guests (S-1-5-21-2430330691-2538081181-1539622471-514) -> nobody
Power Users (S-1-5-32-547) -> sys
vpnuser (S-1-5-21-2430330691-2538081181-1539622471-3001) -> vpnuser
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> ntadmin
Account Operators (S-1-5-32-548) -> ntadmin
Domain Users (S-1-5-21-2430330691-2538081181-1539622471-513) -> users
Backup Operators (S-1-5-32-551) -> bin
Users (S-1-5-32-545) -> users
------------------------------------------------------------------------------------------
Note: I had to use /usr/bin/ntlm_auth (samba), not
/usr/sbin/ntlm_auth (squid).
Now users which are in the group smb-nt-vpnuser are allowed to
dial up, others get rejected.
My thx go to Andrew, who made this possible;
this feature was very wanted.
Best Regards
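An added example, not part of the original post: since --require-membership-of only accepted the group SID here, the script below resolves a group name to its SID from `net groupmap list` output and prints the matching ntlm_auth-helper line, refusing builtin (S-1-5-32-*) groups so that only a real domain group ends up gating dialup. The embedded listing is the post's own `net groupmap list` output (constructed sample so it runs offline); the function names group_sid, is_domain_sid and helper_line are mine, and the assumed line shape is the one shown in the post.

```shell
#!/bin/sh
# Resolve a Samba group name to its SID from `net groupmap list` output and
# build the pppd winbind.so helper option from it. Added example; replace
# GROUPMAP with:  GROUPMAP="$(net groupmap list)"  on a real PDC.

# Constructed sample (the listing quoted in the post), embedded for offline use.
GROUPMAP='System Operators (S-1-5-32-549) -> sys
dialup (S-1-5-21-2430330691-2538081181-1539622471-1207) -> dialup
vpnuser (S-1-5-21-2430330691-2538081181-1539622471-3001) -> vpnuser
Domain Users (S-1-5-21-2430330691-2538081181-1539622471-513) -> users
Users (S-1-5-32-545) -> users'

# group_sid NAME: print the SID mapped to NAME; exit 1 if no mapping exists.
group_sid() {
    printf '%s\n' "$GROUPMAP" | awk -v name="$1" '
        # Each line looks like:  <NT group name> (<SID>) -> <unix group>
        match($0, / \(S-1-[0-9-]+\) -> /) {
            nt  = substr($0, 1, RSTART - 1)
            # skip " (" at the front and ") -> " at the back of the match
            sid = substr($0, RSTART + 2, RLENGTH - 7)
            if (nt == name) { print sid; found = 1; exit 0 }
        }
        END { if (!found) exit 1 }'
}

# is_domain_sid SID: true only for a domain group SID (S-1-5-21-<domain>-<rid>),
# not for a well-known builtin such as S-1-5-32-545 (Users).
is_domain_sid() {
    printf '%s' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$'
}

# helper_line NAME: print the ppp options line for the given group, or fail.
helper_line() {
    sid=$(group_sid "$1") || { echo "no group mapping for '$1'" >&2; return 1; }
    is_domain_sid "$sid" || {
        echo "'$1' maps to builtin SID $sid, not a domain group" >&2
        return 1
    }
    printf 'ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=%s"\n' "$sid"
}

# usage: sh resolve-group-sid.sh vpnuser
if [ $# -gt 0 ]; then
    helper_line "$1"
fi
```

Run it with the group name as the only argument and paste the printed line into the ppp options file; a builtin group or an unmapped name exits non-zero with a message on stderr instead of producing a helper line.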