[Samba] winbind auth pppd 2.4.3/pptpd dialup samba pdc works

Robert Schetterer robert at schetterer.org
Tue Jan 4 19:09:25 GMT 2005


Hi @ll, it works.
(Now a small description; please note this was only a test setup to bring
me nearer to the desired function!!!)

I just compiled the new pppd 2.4.3 on my SuSE 9.2 system
(I built a SuSE RPM).
I've configured a test SMB PDC:
------------------------------------------------
[global]
        encrypt passwords = yes
        unix charset = ISO8859-1
        display charset = ISO8859-1
        admin users = root, Administrator, rruegner
        use sendfile = Yes
        large readwrite = Yes
        socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
        utmp = Yes
        workgroup = robo
        passdb backend = tdbsam:/etc/samba/passdb.tdb
        password server = *
        debuglevel = 5
        interfaces = lo, eth0
        bind interfaces only = true
        wins support = Yes
        local master = Yes
        domain master = Yes
        domain logons = Yes
        security = user
        csc policy = manual
        passwd chat debug = Yes
        unix password sync = True
        passwd program = /usr/bin/passwd %u
        passwd chat = *password* %n\n *password* %n\n *changed*
        winbind separator = _
#       winbind use default domain = Yes
        winbind cache time = 600
        template shell = /bin/bash
        template homedir = /home/%U
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum groups = Yes
        winbind enum users = Yes
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd -r %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/bin/gpasswd -a %u %g
        delete user from group script = /usr/bin/gpasswd -d %u %g
        set primary group script = /usr/sbin/usermod -g '%g' '%u'
        add machine script = /usr/sbin/useradd -g machines -c Machine -s /bin/false %u
[homes]
        comment = Home Directories
        valid users = %S
        browseable = No
        read only = No
        inherit acls = Yes
----------------------------------------------------------------------------


and prepared a machine account for the local machine.
After that I joined the PDC's own domain:

net rpc join -S localhost


Added root and a test user:
smbpasswd -a root etc.

Started winbind.
After that I configured PAM / nsswitch for winbind as described in the Samba
FAQs (don't know if this really is a must here).

Test winbind:
linux:/var/log/samba # wbinfo -t
checking the trust secret via RPC calls succeeded


Installed pptpd from SuSE 9.2 and configured parameters in /etc/pptpd.conf.
My ppp.options file is like this:
----------------------------
noauth
lock
proxyarp
#ms-dns 192.168.1.1
#ms-dns 192.168.1.2

ms-wins 10.10.100.198
#ms-wins 192.168.1.51

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
require-mppe
nobsdcomp
defaultroute
debug

logfile /var/log/pptpd.log

plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=S-1-5-21-2430330691-2538081181-1539622471-3001"
----------------------------------
For some magic reason the --require-membership parameter did not accept the
group name, but it works nicely with the SID of my group vpnuser.
-----------------------------
linux:/var/log/samba # net groupmap list
System Operators (S-1-5-32-549) -> sys
dialup (S-1-5-21-2430330691-2538081181-1539622471-1207) -> dialup
Replicators (S-1-5-32-552) -> daemon
Guests (S-1-5-32-546) -> nobody
Domain Admins (S-1-5-21-2430330691-2538081181-1539622471-512) -> root
Domain Guests (S-1-5-21-2430330691-2538081181-1539622471-514) -> nobody
Power Users (S-1-5-32-547) -> sys
vpnuser (S-1-5-21-2430330691-2538081181-1539622471-3001) -> vpnuser
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> ntadmin
Account Operators (S-1-5-32-548) -> ntadmin
Domain Users (S-1-5-21-2430330691-2538081181-1539622471-513) -> users
Backup Operators (S-1-5-32-551) -> bin
Users (S-1-5-32-545) -> users
------------------------------------------------------------------------------------------



Note: I had to use /usr/bin/ntlm_auth (Samba), not
/usr/sbin/ntlm_auth (Squid).

Now users which are in the group smb-nt-vpnuser are allowed to
dial up; others get rejected.

My thanks go to Andrew, who made this possible;
this feature was very much wanted.

Best Regards

