[Samba] Re: Unified authentication

Robert Kelly robert.kelly at ebimed.com
Fri May 6 19:49:04 GMT 2005


If by unified authentication you mean just domain logons and vpn logons,
and by vpn logons you mean IPSEC/L2TP, then yes it can be done.
This site has lots of info on setting up the ipsec/l2tp end:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

>      Most of my users are Windows types.  I want to provide domain
> authentication for these users.  Using the same auth DB, I want to be
> able to authenticate some users to a VPN server using RADIUS.  All with
> the same user/password combo.
Do you have to use radius?

We use samba as a dc with an ldapsam, freeradius using ldap auth (looking
up sambaNTPassword), openswan using x509, l2tpd and ppp. ppp uses a
radius plugin. Authentication is done using MSCHAPV2.
We have about 700 users, so ldap and radius are good choices. We also
have some wireless access points that use radius to authenticate
clients. For 50 users, yes it is probably overkill and a pita to set up.

PAM probably won't work unless you use plain text authentication (PAP).
That means configuring all your vpn clients to use it.
Although it sounds insecure, there will already be an ipsec encryption
layer established that the plain text passwords travel across.
Try explaining that to your users.
However, if you use winbindd or radius looking up to ldap all your
client configurations will take the default parameters and all you need
to give them is the name of your vpn server.

For 50 users you can probably get away with
openswan/x509->l2tpd->ppp/winbind->samba

Rob
