diff options
Diffstat (limited to 'pptpd-1.3.3/html/poptop_ads_howto')
17 files changed, 0 insertions, 936 deletions
diff --git a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Entries b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Entries deleted file mode 100644 index 43e96a3..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Entries +++ /dev/null @@ -1,15 +0,0 @@ -/diagram1.jpg/1.1/Tue Oct 25 03:08:14 2005// -/poptop_ads_howto_2.htm/1.1/Tue Oct 25 03:08:14 2005// -/poptop_ads_howto_3.htm/1.2/Thu Jan 5 00:21:15 2006// -/poptop_ads_howto_5.htm/1.2/Thu Jan 5 00:21:15 2006// -/poptop_ads_howto_9.htm/1.2/Thu Jan 5 00:21:15 2006// -/poptop_ads_howto_11.htm/1.3/Tue Feb 14 00:15:52 2006// -/poptop_ads_howto_12.htm/1.2/Tue Feb 14 00:15:52 2006// -/poptop_ads_howto_8.htm/1.3/Tue Feb 14 00:15:52 2006// -/poptop_ads_howto_1.htm/1.7/Tue Apr 18 03:02:30 2006// -/poptop_ads_howto_10.htm/1.2/Tue Apr 18 03:02:31 2006// -/poptop_ads_howto_4.htm/1.7/Tue Apr 18 03:02:31 2006// -/poptop_ads_howto_6.htm/1.4/Tue Apr 18 03:02:31 2006// -/poptop_ads_howto_7.htm/1.2/Tue Apr 18 03:02:31 2006// -/test.txt/1.1/Tue Apr 18 03:02:31 2006// -D diff --git a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Repository b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Repository deleted file mode 100644 index c7b8123..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Repository +++ /dev/null @@ -1 +0,0 @@ -poptop/html/poptop_ads_howto diff --git a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Root b/pptpd-1.3.3/html/poptop_ads_howto/CVS/Root deleted file mode 100644 index 6f952a5..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/CVS/Root +++ /dev/null @@ -1 +0,0 @@ -:ext:quozl@poptop.cvs.sourceforge.net:/cvsroot/poptop diff --git a/pptpd-1.3.3/html/poptop_ads_howto/diagram1.jpg b/pptpd-1.3.3/html/poptop_ads_howto/diagram1.jpg Binary files differdeleted file mode 100644 index 16490fc..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/diagram1.jpg +++ /dev/null diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_1.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_1.htm deleted file mode 100644 index 2a5a969..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_1.htm +++ /dev/null @@ -1,123 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<h3>PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto</h3> -<p align="left">Copyright © 2005 Wing S Kwok </p> -<p align="right">by: Wing S Kwok<br> - email: skwok (at) acnielsen.com.au </p> -<p align="left"><strong>Revision History</strong>:</p> -<dl> - <dt>Release 0.8 - 5 March 2006</dt> - <dd>- Updated information on pptpd, samba version</dd> - <dd>- Updated information on FC4 kernel version</dd> - <dd>- Added info on changing MTU size</dd> - <br> - <dt>Release 0.71 - 3 February 2006</dt> - <dd>- Problem with kernel 2.6.15 and ppp-2.4.3-5 is Gentoo specific. Corrected the document.</dd> - <br> - <dt>Release 0.7 -- 1 February 2006</dt> - <dd>- Section 12.2 has been rewritten.</dd> - <dd>- Updated information on Samba version.</dd> - <dd>- Provided a link to information on problem with kernel 2.6.15 and ppp-2.4.3-5</dd> - <br> - <dt>Release 0.6 -- 5 January 2006</dt> - <dd>- Added a new section on pptp server administration.</dd> - <dd>- Updated information on Samba version. </dd> - <br> - <dt>Release 0.5 -- 17 November 2005</dt> - <dd>- Included info on kernel 2.6.15-rc1 and MPPE support</dd><br> - <dt>Release 0.4 -- 30 October 2005</dt> - <dd>- Updated kernel-ppp-mppe version number</dd><br> - <dt>Release 0.3 -- 23 October 2005</dt> - <dd>- added the Acknowledgements section</dd> - <dd>- added information on problem with FC4 2.6.13 kernel and mppe kernel module </dd> - <dd>- added information on kernel upgrade and dkms_autoinstaller</dd> - <dd>- added information on pptp access control</dd> - <dd>- updated the software version info to reflect the latest available version</dd><br> - <dt>Release 0.2 -- 23 September 2005</dt> - <dd>- Rewrote part of the pptp client configuration section and included split tunneling information.</dd><br> - <dt>Release 0.1 -- 12 September 2005</dt> - <dd>- added Kerberos version information</dd> - <dd>- added the full path of winbindd_privileged directory</dd> - <dd>- fixed the VBScript which had a few lines missing</dd> - <dd>- corrected a few typos </dd> -</dl> -<dl> - <dt>First Release -- 5 September 2005</dt> -</dl> -<p align="left">This document covers how to integrate Poptop with Microsoft Active Directory on Fedora Core 4. Two different implementations are described: a) winbind; and b) freeradius.</p> -<hr> -<a name="toc"></a>Table of Contents -<dl><dt>1. <a href="#introduction">Introduction</a></dt> - <dt>2. <a href="#disclaimer">Disclaimer</a></dt> - <dt>3. <a href="#acknowledgement">Acknowledgements</a></dt> - <dt>4. <a href="poptop_ads_howto_2.htm">The Test Environment</a></dt> - <dt>5. <a href="poptop_ads_howto_3.htm#network">Network Configuration</a></dt> - <dd>5.1 <a href="poptop_ads_howto_3.htm#defaultroute">Default Route and Static Routes</a></dd> - <dd>5.2 <a href="poptop_ads_howto_3.htm#pforward">Enable Packet Forwarding</a></dd> - <dt>6. <a href="poptop_ads_howto_4.htm#mppe">Install MPPE Kernel Module</a></dt> - <dd>6.1 <a href="poptop_ads_howto_4.htm#autoinstaller">Kernel Upgrade and dkms_autoinstaller</a></dd> - <dt>7. <a href="poptop_ads_howto_4.htm#pppd_pptpd">pppd and pptpd</a></dt> - <dd>7.1 <a href="poptop_ads_howto_4.htm#pppd">Upgrade pppd</a></dd> - <dd>7.2 <a href="poptop_ads_howto_4.htm#pptpd">Install pptpd</a></dd> - <dt>8. <a href="poptop_ads_howto_5.htm">Kerberos</a></dt> - <dd>8.1 <a href="poptop_ads_howto_5.htm#krbconf">Configure Kerberos</a></dd> - <dd>8.2 <a href="poptop_ads_howto_5.htm#krbtest">Test Kerberos</a></dd> - <dt>9. <a href="poptop_ads_howto_6.htm">Samba</a></dt> - <dd>9.1 <a href="poptop_ads_howto_6.htm#smbconf">Configure Samba</a></dd> - <dd>9.2 <a href="poptop_ads_howto_6.htm#smbjoin">Join the AD Domain</a></dd> - <dt>10. <a href="poptop_ads_howto_7.htm">pptpd and winbindd</a></dt> - <dd>10.1 <a href="poptop_ads_howto_7.htm#wbtest">Enable and Test winbindd</a></dd> - <dd>10.2 <a href="poptop_ads_howto_7.htm#pptpconf">Configure pptpd</a></dd> - <dd>10.3 <a href="poptop_ads_howto_7.htm#access">PPTP Access Control</a></dd> - <dt>11. <a href="poptop_ads_howto_8.htm">Software for Radius Setup</a></dt> - <dt>12. <a href="poptop_ads_howto_8.htm#rclient">Radiusclient</a></dt> - <dd>12.1 <a href="poptop_ads_howto_8.htm#rclientconf">radiusclient.conf</a></dd> - <dd>12.2 <a href="poptop_ads_howto_8.htm#dict">dictionary.microsoft</a></dd> - <dt>13. <a href="poptop_ads_howto_9.htm">Freeradius</a></dt> - <dd>13.1 <a href="poptop_ads_howto_9.htm#mschap2">Configure Freeradius for MSCHAPv2</a></dd> - <dd>13.2 <a href="poptop_ads_howto_9.htm#access">PPTP Access Control</a></dd> - <dt>14 <a href="poptop_ads_howto_10.htm">pptpd and freeradius</a></dt> - <dd>14.1 <a href="poptop_ads_howto_10.htm#radiusd">Enable freeradius</a></dd> - <dd>14.2 <a href="poptop_ads_howto_10.htm#pptpdradius">Configure pptpd</a></dd> - <dt>15. <a href="poptop_ads_howto_11.htm">pptp Client Installation</a></dt> - <dd>15.1 <a href="poptop_ads_howto_11.htm#splittunnel">Split Tunneling</a></dd> - <dt>16. <a href="poptop_ads_howto_12.htm">pptp Server Administration </a></dt> - <dd>16.1 <a href="poptop_ads_howto_12.htm#whoisonline">Who is Online?</a></dd> - <dd>16.2 <a href="poptop_ads_howto_12.htm#accounting">Accounting</a></dd> - <dd>16.3 <a href="poptop_ads_howto_12.htm#disconnect">Disconnect a User</a></dd> -</dl> - -<hr> -<strong><a name="introduction"></a>1. Introduction</strong> -<p>This document descibes how to build a Linux PPTP server with Poptop and use Microsoft Active Directory to authenticate users. There are a few howtos on this topic, such as the <a href="http://poptop.sourceforge.net/dox/replacing-windows-pptp-with-linux-howto.phtml">Replacing a Windows PPTP Server with Linux Howto</a> maintained by Matt Alexander. Most of them, however, concentrate on Samba and winbind. I followed them and got it working in the test environment. Unfortunately, winbind does not scale very well in a AD setup which has thousands of objects. The AD in my work is a big tree. It spans across all continents and has thousands of users and groups. Winbind simply times out before it can harvest a complete list of users/groups.</p> -<p align="left">The other way of doing it is with radius. Information on how to setup pptpd with radius against Active Directory is scarce. I can only find bits and pieces information from forums but never find any comprehensive documents. I spent days to try to get it configured properly. After countless frustrations and tears, I eventually got a working setup. I therefore decided to make this howto to document it. Hopefully, you will find it useful.</p> -<p align="left">To make this howto complete, I include the winbind configuration as well although it may duplicate Matt's work.</p> -<p align="left"><strong>Note</strong>: this howto is based on Fedora Core 4 and use pre-packaged RPMs whenever possible. If you are using other distributions or like to compile software, you will have to make the necessary adjustments.</p> -<hr> -<strong><a name="disclaimer"></a>2. Disclaimer</strong> -<p>This document is provided as is. I have tried my best to make it as accurate as I can but it may contain wrong information. Use it at your own risk. </p> -<p>I will greatly appreciate any comments on this document. </p> -<hr> -<a name="acknowledgement"></a><strong>3. Acknowledgements -</strong> -<p>Thanks to the following individuals who provided feedback and suggestions to make this document better.</p> -<blockquote> - <p>Peter Mueller - suggested to add information on Kerberos version (R0.1) <br> - Francis Lessard - provided details on implementing pptp access control (R0.3)<br> - James Cameron - provided info on MPPE support on kernel v2.6.15-rc1 (R0.5) <br> - Phil Oester - pointed out the kernel-2.6.15/ppp-2.4.3-5 problem is Gentoo specific (R0.71) </p> -</blockquote> -<hr> - -<a href="poptop_ads_howto_2.htm">Next</a> - <a href="#toc">Content</a> - -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_10.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_10.htm deleted file mode 100644 index df14d19..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_10.htm +++ /dev/null @@ -1,87 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>14. pptpd and freeradius </strong></p> -<p>The section covers the configuration of pptpd + freeradius + AD. If you are looking at the integration via winbind. Go to <a href="poptop_ads_howto_7.htm">this section</a>.</p> -<hr> -<a name="radiusd"></a><strong>14.1 Enable freeradius</strong> -<p>To enable radiusd on bootup, use the chkconfig command.</p> -<blockquote> - <pre>[root@pptp ~]# chkconfig radiusd on </pre> -</blockquote> -<p>To start radiusd in daemon mode: -</p> -<blockquote> - <pre>[root@pptp ~]# service radiusd start -Starting RADIUS server: Sun Sep 4 11:26:24 2005 : Info: Starting - reading configuration files ...<br>[ OK ]</pre> -</blockquote> -<p></p> -<hr> -<a name="pptpdradius"></a><strong>14.2 Configure pptpd </strong> -<p>There are two configuration files for pptpd. The first one is /etc/pptpd.conf. You can very much keep it as it is except the ip address range for the ppp connections. Edit the file and add two lines at the bottom to specify the local ip address and the ip address pool for the remote connections. </p> -<blockquote> - <pre>localip 10.0.0.10<br>remoteip 10.0.0.101-200 </pre> -</blockquote> -<p>10.0.0.10 is the ip address of the internal network card eth0. The remoteip is the address pool for the remote connections. </p> -<p>The second configuration file is /etc/ppp/options.pptpd. I stripped off all remarks from my options.pptpd and it is like this:</p> -<blockquote> - <pre>name pptpd -refuse-pap<br>refuse-chap<br>refuse-mschap<br>require-mschap-v2<br>require-mppe-128 -ms-dns 10.0.0.1 -ms-wins 10.0.0.1 -proxyarp -lock -nobsdcomp -novj -novjccomp -nologfd -auth -nodefaultroute -plugin radius.so -plugin radattr.so</pre> -</blockquote> -<p>There are two plugins we used in here. The first one radius.so is required while the second one radattr.so is optional. Radattr.so basically records the parameters passed from radius to pppd in a file. Check the man page of pppd-radattr for details. </p> -<p>Then, we need to fix the permission of a winbind directory.</p> -<blockquote> - <pre>[root@pptp ~]# chgrp radiusd /var/cache/samba/winbindd_privileged/</pre> -</blockquote> -<p>If you have Windows XP clients, you may want to reduce the MTU size. Add the line, /sbin/ifconfig $1 mtu 1400, to /etc/ppp/ip-up as shown in the following list.</p> -<blockquote> - <pre>[root@pptp ppp]# cat ip-up -#!/bin/bash -# This file should not be modified -- make local changes to -# /etc/ppp/ip-up.local instead - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -export PATH - -LOGDEVICE=$6 -REALDEVICE=$1 - -[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE} - -/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE} - -[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@" - -<strong>/sbin/ifconfig $1 mtu 1400</strong> -exit 0</pre> -</blockquote> -<p>The above example reduces the MTU size to 1400. In my environment, I found that XP will connect the VPN and ping all servers without problems, however, it cannot connect to the Microsoft Exchange server properly. Reduce the MTU size to 1400 fixed the problem.</p> -<p>After fixing the files and permission, we can start pptpd and connect to it from remote client. To start it:</p> -<blockquote> - <pre>[root@pptp ~]# chkconfig pptpd on<br><br>[root@pptp ~]# service pptpd start<br>Starting pptpd: [ OK ] </pre> -</blockquote> -<p>That's all on the server side. </p> -<p><strong>Note</strong>: The client PCs require special configurations. It will be discussed in <a href="poptop_ads_howto_11.htm">here</a>.</p> -<hr> -<a href="poptop_ads_howto_11.htm">Next</a> <a href="poptop_ads_howto_9.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> -<p> </p> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_11.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_11.htm deleted file mode 100644 index 868dcc9..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_11.htm +++ /dev/null @@ -1,83 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>15. pptp Client Installation</strong></p> -<p>I will only describe the Windows XP pptp client installation. For other operating system, please see the documents in <a href="http://poptop.sourceforge.net/dox/">here</a>. </p> -<ul> - <li>Start -> Settings -> Control Panels -> Network Connections.</li> - <li>Click on "Create a new connection" on the left pane. </li> - <li>A Winzard starts. Click on Next.</li> - <li>Choose "Connect to the network at my workplace". Next.</li> - <li> Choose "Virtual Private Network Connection". Next.</li> - <li>Key in the company name. Next.</li> - <li>Choose "Do not dial the initial connection". Next</li> - <li>Type in the external IP address of Hostname of the pptpd gateway. Next.</li> - <li>Choose "Anyone's use". Next</li> - <li>Check the "Add a shortcut to this connection to my desktop". Finish.</li> - <li>A new icon appears on the Network Connections under the header Virtual Private Network. Right click on it and choose Properties.</li> - <li>Click on the Security tab. Check "Advanced (custom settings)" and then click the Settings button.</li> - <li> Choose "Maximum strength encryption (disconnect if server declines)" on Data Encryption.</li> - <li>In the same tab, choose "Allow these protocols" and undo all except "Microsoft CHAP Version 2 (MS-CHAP v2)". Click OK and click OK again to close the window.</li> -</ul> -<p>That's all for a standard configuration. All traffic from the PC will pipe through the pptp tunnel except those for the local attached network segment. This is the recommended way of implementing VPN for security reasons.</p> -<hr> -<strong><a name="splittunnel"></a>15.1 Split Tunneling</strong> -<p>Split Tunneling allows you to configure the network so that only selected traffic is directed to the VPN tunnel. For instance, you want browsing traffic to go to the Internet directly but corporate traffic goes via the VPN, then you will need split tunneling. It is also important if your ISP requires a heatbeat from your machine to keep the connection alive. </p> -<p>While split tunneling provides convenience, it causes security problems because <span name="intelliTxt" id="intelliTxt">it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network. Check your company security policy before inplementing split tunneling. </span></p> -<p>To set up split tunneling:</p> -<ul> - <li>Right click on the icon which you created in section 15 and choose Properties.</li> - <li>Choose the Networking tab. Highligth the Internet Protocol (TCP/IP) and click on the Properties button.</li> - <li>Click on the Advanced Button and then deselect "Use default gateway on remote network". Click OK. Click OK and then click OK.</li> -</ul> -<p>If you have a simple private network which has only one single segment, you have finished the configuration. Take a break and enjoy you day.</p> -<p>If you have multiple subnets in the private network, there are still works to do. By not using the PPP as the default gateway, we introduce another problem. The PPP client will set up routing only to the subnet that is directly attached to the pptp gateway. Traffic will not route to the other subnets. In our test environment, you can only access 10.0.0.0 but not 172.16.0.0. To resolve this problem, I created a VBScript to add the extra routes. </p> -<p>The VBScript is listed here: </p> -<blockquote> - <pre>Option Explicit<br>Dim IP_Address<br>Dim TmpFile : TmpFile = "c:\ip.txt"<br>Dim route1 - -<strong>route1 = "route add 172.16.0.0 mask 255.255.255.0 "</strong> - -SaveIP<br>IP_Address = GetIP()<br>route1 = route1 & IP_Address<br>AddRoute - -Sub SaveIP<br> Dim ws : Set ws = CreateObject("WScript.Shell")<br> ws.run "%comspec% /c ipconfig > " & TmpFile, 0, True<br> Set ws = Nothing<br>End Sub - -Function GetIP()<br> Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")<br> Dim re : Set re = New RegExp<br> re.Global = TRUE - - Dim file, fileline, matches<br> Dim pppsection : pppsection = FALSE - - If fso.FileExists(TmpFile) Then<br> Set file = fso.OpenTextFile(TmpFile)<br> - Do While Not file.AtEndOfStream<br> fileline = file.ReadLine - - If Not pppsection Then - If left(fileline,3) = "PPP" Then - pppsection = TRUE - End If - Else - re.Pattern = "IP Address[\. ]+: " - If re.Test(fileline) Then - matches = split(fileline,":") - GetIP = right(matches(1),len(matches(1))-1) - End If - End If - - Loop<br> file.Close<br> End If - - Set re = Nothing<br> Set fso = Nothing<br>End Function - -Sub AddRoute<br> Dim ws : Set ws = CreateObject("WScript.Shell")<br> ws.run "%comspec% /c " & route1, 0, True<br> Set ws = Nothing<br>End Sub -</pre> -</blockquote> -<p>Create the VBScript file somewhere in your PC and create a shortcut on the desktop. When the PPP connects, double click on the shortcut will add the route accordingly.</p> -<p><strong>Note</strong>: you will need to modify the line in bold for your environment. </p> -<hr> -<a href="poptop_ads_howto_12.htm">Next</a> <a href="poptop_ads_howto_10.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a><p> </p> -<p> </p> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_12.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_12.htm deleted file mode 100644 index eeaa16b..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_12.htm +++ /dev/null @@ -1,70 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>16. pptp Server Administration </strong></p> -<p>This section covers a few tricks on pptp server management. It is far from a complete guide. Any suggestions are welcome.</p> -<p>The packages <strong>psacct</strong> and <strong>SysVinit</strong> are required for the utilities used in here. They should be installed by default. If they are not, please install them through yum.</p> -<blockquote> - <pre>[root@pptp ~]# yum install psacct SysVinit </pre> -</blockquote><p></p> -<hr> -<strong><a name="whoisonline"></a>16.1 Who is Online?</strong> -<p>To check who is online, the "last" command is used:</p> -<blockquote> - <pre>[root@pptp ~]# last | grep ppp | grep still -James ppp3 202.xx.xxx.xxx Sat Nov 19 17:38 still logged in <br>Andrew ppp1 220.xxx.xxx.xx Sat Nov 19 17:23 still logged in <br>Mary ppp2 1.2.3.4 Sat Nov 19 16:59 still logged in <br>Sue ppp0 202.xx.xxx.xxx Sat Nov 19 16:43 still logged in <br>Mark ppp7 203.xxx.xxx.xxx Sat Nov 19 14:59 still logged in</pre> -</blockquote> -<p><strong><em>last</em></strong> is from SysVinit. It reads the information from /var/log/wtmp. </p> -<p><strong>Note:</strong> for <em><strong>last</strong></em> to work properly, the logwtmp option in the /etc/pptpd.conf must be enabled. If you are sure there are pptp connections but see no output from the above mentioned command, check the logwtmp option in the pptpd.conf file is enabled. </p> -<hr> -<strong><a name="accounting"></a>16.2 Accounting </strong> -<p>The "ac" utility from package psacct will provide a report on the connection time.</p> -<blockquote> - <pre>[root@pptp ~]# ac -d -p - Amy 3.77 - George 0.08 - Mark 1.78 - Richard 0.35 - Lee 3.66 - Simon 5.78 - Nicole 1.05 -Nov 1 total 16.46 - Amy 2.43 - Nicole 8.61 - Richard 4.77 - Mark 0.90 - Lee 4.68 - Keith 1.84 -Nov 2 total 23.23</pre> -</blockquote> -<p>The <em><strong>ac</strong></em> command reads the information from /var/log/wtmp. It has a lot of options. Read the man page for details. </p> -<p><strong>Note</strong>: <br> - 1. -If you want the statistics from older version of wtmp, use the -f parameter in "ac" to specify the file. <br> -2. If users use shell to log in the server as well, the ac will return the connection time of both pptp and shell connections. -</p> -<hr> -<strong><a name="disconnect"></a>16.3 Disconnect a User</strong> -<p>To disconnect an active connection, you will have to kill the pppd process associate with it. Firstly, run the command in section 16.1 to find out the remote ip address of the user. Say you want to disconnect Mary, her ip address in the above example is 1.2.3.4. Then, find the PID of the pppd process. -</p> -<blockquote> - <pre>[root@pptp /]# ps -ef | grep 1.2.3.4 | grep pppd -root 8672 8671 0 16:59 ? 00:00:00 /usr/sbin/pppd local file /etc/ppp/options.pptpd 115200 - 10.0.0.10:10.0.0.124 ipparam 1.2.3.4. - plugin /usr/lib/pptpd/pptpd-logwtmp.so - pptpd-original-ip 1.2.3.4</pre> -</blockquote> -<p>The second field of the output, 8672 in our example, is the PID of the pppd process. Kill the process will disconnect the user.</p> -<blockquote> - <pre>[root@pptp /]# kill 8672</pre> -</blockquote><br> -<hr> -<a href="poptop_ads_howto_11.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_2.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_2.htm deleted file mode 100644 index 0bda62f..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_2.htm +++ /dev/null @@ -1,46 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><a name="test"></a><strong>4. The Test Environment</strong></p> -<p>I have built a test environment as shown in the diagram. In the rest of the howto, the configurations of software are based on this topology. </p> -<p><img src="diagram1.jpg"></p> -<p>A Windows 2003 SP1 Server is set up as the AD domain controller, DNS server and WINS server. The pptp gateway is the Linux box which has 2 network cards. One connects to the internal network, 10.0.0.0/24, and the other one connects to the Internet with ip address 192.168.0.10/24. The internal network has two subnets, 10.0.0.0/24 and 172.16.0.0/24. </p> -<p>The domain name of the Windows AD domain is EXAMPLENET.ORG and the corresponding netbios name is EXAMPLE. </p> -<p><strong>Windows Domain Summary</strong>:</p> -<table width="558" border="0"> - <tr> - <td width="266">Domain Controller Name </td> - <td width="282">dc1.examplenet.org</td> - </tr> - <tr> - <td>Domain Controller IP Address </td> - <td>10.0.0.1</td> - </tr> - <tr> - <td>DNS IP Address </td> - <td>10.0.0.1</td> - </tr> - <tr> - <td>WINS IP Address </td> - <td>10.0.0.1</td> - </tr> - <tr> - <td>AD Domain Name </td> - <td>examplenet.org</td> - </tr> - <tr> - <td>AD Netbios Domain Name</td> - <td>example</td> - </tr> -</table> - -</p> -<hr> -<a href="poptop_ads_howto_3.htm">Next</a> <a href="poptop_ads_howto_1.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a></body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_3.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_3.htm deleted file mode 100644 index 591f993..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_3.htm +++ /dev/null @@ -1,58 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -<style type="text/css"> -<!-- -.style1 { - font-family: "Courier New", Courier, mono; - font-size: 12px; -} ---> -</style> -</head> - -<body> -<p><a name="network"><strong>5. Network Configuration </strong></a></p> -<p>Microsoft AD depends heavily on DNS. You should have the DNS server working first. </p> -<p>The pptp gateway should use the Active Directory DNS server instead of the one provided by your ISP. Otherwise, the gateway may have problems to locate the domain controller. Here is the /etc/resolv.conf in my test gateway. </p> -<blockquote> -<pre>search examplenet.org -nameserver 10.0.0.1</pre> -</blockquote><p></p> -<hr> -<a name="defaultroute"><strong>5.1 Default Gateway and Static Routes</strong></a> -<p>The pptp gateway has two network cards. It is important that the default gateway is pointing to the Internet, your ISP router. Make sure that the internal network card does not have a default gateway address configured. Check the network card configuration files in /etc/sysconfig/network-scripts. </p> -<p>In my test setup, eth0 is the internal card and eth1 is the external one. In the /etc/sysconfig/network-scripts/ifcfg-eth0, it does not have the line GATEWAY="x.x.x.x". In the ifcfg-eth1, it has an entry GATEWAY="x.x.x.x" pointing to the ISP router ip address.</p> -<p>My test internal network has multiple subnets, static routes are set up to direct traffic correctly. If you have a simple single segment internal network, you can skip the following step and go to <a href="#pforward">step 5.2</a>.</p> -<p>To set up static routes in FC4, create a file static-routes in /etc/sysconfig directory. My static-routes file has one line: </p> -<blockquote> - <pre>any net 172.16.0.0 netmask 255.255.255.0 dev eth0</pre> -</blockquote> -<p>The syntax of the line is important. The line must start with the word "any".</p> -<p>Check your routing table with the netstat command.</p> -<blockquote> - <pre class="style1">[root@pptp sysconfig]# netstat -nr<br>Kernel IP routing table<br>Destination Gateway Genmask Flags MSS Window irtt Iface -192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1<br>172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0<br>0.0.0.0 192.168.0.2 0.0.0.0 UG 0 0 0 eth1</pre> -</blockquote> -<p><hr> -<strong><a name="pforward"></a>5.2 Enable Packet Forwarding</strong> -<p>For ppp to work, the packet forwarding must be enabled. Edit /etc/sysctl.conf with your favourite editor and change the line:</p> -<blockquote> - <pre>net.ipv4.ip_forward = 0</pre><p></p> -</blockquote> -<p>to</p> -<blockquote> - <pre>net.ipv4.ip_forward = 1 </pre> -</blockquote> -<p>The change will be effective on the next reboot. To enable it immediately:</p> -<blockquote> - <pre>[root@pptp etc]# sysctl -p</pre> -</blockquote><p></p> -<hr> -<a href="poptop_ads_howto_4.htm">Next</a> <a href="poptop_ads_howto_2.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> -</body> - -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_4.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_4.htm deleted file mode 100644 index bc9bcc0..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_4.htm +++ /dev/null @@ -1,56 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong><a name="mppe"></a>6. Install MPPE Kernel Module </strong></p> -<p>MPPE support is required for MSCHAPv2. Depending on the kernel version, you may or may not require to perform this step. Kernel version 2.6.15 or above has MPPE built-in. If you are using the latest FC4 2.6.15 kernel, you can go to <a href="#pppd_pptpd">step 7</a> now. If you are using an older kernel which does not support MPPE, you will have to add this feature to it. </p> -<p>To test if your kernel supports MPPE:</p> -<blockquote> - <pre>[root@pptp ~]# modprobe ppp-compress-18 && echo ok</pre> -</blockquote> -<p>If it returns an "ok", you can safely skip this step and move to <a href="#pppd_pptpd">step 7</a>. If you see "FATAL: Module ppp_mppe not found.", install MPPE support as described in the following procedure:</p> -<p> Download the MPPE module builder in rpm format from <a href="http://sourceforge.net/project/showfiles.php?group_id=44827">here</a>. The required RPMs are::</p> -<blockquote> - <pre>dkms-2.0.6-1.noarch.rpm -kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm</pre> -</blockquote> -<p>Install them with command "rpm -ivh".</p> -<blockquote> - <pre>[root@pptp ~]# rpm -ivh dkms-2.0.6-1.noarch.rpm -[root@pptp ~]# rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm </pre> -</blockquote> -<p>If you upgrade your kernel to 2.6.13 or above, kernel_ppp_mppe version 1.0.2 or above must be used. Otherwise, the pptp tunnel will not connect and you will see error message "This system lacks kernel support for PPP." in /var/log/messages.</p> -<dt><strong>Note:</strong></dt> -<dd>(1) Fedora Extra provides also a dkms rpm, dkms-2.0.6-3.fc4.noarch.rpm. I have not tested it. You may want to use the one I mentioned above to make sure the installation will work. </dd> -<br><hr> -<strong><a name="autoinstaller"></a>6.1 Kernel Upgrade and dkms_autoinstaller</strong> -<p>If you upgrade your kernel after installing dkms, thanks to the dkms_autoinstaller service, you will not have to worry about the dkms kernel module. dkms_autoinstaller runs on every bootup. It checks the dkms module to ensure it match the kernel version. If a mismatch is found, it will create a proper one for the boot kernel. </p> -<p>For dkms_autoinstaller to work, you will need the correct kernel-devel version installed in your system. It is always a good idea to install the kernel-devel rpm alongside with your new kernel. </p> -<hr> -<strong><a name="pppd_pptpd" id="pppd_pptpd"></a>7. pppd and pptpd</strong> -<p><a name="pppd"><strong>7.1 Upgrade pppd </strong></a></p> -<p>FC4 comes with ppp-2.4.2-7. It is required to be upgraded to a patched version which supports MPPE. The patched version can be found in <a href="http://sourceforge.net/project/showfiles.php?group_id=44827">here</a>. Download the rpm for FC4. At the time of writing, the latest version is 2.4.3-5. Get the FC4 rpm: </p> -<blockquote> - <pre>ppp-2.4.3-5.fc4.i386.rpm</pre> -</blockquote> -<p>Upgrade the ppp with the downloaded version:</p> -<blockquote> - <pre>[root@pptp ~]# rpm -Uvh ppp-2.4.3-5.fc4.i386.rpm</pre> -</blockquote> -<p><strong>Note</strong>: If you are a Gentoo user, and are using kernel v2.6.15, the ppp-2.4.3-5 does NOT work because of MPPC. You may find more information from <a href="http://kernel-bugs.osdl.org/show_bug.cgi?id=5827">here</a>.</p> -<hr> -<a name="pptpd"></a><strong>7.2 Install pptpd</strong> -<p>In the <a href="http://sourceforge.net/project/showfiles.php?group_id=44827">same page</a> download the pptpd rpm, pptpd-1.3.1-0.i386.rpm, and install it.</p> -<blockquote> - <pre>[root@pptp ~]# rpm -ivh pptpd-1.3.1-0.i386.rpm</pre> -</blockquote> -<p><strong>Note</strong>: pptpd-1.3.1 is an experimental version. The stable version is 1.3.0. Both versions work fine for me. It is up to you to choose which one to use. </p> -<hr> -<a href="poptop_ads_howto_5.htm">Next</a> <a href="poptop_ads_howto_3.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_5.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_5.htm deleted file mode 100644 index c038a30..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_5.htm +++ /dev/null @@ -1,66 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>8. Kerberos</strong></p> -<p>There are two different versions of the Kerberos client, version 4 from KTH and 5 from MIT. As Microsoft uses version 5, you should use the MIT version. FC4 includes the MIT one so you will be ok to use the stock standard one.</p> -<p>Packages krb5-lib and krb5-workstation are required. They are installed by default. If they are not, please get the latest version from yum.</p> -<hr> -<a name="krbconf"></a><strong>8.1 Configure Kerberos</strong> -<p>The configuration file of Kerberos is /etc/krb5.conf. To connect to AD, the settings must match the domain configuration.</p> -<blockquote> - <pre>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br> admin_server = FILE:/var/log/kadmind.log</pre> - <p>[libdefaults]<br> - <strong>default_realm = EXAMPLENET.ORG</strong><br> - dns_lookup_realm = false<br> - dns_lookup_kdc = false<br> - ticket_lifetime = 24h<br> - forwardable = yes</p> - <p>[realms]<br> - <strong>EXAMPLENET.ORG = {</strong><br> - <strong>kdc = dc1.examplenet.org:88</strong><br> - # admin_server = kerberos.example.com:749<br> - <strong>default_domain = examplenet.org</strong><br> - }</p> - <p>[domain_realm]<br> - <strong>.examplenet.org = EXAMPLENET.ORG<br> - examplenet.org = EXAMPLENET.ORG</strong></p> - <p>[kdc]<br> - profile = /var/kerberos/krb5kdc/kdc.conf</p> - <p>[appdefaults]<br> - pam = {<br> - debug = false<br> - ticket_lifetime = 36000<br> - renew_lifetime = 36000<br> - forwardable = true<br> - krb4_convert = false<br> - }</p> -</blockquote> -<p>Lines shown in bold are the ones you should pay attention to. Use uppercase as shown. </p> -<hr> -<a name="krbtest"></a><strong>8.2 Test Kerberos</strong> -<p>Before trying to connect to AD, the AD DNS should have a A record for the pptp server. To add the A record, on your Windows DNS server, click Start -> Administrative Tools -> DNS. The dnsmgmt window pops up. Click on the "+" of "Forward Lookup Zones". Right click on AD Domain name, in our test environment is EXAMPLENET.ORG, and choose "New Host (A)...". Put in the server name and ip address and then press the "Add Host" button.</p> -<p>When the DNS is ready, it is time to test Kerberos. Please note that the domain name must be in capital. </p> -<blockquote> - <pre>[root@pptp etc]# kinit -V skwok@EXAMPLENET.ORG<br>Password for skwok@EXAMPLENET.ORG: <br>Authenticated to Kerberos v5 </pre> -</blockquote> -<p>To check the Kerberos tickets:</p> -<blockquote> - <pre>[root@pptp etc]# klist<br>Ticket cache: FILE:/tmp/krb5cc_0<br>Default principal: skwok@EXAMPLENET.ORG</pre> - <pre>Valid starting Expires Service principal - 09/03/05 14:43:47 09/04/05 00:43:04 krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG - renew until 09/04/05 14:43:47</pre> - <pre>Kerberos 4 ticket cache: /tmp/tkt0 - klist: You have no tickets cached</pre> -</blockquote> -<p></p> -<hr> -<a href="poptop_ads_howto_6.htm">Next</a> <a href="poptop_ads_howto_4.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> -<p> </p> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_6.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_6.htm deleted file mode 100644 index 7346959..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_6.htm +++ /dev/null @@ -1,93 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>9. Samba -</strong></p> -<p>FC4 comes with samba v3.0.14a. The samba project released v3.0.20 on 20 August 2005. Here is a quote from the v3.0.20 release note about winbind.</p> -<blockquote> - <p>-- quote --<br> - Winbindd has been completely rewritten in this release to support -an almost completely non-blocking, asynchronous request/reply -model. This means that winbindd will scale much better in -large domain environments and on high latency networks.<br> --- quote -- - </p> -</blockquote> -<p>It is highly recommended to upgrade samba to v3.0.20 or above. The latest samba v3.0.21c rpms for FC4 can be found in <a href="http://us5.samba.org/samba/ftp/Binary_Packages/Fedora/RPMS/i386/core/4/">here</a>. Download a copy and then update samba with command "rpm -Uvh samba*.rpm". </p> -<p><strong>Note: </strong> -Samba v3.0.21 has a bug on the oplock code. Avoid this version. Use v3.0.21a or above. </p> -<hr> -<strong><a name="smbconf"></a>9.1 Configure Samba</strong> -<p>No matter you choose to use winbind or freeradius to connect to Active Directory, you will have to configure samba properly. The configuration file of samba is in /etc/samba and is called smb.conf. The file should have at least the following lines. </p> -<blockquote> - <pre>[global] -# define the netbios name of the domain -<strong>workgroup = EXAMPLE</strong> -# define the pptp server netbios name -<strong>netbios name = PPTPDSVR</strong> -# define the AD domain name -<strong>realm = EXAMPLENET.ORG</strong> -# server description -server string = pptpd Server -# printer stuff -printcap name = /etc/printcap -load printers = no -cups options = raw -# log file stuff -log file = /var/log/samba/%m.log -max log size = 50 -# must set to ads -<strong>security = ads</strong> -# address of domain controller -<strong>password server = 10.0.0.1</strong> -# enable encrypt passwords -<strong>encrypt passwords = yes</strong> -# default setting -socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 -# not to be a master browser -domain master = no -preferred master = no -# address of the WINS server -<strong>wins server = 10.0.0.1</strong> -dns proxy = no -# require this line to join the domain -<strong>client use spnego = yes</strong> -# winbind stuff -<strong>idmap uid = 50001-550000 -idmap gid = 50001-550000 -winbind separator = + -winbind nested groups = Yes -winbind enum users=yes -winbind enum groups=yes</strong> -template shell = /bin/false -winbind use default domain = no</pre> -</blockquote> -<p>The lines in bold are the important ones that you should pay attention to. Execute "testparm" to check the configuration. Correct any errors before proceeding to the next step.</p> -<hr> -<a name="smbjoin"></a><strong>9.2 Join the AD Domain</strong> -<p>Once the Kerberos and Samba are configured, it's time to add the pptpd server to the AD domain.</p> -<blockquote> - <pre>[root@pptp ~]# net ads join -U skwok@EXAMPLENET.ORG "Asiapac/Australia/Sydney/Servers"<br>skwok@EXAMPLENET.ORG's password: <br>Using short domain name -- EXAMPLE<br>Joined 'PPTPDSVR' to realm 'EXAMPLENET.ORG' -</pre> -</blockquote> -<p>The above net ads join command create the server in the container</p> -<p>"OU=Servers,OU=Sydney,OU=Australia,OU=Asiapac,DC=EXAMPLENET,DC=ORG"</p> -<p>The user must have admin right on the container to create the server object. If the operation is successful, you will see a new server object created in the AD.</p> -<p>Another test to see if the trust between the pptpd server and the domain is working is smbclient.</p> -<blockquote> - <pre>[root@pptp ~]# smbclient //dc1/c$ -k<br>OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]<br>smb: \> dir<br> AUTOEXEC.BAT A 0 Wed Jul 20 10:53:47 2005<br> boot.ini AHSR 208 Fri Jul 22 10:41:57 2005<br> CONFIG.SYS A 0 Wed Jul 20 10:53:47 2005<br> Documents and Settings D 0 Fri Jul 22 16:25:51 2005<br> download D 0 Thu Aug 4 17:31:28 2005<br> IO.SYS AHSR 0 Wed Jul 20 10:53:47 2005<br> MSDOS.SYS AHSR 0 Wed Jul 20 10:53:47 2005<br> NTDETECT.COM AHSR 47772 Fri Jul 22 10:16:32 2005<br> ntldr AHSR 295536 Fri Jul 22 10:16:32 2005<br> pagefile.sys AHS 805306368 Fri Aug 12 11:24:27 2005<br> Program Files DR 0 Wed Jul 20 10:51:09 2005<br> shared1 D 0 Thu Jul 21 17:06:28 2005<br> System Volume Information DHS 0 Fri Jul 22 10:52:09 2005<br> WINDOWS D 0 Tue Aug 16 14:33:36 2005<br> wmpub D 0 Wed Jul 20 10:55:13 2005</pre> - <p> 39064 blocks of size 524288. 31129 blocks available<br> - smb: \> </p> -</blockquote> -<p><strong>Note</strong>: With Samba v3.0.14a or v3.0.20, everytime I run "net ads join", the command crash at the end with message "*** glibc detected *** net: free(): invalid pointer: 0x001cddb0 ***" and then a dump to the screen. The join seems to be working fine though. Samba v3.0.21a does not have this problem. </p> -<hr> -<a href="poptop_ads_howto_7.htm">Next</a> <a href="poptop_ads_howto_5.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> -<p> </p> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_7.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_7.htm deleted file mode 100644 index 54536f1..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_7.htm +++ /dev/null @@ -1,93 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>10. pptpd and winbindd </strong></p> -<p>The section covers how to configure pptpd + winbindd + AD. If you are working on the freeradius configuration, you may skip this section and go to the <a href="poptop_ads_howto_8.htm">next one</a>. </p> -<p>Most of the hard work has been done in the previous sections. You are very close to the final stage.</p> -<hr> -<strong><a name="wbtest"></a>10.1 Enable and Test winbindd</strong> -<p>pptpd requires only winbindd but not smbd. If you are not using the pptpd server as a samba file server, you will not need to run smbd. Start winbindd with the "service" command.</p> -<blockquote> - <pre>[root@pptp ~]# service winbind start<br>Starting Winbind services: [ OK ] </pre> -</blockquote> -<p>Winbind starts and spawns two threads. </p> -<blockquote> - <pre>[root@pptp ~]# ps -ef | grep winbind | grep -v grep<br>root 18762 1 0 15:59 ? 00:00:00 winbindd<br>root 18763 18762 0 15:59 ? 00:00:00 winbindd</pre> -</blockquote> -<p>Wait a few minutes for winbindd to contact the domain controller. Then we can test if winbindd is working fine. If you see no error messages from the wbinfo command, you are in business. </p> -<blockquote> - <pre>[root@acna-pptp etc]# wbinfo -t<br>checking the trust secret via RPC calls succeeded -<br>[root@acna-pptp etc]# wbinfo -u<br>EXAMPLE+Administrator<br>EXAMPLE+Guest<br>EXAMPLE+SUPPORT_388945a0<br>EXAMPLE+DC1$<br>EXAMPLE+krbtgt<br>EXAMPLE+skwok<br>EXAMPLE+ldapuser<br>EXAMPLE+pptpdsvr$ -</pre> -</blockquote> -<p>To enable winbind on bootup, use the chkconfig command.</p> -<blockquote> - <pre>[root@pptp ~]# chkconfig winbind on </pre> -</blockquote><p></p> -<hr> -<strong><a name="pptpconf"></a>10.2 Configure pptpd </strong> -<p>There are two configuration files for pptpd. The first one is /etc/pptpd.conf. You can very much keep it as it is except the ip address range for the ppp connections. Edit the file and add two lines at the bottom to specify the local ip address and the ip address pool for the remote connections. </p> -<blockquote> - <pre>localip 10.0.0.10<br>remoteip 10.0.0.101-200 </pre> -</blockquote> -<p>10.0.0.10 is the ip address of the internal network card eth0. The remoteip is the address pool for the remote connections. </p> -<p>The second configuration file is /etc/ppp/options.pptpd. I stripped off all remarks from my options.pptpd and it is like this:</p> -<blockquote> - <pre>name pptpd -refuse-pap<br>refuse-chap<br>refuse-mschap<br>require-mschap-v2<br>require-mppe-128 -ms-dns 10.0.0.1 -ms-wins 10.0.0.1 -proxyarp -lock -nobsdcomp -novj -novjccomp -nologfd -auth -nodefaultroute -plugin winbind.so -ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"</pre> -</blockquote> -<p>If you have Windows XP clients, you may want to reduce the MTU size. Add the line, /sbin/ifconfig $1 mtu 1400, to /etc/ppp/ip-up as shown in the following list.</p> -<blockquote> - <pre>[root@pptp ppp]# cat ip-up -#!/bin/bash -# This file should not be modified -- make local changes to -# /etc/ppp/ip-up.local instead - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -export PATH - -LOGDEVICE=$6 -REALDEVICE=$1 - -[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE} - -/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE} - -[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@" - -<strong>/sbin/ifconfig $1 mtu 1400</strong> -exit 0</pre> -</blockquote> -<p>The above example reduces the MTU size to 1400. In my environment, I found that XP will connect the VPN and ping all servers without problems, however, it cannot connect to the Microsoft Exchange server properly. Reduce the MTU size to 1400 fixed the problem.</p> -<p>After fixing the files, we can start pptpd and connect to it from remote client. To start it:</p> -<blockquote> - <pre>[root@pptp ~]# chkconfig pptpd on<br><br>[root@pptp ~]# service pptpd start<br>Starting pptpd: [ OK ]</pre> -</blockquote><p></p> -<hr> -<strong><a name="access"></a>10.3 PPTP Access Control </strong> -<p>The above configuration allows everyone with a valid userID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntml_auth-helper line in the /etc/ppp/options.pptpd:</p> -<blockquote> - <pre>ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 <span class="790285904-18102005">--require-membership-of=EXAMPLE+VPN-Allowed</span>" </pre> -</blockquote> -<p>That's all on the server side. If winbind works for you, you can proceed to configure the client. The client PCs require special configurations and is discussed in <a href="poptop_ads_howto_11.htm">here</a>.</p> -<hr> -<a href="poptop_ads_howto_8.htm">Next</a> <a href="poptop_ads_howto_6.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a></body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_8.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_8.htm deleted file mode 100644 index 68f6608..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_8.htm +++ /dev/null @@ -1,91 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>11. Software for R</strong><strong>adius Setup</strong></p> -<p>In additional to the software we installed in the previous sections, we need two more. Freeradius is one of them. FC4 comes with freeradius-1.0.2-2 but it is broken. At the time of writing, the latest one is freeradius-1.0.4-1.FC4.1. Get it from yum as it has quite a few dependences. yum will resolve all required dependences automagically.</p> -<blockquote> - <pre>[root@pptp ~]# yum install freeradius </pre> -</blockquote> -<p>The second software you will need is radiusclient. Get the FC4 rpm, radiusclient-0.3.2-0.2.fc4.rf.i386.rpm, from <a href="http://rpmforge.net/user/packages/radiusclient/">RPMforge</a>. Install it with "rpm -ivh".</p> -<hr> -<p><strong><a name="rclient"></a>12. Radiusclient</strong></p> -<p>Radiusclient is required because the pppd radius plugin relies on it. There are a few configuration files in /etc/radiusclient to look at. The first one is /etc/radiusclient/servers which specify the radius server name and key. We have the radius server in the same box. So the file is like this:</p> -<blockquote> - <pre>#Server Name or Client/Server pair Key<br>#---------------- ---------------<br>localhost testing123 </pre> -</blockquote> -<p>The key is the secret of the radius server which is specified in /etc/raddb/clients.conf. The default is testing123. Of course, it is a bad idea to use the default.</p> -<hr> -<a name="rclientconf"></a><strong>12.1 radiusclient.conf</strong> -<p>The main configuration file for radiusclient is /etc/radiusclient/radiusclient.conf. Here is how it should be when all remarks are stripped off:</p> -<blockquote> - <pre>auth_order radius -login_tries 4 -login_timeout 60 -nologin /etc/nologin -issue /etc/radiusclient/issue -authserver localhost -acctserver localhost -servers /etc/radiusclient/servers -dictionary /etc/radiusclient/dictionary -login_radius /usr/sbin/login.radius -seqfile /var/run/radius.seq -mapfile /etc/radiusclient/port-id-map -default_realm -radius_timeout 10 -radius_retries 3</pre> -</blockquote> -<p>Basically, all of the lines are default. I have not changed anything.</p> -<hr> -<strong><a name="dict"></a>12.2 dictionary.microsoft</strong> -<p>In /etc/radiusclient, there is a file called dictionary. Add the following line to the end of the file.</p> -<blockquote> - <pre>INCLUDE /etc/radiusclient/dictionary.microsoft</pre> -</blockquote> -<p>The file, dictionary.microsoft, is not included in the radiusclient. We can modify the one from freeradius so that it can be used by pppd.</p> -<p>First of all, copy the freeradius one, /usr/share/freeradius/dictionary.microsoft, to /etc/radiusclient. Then change the word "octets" to "string" in the file. Add the word Microsoft to all attributes. Here is my version: </p> -<blockquote> - <pre>#<br># Microsoft's VSA's, from RFC 2548<br>#<br># $Id: poptop_ads_howto_8.htm,v 1.3 2006/02/01 22:13:34 wskwok Exp $<br># - -VENDOR Microsoft 311 Microsoft - -ATTRIBUTE MS-CHAP-Response 1 string Mircosoft<br>ATTRIBUTE MS-CHAP-Error 2 string Mircosoft<br>ATTRIBUTE MS-CHAP-CPW-1 3 string Mircosoft<br>ATTRIBUTE MS-CHAP-CPW-2 4 string Mircosoft<br>ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Mircosoft<br>ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Mircosoft<br>ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft<br># This is referred to as both singular and plural in the RFC.<br># Plural seems to make more sense.<br>ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft<br>ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft<br>ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft<br>ATTRIBUTE MS-CHAP-Domain 10 string Mircosoft<br>ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft<br>ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1<br>ATTRIBUTE MS-BAP-Usage 13 integer Microsoft<br>ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft<br>ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft<br>ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft<br>ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft<br>ATTRIBUTE MS-RAS-Version 18 string Microsoft<br>ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft<br>ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft<br>ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft - -ATTRIBUTE MS-Filter 22 string Mircosoft<br>ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft<br>ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft<br> -ATTRIBUTE MS-CHAP2-Response 25 string Microsoft<br>ATTRIBUTE MS-CHAP2-Success 26 string Microsoft<br>ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft - -ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr<br>ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr<br>ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr<br>ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr - -#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft - -#<br># Integer Translations<br># - -# MS-BAP-Usage Values - -VALUE MS-BAP-Usage Not-Allowed 0<br>VALUE MS-BAP-Usage Allowed 1<br>VALUE MS-BAP-Usage Required 2 - -# MS-ARAP-Password-Change-Reason Values - -VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1<br>VALUE MS-ARAP-PW-Change-Reason Expired-Password 2<br>VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3<br>VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 - -# MS-Acct-Auth-Type Values - -VALUE MS-Acct-Auth-Type PAP 1<br>VALUE MS-Acct-Auth-Type CHAP 2<br>VALUE MS-Acct-Auth-Type MS-CHAP-1 3<br>VALUE MS-Acct-Auth-Type MS-CHAP-2 4<br>VALUE MS-Acct-Auth-Type EAP 5 - -# MS-Acct-EAP-Type Values - -VALUE MS-Acct-EAP-Type MD5 4<br>VALUE MS-Acct-EAP-Type OTP 5<br>VALUE MS-Acct-EAP-Type Generic-Token-Card 6<br>VALUE MS-Acct-EAP-Type TLS 13 - -END-VENDOR Microsoft -</pre> -</blockquote><p></p> -<hr> -<a href="poptop_ads_howto_9.htm">Next</a> <a href="poptop_ads_howto_7.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a> -<p></p> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_9.htm b/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_9.htm deleted file mode 100644 index 8b9c023..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/poptop_ads_howto_9.htm +++ /dev/null @@ -1,52 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" -"http://www.w3.org/TR/html4/loose.dtd"> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> -<title>Poptop MSCHAP2 ADS Howto</title> -</head> - -<body> -<p><strong>13. Freeradius</strong></p> -<p>Freeradius has a massive 57KB configuration file. Fortunately, we only have to change a few lines. </p> -<hr> -<a name="mschap2"></a><strong>13.1 Configure Freeradius for MSCHAPv2 -</strong> -<p>Edit /etc/raddb/radiusd.conf to enable MSCAHP2. Open the file and locate the module section and then the mschap subsection.</p> -<blockquote> - <pre>modules {<br> - ....[snip]....<br> - mschap { - authtype = MS-CHAP - use_mppe = yes - require_encryption = yes - require_strong = yes - ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"<br> }<br> - ....[snip]....<br> -}</pre> -</blockquote> -<p>Save the file. The mschap option in the authorize and authenticate sections is enabled by default. If they are not, enable them accordingly. </p> -<p>The radius server has a secret key for security. The default key for freeradius is testing123. It is a good idea to change it for obvious security reasons. The key is in /etc/raddb/clients.conf. </p> -<blockquote> - <pre>client 127.0.0.1 {<br> #<br> # The shared secret use to "encrypt" and "sign" packets between<br> # the NAS and FreeRADIUS. You MUST change this secret from the<br> # default, otherwise it's not a secret any more!<br> #<br> # The secret can be any string, up to 32 characters in length.<br> #<br> secret = testing123 - - ....[snip].... -</pre> -</blockquote> -<p><strong>Note</strong>: if you change the secret key, you must modify the /etc/radiusclient/servers so that they match each other. -</p> -<hr> -<p><strong><a name="access"></a>13.2 PPTP Access Control </strong></p> -<p>The above configuration allows everyone with a valid userID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntml_auth line in /etc/raddb/radius.conf to include the parameter "--require-membership-of=EXAMPLE+VPN_Allowed". </p> -<p>In the example, I split the line into multiple lines for clarity. It should be one continuous line in the configuration file. </p> -<blockquote> - <pre>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key - --username=%{Stripped-User-Name:-%{User-Name:-None}} - --challenge=%{mschap:Challenge:-00} - --nt-response=%{mschap:NT-Response:-00} - --require-membership-of=EXAMPLE+VPN_Allowed"</pre> -</blockquote><p></p> -<hr> -<a href="poptop_ads_howto_10.htm">Next</a> <a href="poptop_ads_howto_8.htm">Previous</a> <a href="poptop_ads_howto_1.htm#toc">Content</a><p> </p> -</body> -</html> diff --git a/pptpd-1.3.3/html/poptop_ads_howto/test.txt b/pptpd-1.3.3/html/poptop_ads_howto/test.txt deleted file mode 100644 index 9daeafb..0000000 --- a/pptpd-1.3.3/html/poptop_ads_howto/test.txt +++ /dev/null @@ -1 +0,0 @@ -test |
