We describe how to replace a Windows PPTP server with a Linux one,
with the same authentication and encryption capability. The
instructions are generic, but some file names are specific to Fedora
Core 3, as we used that to verify the process. (2005-02-26)
Note: if you don't need Active Directory support, please see our HOWTO for conventional configurations. (2005-05-06)
Note: if you are trying this with an older distribution version, ensure that you have a recent version of Kerberos; this is required for interoperability with Active Directory. We know krb5-1.3.4 works, and we believe the Kerberos in Red Hat 9 or later should work.

Note: the system time on the Linux host must be kept in reasonable sync with the Active Directory server, or Kerberos authentication will fail. (2005-02-23)
Note: on the original page, purple highlight marks the text you must change for your environment; in this text those values appear as placeholders such as YOURDOMAIN, your-server-ip and somedomainadmin. (2005-02-28)
Note: ppp-2.4.3-5 or later includes a fix for a problem that prevented authentication of some usernames. (2005-05-13)
Note: these are the versions for Fedora Core 3, but you should choose the appropriate versions from the files available; PPP has a version for each distribution. (2005-02-28)
Note: DKMS is the Dynamic Kernel Module Support package. It builds kernel modules such as MPPE that were not part of the kernel source before version 2.6.15-rc1; the kernel_ppp_mppe package contains the module source. See Dell's Linux Community Projects list, the DKMS project page, or the Ottawa Linux Symposium paper on DKMS. (2005-11-16)
Note: the released version 2.4.3 of PPP contains the required winbind feature; some CVS versions prior to that release do not. (2005-02-22)
In /etc/samba/smb.conf:

```
[global]
    workgroup = YOURDOMAIN
    realm = YOURDOMAIN.COM
    server string = your-server-name
    load printers = no
    log file = /var/log/samba/%m.log
    security = ads
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    domain master = no
    preferred master = no
    wins server = your-wins-server-ip-address
    dns proxy = no
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    interfaces = your-server-ip lo
```
The details of configuring a firewall are outside the scope of this paper, but it should be set to allow:

For example, on Red Hat the iptables rules for talking with the Active Directory are:

where source is the subnet or IP address of the Active Directory server. (2005-02-23)
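As an added illustration of the firewall shape this setup needs (my own example, not the HOWTO's rules), the script below prints iptables rules that open only the PPTP control port and GRE on the outside interface and allow the Samba/winbind host to reach the domain controller on the ports Kerberos, LDAP, DNS, NTP, WINS and SMB use. WAN_IF and AD_SRC are assumptions, and the domain controller address is a constructed example value.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: generate iptables rules for a
# Linux pptpd host that authenticates VPN users against Active Directory.
# Rules are printed rather than applied so they can be reviewed first;
# assumed usage as root: { pptpd_rules; ad_rules; } | sh
WAN_IF="${WAN_IF:-eth0}"            # assumption: interface facing VPN clients
AD_SRC="${AD_SRC:-192.0.2.10}"      # constructed: domain controller address/subnet

# Inbound from VPN clients: the PPTP control channel (TCP 1723) and the GRE
# tunnel that carries the PPP/MPPE data (IP protocol 47). Nothing else needs
# to be opened on the outside interface for pptpd itself.
pptpd_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -p 47 -j ACCEPT
EOF
}

# Traffic to the domain controller only, from winbind, ntlm_auth and nmbd:
# DNS (53), Kerberos (88) and LDAP (389) over TCP and UDP; NTP (123, the
# clock-sync requirement for Kerberos) and NetBIOS name service for WINS
# (137) over UDP; NetBIOS session (139) and SMB (445) over TCP. Replies from
# the DC are accepted only as established/related traffic from AD_SRC.
ad_rules() {
    for port in 53 88 389; do
        echo "iptables -A OUTPUT -d $AD_SRC -p tcp --dport $port -j ACCEPT"
        echo "iptables -A OUTPUT -d $AD_SRC -p udp --dport $port -j ACCEPT"
    done
    for port in 123 137; do
        echo "iptables -A OUTPUT -d $AD_SRC -p udp --dport $port -j ACCEPT"
    done
    for port in 139 445; do
        echo "iptables -A OUTPUT -d $AD_SRC -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -s $AD_SRC -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
```

VPN clients never reach the domain controller through these rules; only the pptpd host itself does, which keeps the AD exposure limited to the authentication path.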
Note: the domain name needs to be in uppercase. (2005-02-23)
```
net join -U somedomainadmin
```
Note: this only needs to be done once, not on every boot; it is a one-time step that joins the computer to the Active Directory domain. Authenticating users with winbind won't work unless the computer is part of the domain. (2005-02-22)
In the pptpd configuration file (/etc/pptpd.conf on a standard install):

```
option /etc/ppp/options.pptpd
ppp /usr/local/sbin/pppd
localip your-tunnel-local-ip-address
remoteip your-tunnel-remote-ip-address-range
```
In /etc/ppp/options.pptpd:

```
lock
debug
nologfd
name pptpdev
nobsdcomp
proxyarp
refuse-pap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns your-first-domain-name-server-ip-address
ms-dns your-second-domain-name-server-ip-address
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
```
In /etc/sysctl.conf:

```
net.ipv4.ip_forward = 1
```
Note: the change to sysctl.conf takes effect on reboot; to make the change now, run "echo 1 > /proc/sys/net/ipv4/ip_forward". (2005-05-11)
```
chkconfig winbind on && service winbind start
```
Note: winbind is provided by the samba-common RPM on Fedora Core 3. The Samba smbd service does not need to be running, however; only winbind and nmbd are needed, and no file service is required. (2005-02-22)
```
/usr/local/sbin/pptpd
```
Note: this needs to be done on every reboot, so you may want to script it. (2005-02-22)
Note: sample init.d scripts are supplied in the .tar.gz and are deployed by the pptpd RPM. (2005-02-23)
Date | Change |
---|---|
2005-11-16 | Remove defaultroute and noauth, clarify nmbd requirement. Reported by Earl Tom. |
2005-11-16 | Skip MPPE kernel module if reader is using kernel 2.6.15-rc1 or later. |
2005-08-15 | In options.pptpd add the nologfd option, to prevent the serial line loopback problem discussed on the mailing list. Without nologfd, any output by a plugin may be sent to the pty, thus releasing the packet stream from the client. |
2005-05-12 | In smb.conf add interfaces clause, requested by Peter Mueller on mailing list. |
2005-05-11 | Change to ip_forward in sysctl.conf is not effective until reboot, so we show a workaround. |
2004-12-23 | Integrated comments from Peter Mueller. |
2004-12-22 | Adopted from mailing list posting, and followups in the thread. |