PopTop + MSCHAPv2 + Samba + Radius + Microsoft Active Directory + Fedora Howto
Copyright © 2005-2009 Wing S Kwok
by: Wing S Kwok
email: wskwok18 (at) gmail.com
Revision History:
- Release 1.5 - 22 March 2009
- - Added a section on how to restrict one connection per user
- Release 1.4 - 30 September 2008
- - Updated information of the Howto to focus on Fedora 8
- - Moved FC5/FC6 specific information to Appendix
- Release 1.3 - 19 May 2007
- - Added info on potential problem of selinux on pptpd
- - Added info to build rpm from pptpd tar ball
- - Updated version information of software
- Release 1.21 - 23 February 2007
- - Fixed up typo in dictionary.microsoft
- Release 1.2 - 15 January 2007
- - Added Fedora Core 6 information
- Release 1.1 - 25 September 2006
- - Updated version information on kernel, samba and pptpd
- Release 1.0 - 7 May 2006
- - Updated the Howto to focus on Fedora Core 5
- - Rearranged the order of steps to make the walkthrough more logical
- - Moved Fedora Core 4 specific info to Appendix
- Release 0.8 - 5 March 2006
- - Updated information on pptpd, samba version
- - Updated information on FC4 kernel version
- - Added info on changing MTU size
- Release 0.71 - 3 February 2006
- - Problem with kernel 2.6.15 and ppp-2.4.3-5 is Gentoo specific. Corrected the document.
- Release 0.7 -- 1 February 2006
- - Section 12.2 has been rewritten.
- - Updated information on Samba version.
- - Provided a link to information on problem with kernel 2.6.15 and ppp-2.4.3-5
- Release 0.6 -- 5 January 2006
- - Added a new section on pptp server administration.
- - Updated information on Samba version.
- Release 0.5 -- 17 November 2005
- - Included info on kernel 2.6.15-rc1 and MPPE support
- Release 0.4 -- 30 October 2005
- - Updated kernel-ppp-mppe version number
- Release 0.3 -- 23 October 2005
- - added the Acknowledgements section
- - added information on problem with FC4 2.6.13 kernel and mppe kernel module
- - added information on kernel upgrade and dkms_autoinstaller
- - added information on pptp access control
- - updated the software version info to reflect the latest available version
- Release 0.2 -- 23 September 2005
- - Rewrote part of the pptp client configuration section and included split tunneling information.
- Release 0.1 -- 12 September 2005
- - added Kerberos version information
- - added the full path of winbindd_privileged directory
- - fixed the VBScript which had a few lines missing
- - corrected a few typos
- First Release -- 5 September 2005
This document covers how to integrate Poptop with Microsoft Active Directory on Fedora 8. Two different implementations are described: a) winbind; and b) freeradius.
Table of Contents
- 1. Introduction
- 2. Disclaimer
- 3. Acknowledgements
- 4. The Test Environment
- 5. Fedora and SELINUX
- 6. Network Configuration
- 6.1 Default Route and Static Routes
- 6.2 Enable Packet Forwarding
- 7. Install MPPE Kernel Module
- 8. pppd and pptpd
- 8.1 pppd
- 8.2 Install pptpd
- 9. Samba
- 9.1 Configure Samba
- 10. Kerberos
- 10.1 Configure Kerberos
- 10.2 Test Kerberos
- 11. Join the AD Domain
- 12. pptpd and winbindd
- 12.1 Enable and Test winbindd
- 12.2 Configure pptpd
- 12.3 PPTP Access Control
- 13. Software for Radius Setup
- 14. Radiusclient
- 14.1 radiusclient.conf
- 14.2 dictionary.microsoft
- 15. Freeradius
- 15.1 Configure Freeradius for MSCHAPv2
- 15.2 PPTP Access Control
- 16. pptpd and freeradius
- 16.1 Enable freeradius
- 16.2 Configure pptpd
- 17. pptp Client Installation
- 17.1 Split Tunneling
- 18. pptp Server Administration
- 18.1 Who is Online?
- 18.2 Accounting
- 18.3 Disconnect a User
- 18.4 Allow One Connection per User
- A1. Install MPPE Module on Fedora Core 4 / 5 / 6
- A1.1 Fedora Core 5 / 6
- A1.2 Fedora Core 4
- A1.3 Kernel Upgrade and dkms_autoinstaller
- A2. Update pppd on Fedora Core 4 / 5 / 6
- A2.1 Fedora Core 5 / 6
- A2.2 Fedora Core 4
- A3. Samba for Fedora Core 4 / 5 / 6
- A3.1 Fedora Core 5 / 6
- A3.2 Fedora Core 4
- A4. Software for Radius Setup on Fedora Core 4 / 5 / 6
- A4.1 Fedora Core 5 / 6
- A4.2 Fedora Core 4
- A5. Radiusclient Configuration for Fedora 4 / 5 / 6
- A5.1 radiusclient.conf
- A5.2 dicitonary.microsoft
- A6. Configure Freeradius for MSCHAP2 on Fedora 4 / 5 / 6
1. Introduction
This document descibes how to build a Linux PPTP server with Poptop and use Microsoft Active Directory to authenticate users. There are a few howtos on this topic, such as the Replacing a Windows PPTP Server with Linux Howto created by Matt Alexander and maintained by James Cameron. Most of them, however, concentrate on Samba and winbind. I followed them and got it working in the test environment. Unfortunately, winbind does not scale very well in a AD setup which has thousands of objects. The AD in my work is a big tree. It spans across all continents and has thousands of users and groups. Winbind simply times out before it can harvest a complete list of users/groups.
The other way of doing it is with radius. Information on how to setup pptpd with radius against Active Directory is scarce. I can only find bits and pieces information from forums but never find any comprehensive documents. I spent days to try to get it configured properly. After countless frustrations and tears, I eventually got a working setup. I therefore decided to make this howto to document it. Hopefully, you will find it useful.
To make this howto complete, I include the winbind configuration as well although it may duplicate Matt's work.
Note:
- this howto is based on Fedora 8 and use pre-packaged RPMs whenever possible. If you are using other distributions or like to compile software, you will have to make the necessary adjustments.
- Information for Fedora Core 4/5/6 has been moved to Appendix and will not be updated anymore.
2. Disclaimer
This document is provided as is. I have tried my best to make it as accurate as I can but it may contain wrong information. Use it at your own risk.
Any comments on this document will be greatly appreciated..
3. Acknowledgements
Thanks to the following individuals who provided feedback and suggestions to make this document better.
Peter Mueller - suggested to add information on Kerberos version (R0.1)
Francis Lessard - provided details on implementing pptp access control (R0.3)
James Cameron - provided info on MPPE support on kernel v2.6.15-rc1 (R0.5)
Phil Oester - pointed out the kernel-2.6.15/ppp-2.4.3-5 problem is Gentoo specific (R0.71)
Nicolas Ross - pointed out typo in dictionary.microsoft (R1.21)
Frederick Chapleau - info on the potential problem of SELINUX on PPTPD (R1.3)
Next
Content