Ron Wahler
2003-Oct-31 20:58 UTC
FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
I don't want to use a VPN to solve this one.

I am really wondering with (Samba 3.x) when the Linux box becomes part of
the AD domain, does it get special privileges?

> Hi, I am not sure if I understand your needs, but maybe this helps.
> These links guide you to set up a PPTP server and client for Linux:
> http://www.poptop.org/
> http://pptpclient.sourceforge.net/
> There are patches to use smbpasswd to auth
> users which are connected via pptpd
> and MSCHAPv2 with domain.
> The PPTP client should work for logging in to RAS servers.
> RADIUS should work too (RADIUS auth to LDAP should work).
> Good luck
Andrew Bartlett
2003-Oct-31 22:38 UTC
FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
On Sat, 2003-11-01 at 07:58, Ron Wahler wrote:
>
> I don't want to use a VPN to solve this one.

So this is for dial-in only?

> I am really wondering with (Samba 3.x) when the Linux box becomes part of
> the AD domain, does it get special privileges?

Its machine trust account gains privileges to validate NTLM (and
MSCHAP/MSCHAPv2) authentication attempts against the DC, as well as any
other rights you grant it.

I have been implementing a system that allows pppd to authenticate
against an NT (and AD) domain controller, using MSCHAP/MSCHAPv2.

It will find a better home sometime, but my working copy is at:

http://hawkerc.net/staff/abartlet/comp3700

It is a patch for pppd, to use Samba 3.0's winbind, and ntlm_auth to
perform this authentication.

Andrew Bartlett

> > Hi, I am not sure if I understand your needs, but maybe this helps.
> > These links guide you to set up a PPTP server and client for Linux:
> > http://www.poptop.org/
> > http://pptpclient.sourceforge.net/
> > There are patches to use smbpasswd to auth
> > users which are connected via pptpd
> > and MSCHAPv2 with domain.
> > The PPTP client should work for logging in to RAS servers.
> > RADIUS should work too (RADIUS auth to LDAP should work).
> > Good luck

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Ron Wahler
2003-Nov-04 15:04 UTC
FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
The authentication request comes in over RADIUS to the Linux box.
I then need a way to authenticate to Active Directory with MS-CHAPv2
passwords.
I currently use LDAP binds to authenticate the user, but that does not
work with MS-CHAPv2.

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Friday, October 31, 2003 3:39 PM
> To: Ron Wahler
> Cc: samba@lists.samba.org
> Subject: Re: FW: [Samba] MSCHAPv2 microsoft client/linux/ActiveDirectory
>
> On Sat, 2003-11-01 at 07:58, Ron Wahler wrote:
> >
> > I don't want to use a VPN to solve this one.
>
> So this is for dial-in only?
>
> > I am really wondering with (Samba 3.x) when the Linux box becomes part of
> > the AD domain, does it get special privileges?
>
> Its machine trust account gains privileges to validate NTLM (and
> MSCHAP/MSCHAPv2) authentication attempts against the DC, as well as any
> other rights you grant it.
>
> I have been implementing a system that allows pppd to authenticate
> against an NT (and AD) domain controller, using MSCHAP/MSCHAPv2.
>
> It will find a better home sometime, but my working copy is at:
>
> http://hawkerc.net/staff/abartlet/comp3700
>
> It is a patch for pppd, to use Samba 3.0's winbind, and ntlm_auth to
> perform this authentication.
>
> Andrew Bartlett
>
> > > Hi, I am not sure if I understand your needs, but maybe this helps.
> > > These links guide you to set up a PPTP server and client for Linux:
> > > http://www.poptop.org/
> > > http://pptpclient.sourceforge.net/
> > > There are patches to use smbpasswd to auth
> > > users which are connected via pptpd
> > > and MSCHAPv2 with domain.
> > > The PPTP client should work for logging in to RAS servers.
> > > RADIUS should work too (RADIUS auth to LDAP should work).
> > > Good luck
>
> --
> Andrew Bartlett abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet@samba.org
> Student Network Administrator, Hawker College abartlet@hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
Ron Wahler
2003-Nov-05 14:21 UTC
FW: [Samba] MSCHAPv2 microsoft client/linux/Active Directory
Agreed, this would be nice, and the only option at this point
is to proxy the RADIUS request to IAS.

Is there a link to read up on ntlm_auth?

Ron.

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Tuesday, November 04, 2003 3:33 PM
> To: Ron Wahler
> Cc: samba@lists.samba.org
> Subject: Re: FW: [Samba] MSCHAPv2 microsoft client/linux/ActiveDirectory
>
> On Tue, Nov 04, 2003 at 08:04:07AM -0700, Ron Wahler wrote:
> >
> > The authentication request comes in over RADIUS to the Linux box.
> > I then need a way to authenticate to Active Directory with MS-CHAPv2
> > passwords.
> > I currently use LDAP binds to authenticate the user, but that does not
> > work with MS-CHAPv2.
>
> Your options are to either use the MS RADIUS server (IAS I think it is
> called) or to help create a plugin from FreeRADIUS that calls
> ntlm_auth. I don't think it could be really that hard...
>
> I want to see this work, so if there is any help I can provide (in
> particular on how to use ntlm_auth) then just yell. The same applied
> to any FreeRADIUS developers you manage to rope into this :-)
>
> Andrew Bartlett
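
Added example, not part of the thread and not Samba or FreeRADIUS code: what a RADIUS-side helper would hand to ntlm_auth for an MS-CHAPv2 request, the approach suggested in the quoted reply above. The helper names are hypothetical, the challenge values are the RFC 2759 section 9.2 test vectors, and the NT_KEY line is constructed; it assumes ntlm_auth is on PATH on a winbind-joined host.

```python
import hashlib
import re

# RFC 2759 section 9.2 test vectors (user "User").
PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || user name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    # Assumption: a DOMAIN\ prefix is dropped before hashing.
    bare_user = user.rpartition("\\")[2]
    data = peer_challenge + auth_challenge + bare_user.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def ntlm_auth_argv(user, peer_challenge, auth_challenge, nt_response):
    """Build the ntlm_auth command line as a list (hypothetical helper).

    A list handed to subprocess.run() without a shell keeps a hostile
    User-Name from being interpreted as shell syntax.
    """
    if len(nt_response) != 24:
        raise ValueError("NT-Response is 24 bytes")
    domain, _, name = user.rpartition("\\")
    if not name:
        raise ValueError("empty user name")
    argv = ["ntlm_auth", "--request-nt-key", f"--username={name}"]
    if domain:
        argv.append(f"--domain={domain}")
    chal = challenge_hash(peer_challenge, auth_challenge, user)
    argv += [f"--challenge={chal.hex()}", f"--nt-response={nt_response.hex()}"]
    return argv

def parse_nt_key(stdout: str):
    """Return the 16-byte NT key from ntlm_auth output, or None on failure."""
    m = re.search(r"^NT_KEY: ([0-9A-Fa-f]{32})\s*$", stdout, re.M)
    return bytes.fromhex(m.group(1)) if m else None

if __name__ == "__main__":
    print(" ".join(ntlm_auth_argv("BIGCO\\User", PEER, AUTH, NT_RESPONSE)))
    # Constructed sample of a successful reply; real output comes from
    # subprocess.run(argv, capture_output=True, text=True).stdout
    print(parse_nt_key("NT_KEY: 00112233445566778899AABBCCDDEEFF\n"))
```

The Linux box never sees the cleartext password here, which is why an LDAP bind cannot serve an MS-CHAPv2 request; the domain controller checks the response on behalf of the machine trust account.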