Poptop MSCHAP2 ADS Howto

10. pptpd and winbindd

The section covers how to configure pptpd + winbindd + AD. If you are working on the freeradius configuration, you may skip this section and go to the next one.

Most of the hard work has been done in the previous sections. You are very close to the final stage.

10.1 Enable and Test winbindd

pptpd requires only winbindd but not smbd. If you are not using the pptpd server as a samba file server, you will not need to run smbd. Start winbindd with the "service" command.

[root@pptp ~]# service winbind start
Starting Winbind services: [  OK  ]

Winbind starts and spawns two threads.

[root@pptp ~]# ps -ef | grep winbind | grep -v grep
root     18762     1  0 15:59 ?        00:00:00 winbindd
root     18763 18762  0 15:59 ?        00:00:00 winbindd

Wait a few minutes for winbindd to contact the domain controller. Then we can test if winbindd is working fine. If you see no error messages from the wbinfo command, you are in business.

[root@acna-pptp etc]# wbinfo -t
checking the trust secret via RPC calls succeeded

[root@acna-pptp etc]# wbinfo -u
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+SUPPORT_388945a0
EXAMPLE+DC1$
EXAMPLE+krbtgt
EXAMPLE+skwok
EXAMPLE+ldapuser
EXAMPLE+pptpdsvr$

To enable winbind on bootup, use the chkconfig command.

[root@pptp ~]# chkconfig winbind on

10.2 Configure pptpd

There are two configuration files for pptpd. The first one is /etc/pptpd.conf. You can very much keep it as it is except the ip address range for the ppp connections. Edit the file and add two lines at the bottom to specify the local ip address and the ip address pool for the remote connections.

localip 10.0.0.10
remoteip 10.0.0.101-200

10.0.0.10 is the ip address of the internal network card eth0. The remoteip is the address pool for the remote connections.

The second configuration file is /etc/ppp/options.pptpd. I stripped off all remarks from my options.pptpd and it is like this:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 10.0.0.1
ms-wins 10.0.0.1
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

After fixing the two files, we can start pptpd and connect to it from remote client. To start it:

[root@pptp ~]# chkconfig pptpd on

[root@pptp ~]# service pptpd start
Starting pptpd: [  OK  ]

10.3 PPTP Access Control

The above configuration allows everyone with a valid userID in the AD to connect to the pptpd server. If you want to restrict access to a group of users, you can create a group, say VPN_Allowed, in the AD. Add users to the group and modify the ntml_auth-helper line in the /etc/ppp/options.pptpd:

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE+VPN-Allowed"

That's all on the server side. If winbind works for you, you can proceed to configure the client. The client PCs require special configurations and is discussed in here.

Next Previous Content