10. pptpd and winbindd
This section covers how to configure pptpd with winbindd and AD. If you are only working on the freeradius configuration, you may skip this section and go to the next one.
Most of the hard work has been done in the previous sections. You are very close to the final stage.
pptpd requires only winbindd, not smbd. Unless you are also using the pptpd server as a Samba file server, you do not need to run smbd. Start winbindd with the "service" command.
[root@pptp ~]# service winbind start
Starting Winbind services: [ OK ]
Winbind starts and spawns two winbindd processes (a parent and a child), as ps shows.
[root@pptp ~]# ps -ef | grep winbind | grep -v grep
root 18762 1 0 15:59 ? 00:00:00 winbindd
root 18763 18762 0 15:59 ? 00:00:00 winbindd
Wait a few minutes for winbindd to contact the domain controller, then test whether it is working. "wbinfo -t" checks the machine trust account secret against the domain and "wbinfo -u" lists the domain users; if neither command reports an error, you are in business.
[root@acna-pptp etc]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@acna-pptp etc]# wbinfo -u
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+SUPPORT_388945a0
EXAMPLE+DC1$
EXAMPLE+krbtgt
EXAMPLE+skwok
EXAMPLE+ldapuser
EXAMPLE+pptpdsvr$
To start winbind on boot, use the chkconfig command.
[root@pptp ~]# chkconfig winbind on
There are two configuration files for pptpd. The first is /etc/pptpd.conf, which you can keep largely as it is except for the IP address range used for the PPP connections. Edit the file and add two lines at the bottom to specify the local IP address and the IP address pool for remote connections:
localip 10.0.0.10
remoteip 10.0.0.101-200
10.0.0.10 is the IP address of the internal network card, eth0. remoteip is the address pool handed out to remote connections.
The second configuration file is /etc/ppp/options.pptpd. With all comments stripped out, my options.pptpd looks like this:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 10.0.0.1
ms-wins 10.0.0.1
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
After editing the two files, we can start pptpd and connect to it from a remote client. To enable it on boot and start it:
[root@pptp ~]# chkconfig pptpd on
[root@pptp ~]# service pptpd start
Starting pptpd: [ OK ]
The above configuration allows anyone with a valid user ID in the AD to connect to the pptpd server. To restrict access to a group of users, create a group, say VPN-Allowed, in the AD, add the users to it, and modify the ntlm_auth-helper line in /etc/ppp/options.pptpd:
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE+VPN-Allowed"
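The options.pptpd settings shown above and the --require-membership-of restriction together decide who can authenticate and with which protocols. The following POSIX shell audit, added here as an example and not part of the original page, checks a copy of options.pptpd for exactly those settings: PAP, CHAP and MS-CHAPv1 refused, MS-CHAPv2 and 128-bit MPPE required, and the ntlm_auth helper limited to an AD group. The two sample files it writes are constructed; the group name EXAMPLE+VPN-Allowed is taken from the line above.

```shell
# Added example, not from the original page: audit /etc/ppp/options.pptpd for
# the settings this section relies on. pppd accepts several options per line,
# so the file is tokenised on whitespace after stripping # comments.
REQUIRED_OPTS="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128"

# has_opt FILE OPTION: true if OPTION appears as a whole word outside comments.
has_opt() {
    sed 's/#.*//' "$1" | tr ' \t' '\n\n' | grep -qx -- "$2"
}
# check_pptpd_options FILE: print every failing check; return 0 only if all pass.
check_pptpd_options() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        has_opt "$1" "$opt" || { echo "MISSING: $opt"; rc=1; }
    done
    if ! grep -q 'ntlm_auth-helper' "$1"; then
        echo "MISSING: ntlm_auth-helper (winbind plugin not wired up)"; rc=1
    elif ! grep 'ntlm_auth-helper' "$1" | grep -q -- '--require-membership-of='; then
        echo "WARNING: no --require-membership-of, every AD account may connect"; rc=1
    fi
    return $rc
}

# make_sample hardened|weak: write a constructed sample (not the page's own
# file) to a temp file and print its path.
make_sample() {
    f=$(mktemp) || return 1
    if [ "$1" = hardened ]; then cat > "$f" <<'EOF'
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128 ms-dns 10.0.0.1
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=EXAMPLE+VPN-Allowed"
EOF
    else cat > "$f" <<'EOF'
refuse-pap
require-mschap-v2   # CHAP and MS-CHAPv1 still accepted, no MPPE required
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
EOF
    fi
    echo "$f"
}
for kind in hardened weak; do
    f=$(make_sample "$kind"); echo "== $kind =="
    check_pptpd_options "$f" && echo OK; rm -f "$f"
done
```

Run it against the real file with check_pptpd_options /etc/ppp/options.pptpd; a non-zero exit means at least one of the protections this section sets up is not in place.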
That's all on the server side. If winbind works for you, you can proceed to configure the client. The client PCs require special configuration, which is discussed here.