# -*- text -*-
#
#  $Id$

#
#  Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
	#
	#  If you are using /etc/smbpasswd, see the 'passwd'
	#  module for an example of how to use /etc/smbpasswd
	#

	#
	#  If use_mppe is not set to "no", mschap will add
	#  MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	#  MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
	#  These attributes carry the keying material the NAS
	#  uses for MPPE link encryption.
	#
#	use_mppe = no

	#
	#  If MPPE is enabled, require_encryption tells the NAS
	#  that encryption is required for the session, rather
	#  than merely permitted.
	#
#	require_encryption = yes

	#
	#  require_strong always requires 128 bit key
	#  encryption.  Without it the NAS may negotiate a
	#  shorter (40 or 56 bit) MPPE key.
	#
#	require_strong = yes

	#
	#  This module can perform authentication itself, OR
	#  use a Windows Domain Controller.  This configuration
	#  directive tells the module to call the ntlm_auth
	#  program, which will do the authentication, and return
	#  the NT-Key.  Note that you MUST have "winbindd" and
	#  "nmbd" running on the local machine for ntlm_auth
	#  to work.  See the ntlm_auth program documentation
	#  for details.
	#
	#  If ntlm_auth is configured below, then the mschap
	#  module will call ntlm_auth for every MS-CHAP
	#  authentication request.  If there is a cleartext
	#  or NT hashed password available, you can set
	#  "MS-CHAP-Use-NTLM-Auth := No" in the control items,
	#  and the mschap module will do the authentication itself,
	#  without calling ntlm_auth.
	#
	#  Be VERY careful when editing the following line!
	#
	#  The string is the exact command line the module runs;
	#  a typo silently breaks every MS-CHAP authentication.
	#  Use an absolute path to ntlm_auth, and make sure the
	#  binary (and its directory) is not writable by
	#  unprivileged users, since it is executed on every
	#  request with attributes taken from that request.
	#
	#  The "%{%{X}:-default}" forms supply fallbacks: a missing
	#  Stripped-User-Name falls back to User-Name and then to
	#  the literal "None", and a missing challenge or NT
	#  response falls back to "00".
	#
	#  You can also try setting the user name as:
	#
	#	... --username=%{mschap:User-Name} ...
	#
	#  In that case, the mschap module will look at the User-Name
	#  attribute, and do prefix/suffix checks in order to obtain
	#  the "best" user name for the request.
	#
	#  For Samba 4, you should also set the "ntlm auth" parameter
	#  in the Samba configuration:
	#
	#	ntlm auth = yes
	#
	#  or
	#
	#	ntlm auth = mschapv2-and-ntlmv2-only
	#
	#  This will let Samba 4 accept the MS-CHAP authentication
	#  method that is needed by FreeRADIUS.  The second form
	#  is the narrower of the two, as it enables only what
	#  MS-CHAPv2 needs.
	#
	#  Depending on the Samba version, you may also need to add:
	#
	#	--allow-mschapv2
	#
	#  to the command-line parameters.
	#
#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	#
	#  The default is to wait 10 seconds for ntlm_auth to
	#  complete.  This is a long time, and if it's taking that
	#  long then you likely have other problems in your domain.
	#  The length of time can be decreased with the following
	#  option, which can save clients waiting if your ntlm_auth
	#  usually finishes quicker.  Range 1 to 10 seconds.
	#
#	ntlm_auth_timeout = 10

	#
	#  An alternative to using ntlm_auth is to connect to the
	#  winbind daemon directly for authentication.  This option
	#  is likely to be faster and may be useful on busy systems,
	#  but is less well tested.
	#
	#  Using this option requires libwbclient from Samba 4.2.1
	#  or later to be installed.  Make sure that ntlm_auth above is
	#  commented out, so that only one of the two mechanisms
	#  is active.
	#
#	winbind_username = "%{mschap:User-Name}"
#	winbind_domain = "%{mschap:NT-Domain}"

	#
	#  When using single sign-on with a winbind connection and the
	#  client uses a different casing for the username than the
	#  backend does, reauthentication may fail because of some
	#  Windows internals.  This switch tries to find the user in
	#  the correct casing in the backend, and retries
	#  authentication with that username.
	#
#	winbind_retry_with_normalised_username = no

	#
	#  Information for the winbind connection pool.  The configuration
	#  items below are the same for all modules which use the new
	#  connection pool.
	#
	pool {
		#
		#  Connections to create during module instantiation.
		#  If the server cannot create the specified number of
		#  connections during instantiation it will exit.
		#  Set to 0 to allow the server to start without the
		#  winbind daemon being available.
		#
		start = ${thread[pool].start_servers}

		#
		#  Minimum number of connections to keep open
		#
		min = ${thread[pool].min_spare_servers}

		#
		#  Maximum number of connections
		#
		#  If these connections are all in use and a new one
		#  is requested, the request will NOT get a connection.
		#
		#  Setting 'max' to LESS than the number of threads means
		#  that some threads may starve, and you will see errors
		#  like 'No connections available and at max connection limit'
		#
		#  Setting 'max' to MORE than the number of threads means
		#  that there are more connections than necessary.
		#
		max = ${thread[pool].max_servers}

		#
		#  Spare connections to be left idle
		#
		#  NOTE: Idle connections WILL be closed if "idle_timeout"
		#  is set.  This should be less than or equal to "max" above.
		#
		spare = ${thread[pool].max_spare_servers}

		#
		#  Number of uses before the connection is closed
		#
		#  0 means "infinite"
		#
		uses = 0

		#
		#  The number of seconds to wait after the server tries
		#  to open a connection, and fails.  During this time,
		#  no new connections will be opened.
		#
		retry_delay = 30

		#
		#  The lifetime (in seconds) of the connection
		#
		#  NOTE: A setting of 0 means infinite (no limit).
		#
		lifetime = 86400

		#
		#  The pool is checked for free connections every
		#  "cleanup_interval" (seconds).  If there are free
		#  connections, then one of them is closed.
		#
		cleanup_interval = 300

		#
		#  The idle timeout (in seconds).  A connection which is
		#  unused for this length of time will be closed.
		#
		#  NOTE: A setting of 0 means infinite (no timeout).
		#
		idle_timeout = 600

		#
		#  NOTE: All configuration settings are enforced.  If a
		#  connection is closed because of "idle_timeout",
		#  "uses", or "lifetime", then the total number of
		#  connections MAY fall below "min".  When that
		#  happens, it will open a new connection.  It will
		#  also log a WARNING message.
		#
		#  The solution is to either lower the "min" connections,
		#  or increase lifetime/idle_timeout.
		#
	}

	passchange {
		#
		#  This supports MS-CHAPv2 (not v1) password change
		#  requests.  See doc/mschap.rst for more IMPORTANT
		#  information.
		#
		#  Samba/ntlm_auth - if you are using ntlm_auth to
		#  validate passwords, you will need to use ntlm_auth
		#  to change passwords.  Uncomment the three lines
		#  below, and change the path to ntlm_auth.
		#
#		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
#		ntlm_auth_username = "username: %{mschap:User-Name}"
#		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"

		#
		#  To implement a local password change, you need to
		#  supply a string which is then expanded, so that the
		#  password can be placed somewhere.  e.g. passed to a
		#  script (exec), or written to SQL (UPDATE/INSERT).
		#  We give both examples here, but only one will be
		#  used.
		#
		#  exec example: note that the new CLEARTEXT password is
		#  passed to the script as a command-line argument, which
		#  is visible to other local users via the process list
		#  for as long as the script runs.  Prefer a script that
		#  stores only a hash, and keep it short-lived.
		#
#		local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
		#
		#  SQL example: writes the new NT hash (not the cleartext)
		#  into radcheck as an NT-Password check item.  It uses
		#  SQL-User-Name rather than User-Name because rlm_sql
		#  sets SQL-User-Name to an escaped copy of the user name
		#  that is safe to place inside a query.
		#
#		local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
	}

	#
	#  For Apple Server, when running on the same machine as
	#  Open Directory.  It has no effect on other systems.
	#
#	use_open_directory = yes

	#
	#  On failure, set (or not) the MS-CHAP error code saying
	#  "retries allowed".
	#
#	allow_retry = yes

	#
	#  An optional retry message, returned to the client
	#  alongside the failure when allow_retry is in effect.
	#
#	retry_msg = "Re-enter (or reset) the password"
}