Advertisement
Guest User

multiotpmschap

a guest
Jul 23rd, 2018
310
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # -*- text -*-
  2. #
  3. # $Id: 18f600589b67177679b9521feb65b7fbb0200ac2 $
  4.  
  5. # Microsoft CHAP authentication
  6. #
  7. # This module supports MS-CHAP and MS-CHAPv2 authentication.
  8. # It also enforces the SMB-Account-Ctrl attribute.
  9. #
  10. mschap multiotpmschap {
  11. #
  12. # If you are using /etc/smbpasswd, see the 'passwd'
  13. # module for an example of how to use /etc/smbpasswd
  14.  
  15. # if use_mppe is not set to no mschap will
  16. # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
  17. # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
  18. #
  19. # use_mppe = no
  20.  
  21. # if mppe is enabled require_encryption makes
  22. # encryption moderate
  23. #
  24. # require_encryption = yes
  25.  
  26. # require_strong always requires 128 bit key
  27. # encryption
  28. #
  29. # require_strong = yes
  30.  
  31. # The module can perform authentication itself, OR
  32. # use a Windows Domain Controller. This configuration
  33. # directive tells the module to call the ntlm_auth
  34. # program, which will do the authentication, and return
  35. # the NT-Key. Note that you MUST have "winbindd" and
  36. # "nmbd" running on the local machine for ntlm_auth
  37. # to work. See the ntlm_auth program documentation
  38. # for details.
  39. #
  40. # If ntlm_auth is configured below, then the mschap
  41. # module will call ntlm_auth for every MS-CHAP
  42. # authentication request. If there is a cleartext
  43. # or NT hashed password available, you can set
  44. # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
  45. # and the mschap module will do the authentication itself,
  46. # without calling ntlm_auth.
  47. #
  48. # Be VERY careful when editing the following line!
  49. #
  50. # You can also try setting the user name as:
  51. #
  52. # ... --username=%{mschap:User-Name} ...
  53. #
  54. # In that case, the mschap module will look at the User-Name
  55. # attribute, and do prefix/suffix checks in order to obtain
  56. # the "best" user name for the request.
  57. #
  58. # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
  59.  
  60. ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
  61.  
  62. # The default is to wait 10 seconds for ntlm_auth to
  63. # complete. This is a long time, and if it's taking that
  64. # long then you likely have other problems in your domain.
  65. # The length of time can be decreased with the following
  66. # option, which can save clients waiting if your ntlm_auth
  67. # usually finishes quicker. Range 1 to 10 seconds.
  68. #
  69. # ntlm_auth_timeout = 10
  70.  
  71. # An alternative to using ntlm_auth is to connect to the
  72. # winbind daemon directly for authentication. This option
  73. # is likely to be faster and may be useful on busy systems,
  74. # but is less well tested.
  75. #
  76. # Using this option requires libwbclient from Samba 4.2.1
  77. # or later to be installed. Make sure that ntlm_auth above is
  78. # commented out.
  79. #
  80. # winbind_username = "%{mschap:User-Name}"
  81. # winbind_domain = "%{mschap:NT-Domain}"
  82.  
  83. # When using single sign-on with a winbind connection and the
  84. # client uses a different casing for the username than the
  85. # casing is according to the backend, reauth may fail because
  86. # of some Windows internals. This switch tries to find the
  87. # user in the correct casing in the backend, and retry
  88. # authentication with that username.
  89. #
  90. # winbind_retry_with_normalised_username = no
  91.  
  92. #
  93. # Information for the winbind connection pool. The configuration
  94. # items below are the same for all modules which use the new
  95. # connection pool.
  96. #
  97. pool {
  98. # Connections to create during module instantiation.
  99. # If the server cannot create specified number of
  100. # connections during instantiation it will exit.
  101. # Set to 0 to allow the server to start without the
  102. # winbind daemon being available.
  103. start = ${thread[pool].start_servers}
  104.  
  105. # Minimum number of connections to keep open
  106. min = ${thread[pool].min_spare_servers}
  107.  
  108. # Maximum number of connections
  109. #
  110. # If these connections are all in use and a new one
  111. # is requested, the request will NOT get a connection.
  112. #
  113. # Setting 'max' to LESS than the number of threads means
  114. # that some threads may starve, and you will see errors
  115. # like 'No connections available and at max connection limit'
  116. #
  117. # Setting 'max' to MORE than the number of threads means
  118. # that there are more connections than necessary.
  119. max = ${thread[pool].max_servers}
  120.  
  121. # Spare connections to be left idle
  122. #
  123. # NOTE: Idle connections WILL be closed if "idle_timeout"
  124. # is set. This should be less than or equal to "max" above.
  125. spare = ${thread[pool].max_spare_servers}
  126.  
  127. # Number of uses before the connection is closed
  128. #
  129. # 0 means "infinite"
  130. uses = 0
  131.  
  132. # The number of seconds to wait after the server tries
  133. # to open a connection, and fails. During this time,
  134. # no new connections will be opened.
  135. retry_delay = 30
  136.  
  137. # The lifetime (in seconds) of the connection
  138. #
  139. # NOTE: A setting of 0 means infinite (no limit).
  140. lifetime = 86400
  141.  
  142. # The pool is checked for free connections every
  143. # "cleanup_interval". If there are free connections,
  144. # then one of them is closed.
  145. cleanup_interval = 300
  146.  
  147. # The idle timeout (in seconds). A connection which is
  148. # unused for this length of time will be closed.
  149. #
  150. # NOTE: A setting of 0 means infinite (no timeout).
  151. idle_timeout = 600
  152.  
  153. # NOTE: All configuration settings are enforced. If a
  154. # connection is closed because of "idle_timeout",
  155. # "uses", or "lifetime", then the total number of
  156. # connections MAY fall below "min". When that
  157. # happens, it will open a new connection. It will
  158. # also log a WARNING message.
  159. #
  160. # The solution is to either lower the "min" connections,
  161. # or increase lifetime/idle_timeout.
  162. }
  163.  
  164. passchange {
  165. # This support MS-CHAPv2 (not v1) password change
  166. # requests. See doc/mschap.rst for more IMPORTANT
  167. # information.
  168. #
  169. # Samba/ntlm_auth - if you are using ntlm_auth to
  170. # validate passwords, you will need to use ntlm_auth
  171. # to change passwords. Uncomment the three lines
  172. # below, and change the path to ntlm_auth.
  173. #
  174. # ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
  175. # ntlm_auth_username = "username: %{mschap:User-Name}"
  176. # ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
  177.  
  178. # To implement a local password change, you need to
  179. # supply a string which is then expanded, so that the
  180. # password can be placed somewhere. e.g. passed to a
  181. # script (exec), or written to SQL (UPDATE/INSERT).
  182. # We give both examples here, but only one will be
  183. # used.
  184. #
  185. # local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
  186. #
  187. # local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
  188. }
  189.  
  190. # For Apple Server, when running on the same machine as
  191. # Open Directory. It has no effect on other systems.
  192. #
  193. # use_open_directory = yes
  194.  
  195. # On failure, set (or not) the MS-CHAP error code saying
  196. # "retries allowed".
  197. # allow_retry = yes
  198.  
  199. # An optional retry message.
  200. # retry_msg = "Re-enter (or reset) the password"
  201. }
Advertisement
RAW Paste Data Copied
Advertisement