View difference between Paste ID: <a href="/ukmRq7wP">ukmRq7wP</a> and <a href="/3C8vn1Hp">3C8vn1Hp</a>

# -*- text -*-
1		# -- text --
2		#
3		# $Id: 18f600589b67177679b9521feb65b7fbb0200ac2 $
4
5		# Microsoft CHAP authentication
6		#
7		# This module supports MS-CHAP and MS-CHAPv2 authentication.
8		# It also enforces the SMB-Account-Ctrl attribute.
9		#
10		mschap {
11		#
12		# If you are using /etc/smbpasswd, see the 'passwd'
13		# module for an example of how to use /etc/smbpasswd
14
15		# if use_mppe is not set to no mschap will
16		# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
17		# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
18		#
19		# use_mppe = no
20
21		# if mppe is enabled require_encryption makes
22		# encryption moderate
23		#
24		# require_encryption = yes
25
26		# require_strong always requires 128 bit key
27		# encryption
28		#
29		# require_strong = yes
30
31		# The module can perform authentication itself, OR
32		# use a Windows Domain Controller. This configuration
33		# directive tells the module to call the ntlm_auth
34		# program, which will do the authentication, and return
35		# the NT-Key. Note that you MUST have "winbindd" and
36		# "nmbd" running on the local machine for ntlm_auth
37		# to work. See the ntlm_auth program documentation
38		# for details.
39		#
40		# If ntlm_auth is configured below, then the mschap
41		# module will call ntlm_auth for every MS-CHAP
42		# authentication request. If there is a cleartext
43		# or NT hashed password available, you can set
44		# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
45		# and the mschap module will do the authentication itself,
46		# without calling ntlm_auth.
47		#
48		# Be VERY careful when editing the following line!
49		#
50		# You can also try setting the user name as:
51		#
52		# ... --username=%{mschap:User-Name} ...
53		#
54		# In that case, the mschap module will look at the User-Name
55		# attribute, and do prefix/suffix checks in order to obtain
56		# the "best" user name for the request.
57		#
58	-	#ntlm_auth = "/usr/bin/systemd-run -q -M nsdc -t /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
58	+	ntlm_auth = "/usr/bin/nsdc-run -e /usr/bin/ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"
59	-	ntlm_auth = "nsdc-run -e /ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"
59	+
60		# complete. This is a long time, and if it's taking that
61		# long then you likely have other problems in your domain.
62		# The length of time can be decreased with the following
63		# option, which can save clients waiting if your ntlm_auth
64		# usually finishes quicker. Range 1 to 10 seconds.
65		#
66		# ntlm_auth_timeout = 10
67
68		# An alternative to using ntlm_auth is to connect to the
69		# winbind daemon directly for authentication. This option
70		# is likely to be faster and may be useful on busy systems,
71		# but is less well tested.
72		#
73		# Using this option requires libwbclient from Samba 4.2.1
74		# or later to be installed. Make sure that ntlm_auth above is
75		# commented out.
76		#
77		# winbind_username = "%{mschap:User-Name}"
78		# winbind_domain = "%{mschap:NT-Domain}"
79
80		# When using single sign-on with a winbind connection and the
81		# client uses a different casing for the username than the
82		# casing is according to the backend, reauth may fail because
83		# of some Windows internals. This switch tries to find the
84		# user in the correct casing in the backend, and retry
85		# authentication with that username.
86		#
87		# winbind_retry_with_normalised_username = no
88
89		#
90		# Information for the winbind connection pool. The configuration
91		# items below are the same for all modules which use the new
92		# connection pool.
93		#
94		pool {
95		# Connections to create during module instantiation.
96		# If the server cannot create specified number of
97		# connections during instantiation it will exit.
98		# Set to 0 to allow the server to start without the
99		# winbind daemon being available.
100		start = ${thread[pool].start_servers}
101
102		# Minimum number of connections to keep open
103		min = ${thread[pool].min_spare_servers}
104
105		# Maximum number of connections
106		#
107		# If these connections are all in use and a new one
108		# is requested, the request will NOT get a connection.
109		#
110		# Setting 'max' to LESS than the number of threads means
111		# that some threads may starve, and you will see errors
112		# like 'No connections available and at max connection limit'
113		#
114		# Setting 'max' to MORE than the number of threads means
115		# that there are more connections than necessary.
116		max = ${thread[pool].max_servers}
117
118		# Spare connections to be left idle
119		#
120		# NOTE: Idle connections WILL be closed if "idle_timeout"
121		# is set. This should be less than or equal to "max" above.
122		spare = ${thread[pool].max_spare_servers}
123
124		# Number of uses before the connection is closed
125		#
126		# 0 means "infinite"
127		uses = 0
128
129		# The number of seconds to wait after the server tries
130		# to open a connection, and fails. During this time,
131		# no new connections will be opened.
132		retry_delay = 30
133
134		# The lifetime (in seconds) of the connection
135		#
136		# NOTE: A setting of 0 means infinite (no limit).
137		lifetime = 86400
138
139		# The pool is checked for free connections every
140		# "cleanup_interval". If there are free connections,
141		# then one of them is closed.
142		cleanup_interval = 300
143
144		# The idle timeout (in seconds). A connection which is
145		# unused for this length of time will be closed.
146		#
147		# NOTE: A setting of 0 means infinite (no timeout).
148		idle_timeout = 600
149
150		# NOTE: All configuration settings are enforced. If a
151		# connection is closed because of "idle_timeout",
152		# "uses", or "lifetime", then the total number of
153		# connections MAY fall below "min". When that
154		# happens, it will open a new connection. It will
155		# also log a WARNING message.
156		#
157		# The solution is to either lower the "min" connections,
158		# or increase lifetime/idle_timeout.
159		}
160
161		passchange {
162		# This support MS-CHAPv2 (not v1) password change
163		# requests. See doc/mschap.rst for more IMPORTANT
164		# information.
165		#
166		# Samba/ntlm_auth - if you are using ntlm_auth to
167		# validate passwords, you will need to use ntlm_auth
168		# to change passwords. Uncomment the three lines
169		# below, and change the path to ntlm_auth.
170		#
171		# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
172		# ntlm_auth_username = "username: %{mschap:User-Name}"
173		# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
174
175		# To implement a local password change, you need to
176		# supply a string which is then expanded, so that the
177		# password can be placed somewhere. e.g. passed to a
178		# script (exec), or written to SQL (UPDATE/INSERT).
179		# We give both examples here, but only one will be
180		# used.
181		#
182		# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
183		#
184		# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
185		}
186
187		# For Apple Server, when running on the same machine as
188		# Open Directory. It has no effect on other systems.
189		#
190		# use_open_directory = yes
191
192		# On failure, set (or not) the MS-CHAP error code saying
193		# "retries allowed".
194		# allow_retry = yes
195
196		# An optional retry message.
197		# retry_msg = "Re-enter (or reset) the password"
198		}