SHOW:
|
|
- or go back to the newest paste.
1 | # -*- text -*- | |
2 | # | |
3 | # $Id: 18f600589b67177679b9521feb65b7fbb0200ac2 $ | |
4 | ||
5 | # Microsoft CHAP authentication | |
6 | # | |
7 | # This module supports MS-CHAP and MS-CHAPv2 authentication. | |
8 | # It also enforces the SMB-Account-Ctrl attribute. | |
9 | # | |
10 | mschap { | |
11 | # | |
12 | # If you are using /etc/smbpasswd, see the 'passwd' | |
13 | # module for an example of how to use /etc/smbpasswd | |
14 | ||
15 | # if use_mppe is not set to no mschap will | |
16 | # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and | |
17 | # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 | |
18 | # | |
19 | # use_mppe = no | |
20 | ||
21 | # if mppe is enabled require_encryption makes | |
22 | # encryption moderate | |
23 | # | |
24 | # require_encryption = yes | |
25 | ||
26 | # require_strong always requires 128 bit key | |
27 | # encryption | |
28 | # | |
29 | # require_strong = yes | |
30 | ||
31 | # The module can perform authentication itself, OR | |
32 | # use a Windows Domain Controller. This configuration | |
33 | # directive tells the module to call the ntlm_auth | |
34 | # program, which will do the authentication, and return | |
35 | # the NT-Key. Note that you MUST have "winbindd" and | |
36 | # "nmbd" running on the local machine for ntlm_auth | |
37 | # to work. See the ntlm_auth program documentation | |
38 | # for details. | |
39 | # | |
40 | # If ntlm_auth is configured below, then the mschap | |
41 | # module will call ntlm_auth for every MS-CHAP | |
42 | # authentication request. If there is a cleartext | |
43 | # or NT hashed password available, you can set | |
44 | # "MS-CHAP-Use-NTLM-Auth := No" in the control items, | |
45 | # and the mschap module will do the authentication itself, | |
46 | # without calling ntlm_auth. | |
47 | # | |
48 | # Be VERY careful when editing the following line! | |
49 | # | |
50 | # You can also try setting the user name as: | |
51 | # | |
52 | # ... --username=%{mschap:User-Name} ... | |
53 | # | |
54 | # In that case, the mschap module will look at the User-Name | |
55 | # attribute, and do prefix/suffix checks in order to obtain | |
56 | # the "best" user name for the request. | |
57 | # | |
58 | - | #ntlm_auth = "/usr/bin/systemd-run -q -M nsdc -t /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" |
58 | + | ntlm_auth = "/usr/bin/nsdc-run -e /usr/bin/ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}" |
59 | - | ntlm_auth = "nsdc-run -e /ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}" |
59 | + | |
60 | # complete. This is a long time, and if it's taking that | |
61 | # long then you likely have other problems in your domain. | |
62 | # The length of time can be decreased with the following | |
63 | # option, which can save clients waiting if your ntlm_auth | |
64 | # usually finishes quicker. Range 1 to 10 seconds. | |
65 | # | |
66 | # ntlm_auth_timeout = 10 | |
67 | ||
68 | # An alternative to using ntlm_auth is to connect to the | |
69 | # winbind daemon directly for authentication. This option | |
70 | # is likely to be faster and may be useful on busy systems, | |
71 | # but is less well tested. | |
72 | # | |
73 | # Using this option requires libwbclient from Samba 4.2.1 | |
74 | # or later to be installed. Make sure that ntlm_auth above is | |
75 | # commented out. | |
76 | # | |
77 | # winbind_username = "%{mschap:User-Name}" | |
78 | # winbind_domain = "%{mschap:NT-Domain}" | |
79 | ||
80 | # When using single sign-on with a winbind connection and the | |
81 | # client uses a different casing for the username than the | |
82 | # casing is according to the backend, reauth may fail because | |
83 | # of some Windows internals. This switch tries to find the | |
84 | # user in the correct casing in the backend, and retry | |
85 | # authentication with that username. | |
86 | # | |
87 | # winbind_retry_with_normalised_username = no | |
88 | ||
89 | # | |
90 | # Information for the winbind connection pool. The configuration | |
91 | # items below are the same for all modules which use the new | |
92 | # connection pool. | |
93 | # | |
94 | pool { | |
95 | # Connections to create during module instantiation. | |
96 | # If the server cannot create specified number of | |
97 | # connections during instantiation it will exit. | |
98 | # Set to 0 to allow the server to start without the | |
99 | # winbind daemon being available. | |
100 | start = ${thread[pool].start_servers} | |
101 | ||
102 | # Minimum number of connections to keep open | |
103 | min = ${thread[pool].min_spare_servers} | |
104 | ||
105 | # Maximum number of connections | |
106 | # | |
107 | # If these connections are all in use and a new one | |
108 | # is requested, the request will NOT get a connection. | |
109 | # | |
110 | # Setting 'max' to LESS than the number of threads means | |
111 | # that some threads may starve, and you will see errors | |
112 | # like 'No connections available and at max connection limit' | |
113 | # | |
114 | # Setting 'max' to MORE than the number of threads means | |
115 | # that there are more connections than necessary. | |
116 | max = ${thread[pool].max_servers} | |
117 | ||
118 | # Spare connections to be left idle | |
119 | # | |
120 | # NOTE: Idle connections WILL be closed if "idle_timeout" | |
121 | # is set. This should be less than or equal to "max" above. | |
122 | spare = ${thread[pool].max_spare_servers} | |
123 | ||
124 | # Number of uses before the connection is closed | |
125 | # | |
126 | # 0 means "infinite" | |
127 | uses = 0 | |
128 | ||
129 | # The number of seconds to wait after the server tries | |
130 | # to open a connection, and fails. During this time, | |
131 | # no new connections will be opened. | |
132 | retry_delay = 30 | |
133 | ||
134 | # The lifetime (in seconds) of the connection | |
135 | # | |
136 | # NOTE: A setting of 0 means infinite (no limit). | |
137 | lifetime = 86400 | |
138 | ||
139 | # The pool is checked for free connections every | |
140 | # "cleanup_interval". If there are free connections, | |
141 | # then one of them is closed. | |
142 | cleanup_interval = 300 | |
143 | ||
144 | # The idle timeout (in seconds). A connection which is | |
145 | # unused for this length of time will be closed. | |
146 | # | |
147 | # NOTE: A setting of 0 means infinite (no timeout). | |
148 | idle_timeout = 600 | |
149 | ||
150 | # NOTE: All configuration settings are enforced. If a | |
151 | # connection is closed because of "idle_timeout", | |
152 | # "uses", or "lifetime", then the total number of | |
153 | # connections MAY fall below "min". When that | |
154 | # happens, it will open a new connection. It will | |
155 | # also log a WARNING message. | |
156 | # | |
157 | # The solution is to either lower the "min" connections, | |
158 | # or increase lifetime/idle_timeout. | |
159 | } | |
160 | ||
161 | passchange { | |
162 | # This support MS-CHAPv2 (not v1) password change | |
163 | # requests. See doc/mschap.rst for more IMPORTANT | |
164 | # information. | |
165 | # | |
166 | # Samba/ntlm_auth - if you are using ntlm_auth to | |
167 | # validate passwords, you will need to use ntlm_auth | |
168 | # to change passwords. Uncomment the three lines | |
169 | # below, and change the path to ntlm_auth. | |
170 | # | |
171 | # ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" | |
172 | # ntlm_auth_username = "username: %{mschap:User-Name}" | |
173 | # ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}" | |
174 | ||
175 | # To implement a local password change, you need to | |
176 | # supply a string which is then expanded, so that the | |
177 | # password can be placed somewhere. e.g. passed to a | |
178 | # script (exec), or written to SQL (UPDATE/INSERT). | |
179 | # We give both examples here, but only one will be | |
180 | # used. | |
181 | # | |
182 | # local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}" | |
183 | # | |
184 | # local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}" | |
185 | } | |
186 | ||
187 | # For Apple Server, when running on the same machine as | |
188 | # Open Directory. It has no effect on other systems. | |
189 | # | |
190 | # use_open_directory = yes | |
191 | ||
192 | # On failure, set (or not) the MS-CHAP error code saying | |
193 | # "retries allowed". | |
194 | # allow_retry = yes | |
195 | ||
196 | # An optional retry message. | |
197 | # retry_msg = "Re-enter (or reset) the password" | |
198 | } |