# -*- text -*-
#
#  $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $

#
#  Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
#  NOTE(review): on its own, MS-CHAP/MS-CHAPv2 protects the password
#  only with a challenge/response exchange that is generally regarded
#  as weak. The usual deployment runs it as an inner method inside a
#  TLS tunnel (e.g. PEAP or EAP-TTLS) so the exchange is never visible
#  on the wire. Confirm that this matches how the module is used here.
#
mschap {
	#
	#  If you are using /etc/smbpasswd, see the 'passwd'
	#  module for an example of how to use /etc/smbpasswd
	#

	#
	#  If use_mppe is not set to "no", mschap will
	#  add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	#  MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
	#
#	use_mppe = no

	#
	#  If MPPE is enabled, require_encryption tells the client
	#  that encryption is required rather than merely allowed.
	#
#	require_encryption = yes

	#
	#  require_strong always requires 128 bit key
	#  encryption
	#
#	require_strong = yes

	#
	#  This module can perform authentication itself, OR
	#  use a Windows Domain Controller.  This configuration
	#  directive tells the module to call the ntlm_auth
	#  program, which will do the authentication, and return
	#  the NT-Key.  Note that you MUST have "winbindd" and
	#  "nmbd" running on the local machine for ntlm_auth
	#  to work.  See the ntlm_auth program documentation
	#  for details.
	#
	#  If ntlm_auth is configured below, then the mschap
	#  module will call ntlm_auth for every MS-CHAP
	#  authentication request.  If there is a cleartext
	#  or NT hashed password available, you can set
	#  "MS-CHAP-Use-NTLM-Auth := No" in the control items,
	#  and the mschap module will do the authentication itself,
	#  without calling ntlm_auth.
	#
	#  Be VERY careful when editing the following line!
	#
	#  NOTE(review): the user name expanded into this command
	#  comes from the client request.  Keep the argument form
	#  shown here, and do not wrap the command in a shell or
	#  add further expansions without checking how the server
	#  passes arguments to the external program.
	#
	#  You can also try setting the user name as:
	#
	#	... --username=%{mschap:User-Name} ...
	#
	#  In that case, the mschap module will look at the User-Name
	#  attribute, and do prefix/suffix checks in order to obtain
	#  the "best" user name for the request.
	#
	#  For Samba 4, you should also set the "ntlm auth" parameter
	#  in the Samba configuration:
	#
	#	ntlm auth = yes
	#
	#  or
	#
	#	ntlm auth = mschapv2-and-ntlmv2-only
	#
	#  This will let Samba 4 accept the MS-CHAP authentication
	#  method that is needed by FreeRADIUS.
	#
	#  Depending on the Samba version, you may also need to add:
	#
	#	--allow-mschapv2
	#
	#  to the command-line parameters.
	#
#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	#
	#  The default is to wait 10 seconds for ntlm_auth to
	#  complete.  This is a long time, and if it's taking that
	#  long then you likely have other problems in your domain.
	#  The length of time can be decreased with the following
	#  option, which can save clients waiting if your ntlm_auth
	#  usually finishes quicker.  Range 1 to 10 seconds.
	#
#	ntlm_auth_timeout = 10

	#
	#  An alternative to using ntlm_auth is to connect to the
	#  winbind daemon directly for authentication.  This option
	#  is likely to be faster and may be useful on busy systems,
	#  but is less well tested.
	#
	#  Using this option requires libwbclient from Samba 4.2.1
	#  or later to be installed.  Make sure that ntlm_auth above is
	#  commented out.
	#
#	winbind_username = "%{mschap:User-Name}"
#	winbind_domain = "%{mschap:NT-Domain}"

	#
	#  When using single sign-on with a winbind connection and the
	#  client uses a different casing for the username than the
	#  casing is according to the backend, reauth may fail because
	#  of some Windows internals.  This switch tries to find the
	#  user in the correct casing in the backend, and retries
	#  authentication with that username.
	#
#	winbind_retry_with_normalised_username = no

	#
	#  Information for the winbind connection pool.  The configuration
	#  items below are the same for all modules which use the new
	#  connection pool.
	#
	pool {
		#
		#  Connections to create during module instantiation.
		#  If the server cannot create the specified number of
		#  connections during instantiation it will exit.
		#  Set to 0 to allow the server to start without the
		#  winbind daemon being available.
		#
		start = ${thread[pool].start_servers}

		#
		#  Minimum number of connections to keep open
		#
		min = ${thread[pool].min_spare_servers}

		#
		#  Maximum number of connections
		#
		#  If these connections are all in use and a new one
		#  is requested, the request will NOT get a connection.
		#
		#  Setting 'max' to LESS than the number of threads means
		#  that some threads may starve, and you will see errors
		#  like 'No connections available and at max connection limit'
		#
		#  Setting 'max' to MORE than the number of threads means
		#  that there are more connections than necessary.
		#
		max = ${thread[pool].max_servers}

		#
		#  Spare connections to be left idle
		#
		#  NOTE: Idle connections WILL be closed if "idle_timeout"
		#  is set.  This should be less than or equal to "max" above.
		#
		spare = ${thread[pool].max_spare_servers}

		#
		#  Number of uses before the connection is closed
		#
		#  0 means "infinite"
		#
		uses = 0

		#
		#  The number of seconds to wait after the server tries
		#  to open a connection, and fails.  During this time,
		#  no new connections will be opened.
		#
		retry_delay = 30

		#
		#  The lifetime (in seconds) of the connection
		#
		#  NOTE: A setting of 0 means infinite (no limit).
		#
		lifetime = 86400

		#
		#  The pool is checked for free connections every
		#  "cleanup_interval".  If there are free connections,
		#  then one of them is closed.
		#
		cleanup_interval = 300

		#
		#  The idle timeout (in seconds).  A connection which is
		#  unused for this length of time will be closed.
		#
		#  NOTE: A setting of 0 means infinite (no timeout).
		#
		idle_timeout = 600

		#
		#  NOTE: All configuration settings are enforced.  If a
		#  connection is closed because of "idle_timeout",
		#  "uses", or "lifetime", then the total number of
		#  connections MAY fall below "min".  When that
		#  happens, it will open a new connection.  It will
		#  also log a WARNING message.
		#
		#  The solution is to either lower the "min" connections,
		#  or increase lifetime/idle_timeout.
		#
	}

	passchange {
		#
		#  This supports MS-CHAPv2 (not v1) password change
		#  requests.  See doc/mschap.rst for more IMPORTANT
		#  information.
		#
		#  Samba/ntlm_auth - if you are using ntlm_auth to
		#  validate passwords, you will need to use ntlm_auth
		#  to change passwords.  Uncomment the three lines
		#  below, and change the path to ntlm_auth.
		#
#		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
#		ntlm_auth_username = "username: %{mschap:User-Name}"
#		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"

		#
		#  To implement a local password change, you need to
		#  supply a string which is then expanded, so that the
		#  password can be placed somewhere.  e.g. passed to a
		#  script (exec), or written to SQL (UPDATE/INSERT).
		#  We give both examples here, but only one will be
		#  used.
		#
		#  NOTE(review): the exec example hands the new cleartext
		#  password to an external script, and the SQL example
		#  stores the new NT hash.  For MS-CHAP the NT hash is
		#  password-equivalent, so the script, its logs and the
		#  receiving table need the same protection as a cleartext
		#  password store.  Confirm that the sql xlat escapes the
		#  expanded attributes before the statement is built.
		#
#		local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
		#
#		local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
	}

	#
	#  For Apple Server, when running on the same machine as
	#  Open Directory.  It has no effect on other systems.
	#
#	use_open_directory = yes

	#
	#  On failure, set (or not) the MS-CHAP error code saying
	#  "retries allowed".
	#
	#  NOTE(review): this only tells the client that it may try
	#  again; any lockout or rate limit on repeated failures has
	#  to come from the password backend or policy elsewhere.
	#
#	allow_retry = yes

	#
	#  An optional retry message.
	#
#	retry_msg = "Re-enter (or reset) the password"
}