About

Users connecting to a pptp VPN can be authenticated against the Samba password file using the smbpasswd RADIUS module. The tutorial focuses on Debian but should be similar for all Debian-based distributions.

Configuring FreeRADIUS

First install FreeRADIUS together with the radiusclient1 package, which will be used to authenticate the pptp users:

aptitude install freeradius radiusclient1

Next, radiusclient must be configured to authenticate to the RADIUS server. In this case, the RADIUS server is on the same host. We edit /etc/radiusclient/servers to add the RADIUS server:

# Make sure that this file is mode 600 (readable only to owner)!
#
#Server Name or Client/Server pair              Key
#----------------                               ---------------
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone

HOSTNAME       SECRET

where HOSTNAME is the hostname of the RADIUS server and SECRET is the secret defined in /etc/freeradius/clients.conf.

Now, we configure FreeRADIUS by editing /etc/freeradius/clients.conf and adding the secret:

client HOSTNAME {
    ...
    ipaddr = 127.0.0.1
    secret = SECRET
    ...
}

where HOSTNAME is the hostname configured for radiusclient previously.

Then, enable the smbpasswd module in sites-enabled/default. Note that on Debian the entry is called etc_smbpasswd, but it should be named smbpasswd instead:

authorize {
    ...
    # renamed from etc_smbpasswd to smbpasswd
    smbpasswd
    ...
}

The next step is to configure the smbpasswd module, which can be found in /etc/freeradius/modules/smbpasswd, so that it points to the Samba password file:

passwd smbpasswd {
    ...
    filename = /etc/samba/smbpasswd
    ...
}

Configuring Samba

Samba should be configured to use the smbpasswd password backend instead of the default tdbsam backend. This can be done by editing /etc/samba/smb.conf:

   ...
   passdb backend = smbpasswd
   ...

Also remember to set permissions on /etc/samba/smbpasswd appropriately so that FreeRADIUS can read it:

chown root:freerad /etc/samba/smbpasswd

This assumes that the FreeRADIUS group name is freerad.
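Both /etc/radiusclient/servers (mode 600, as its header comment demands) and /etc/samba/smbpasswd (group freerad must be able to read it) hold secrets, so their permissions are worth checking after the changes above. The script below is an added example, not part of the original tutorial; the function names are hypothetical and the 640 ceiling for smbpasswd is an assumption (owner read/write, group read, nothing for others).

```shell
#!/bin/sh
# Added example: audit the permissions of the secret-bearing files.
# Relies on GNU stat (-c), as shipped on Debian.

# audit_secret_file FILE MAX_MODE [GROUP]
# Returns 0 when FILE has no permission bits beyond MAX_MODE (octal) and,
# if GROUP is given, is group-owned by GROUP with group read set.
audit_secret_file() {
    f=$1; max=$2; grp=${3:-}
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    # Bits set in the file's mode but absent from the allowed maximum.
    excess=$(( 0$mode & ~0$max & 07777 ))
    if [ "$excess" -ne 0 ]; then
        echo "TOO OPEN $f (mode $mode, at most $max expected)"
        return 1
    fi
    if [ -n "$grp" ]; then
        if [ "$(stat -c '%G' "$f")" != "$grp" ]; then
            echo "GROUP    $f (expected group $grp)"
            return 1
        fi
        if [ $(( 0$mode & 040 )) -eq 0 ]; then
            echo "NO READ  $f (group $grp cannot read it)"
            return 1
        fi
    fi
    echo "OK       $f (mode $mode)"
}

# Paths and the freerad group come from the tutorial; 640 is an assumption.
audit_all() {
    rc=0
    audit_secret_file /etc/radiusclient/servers 600 || rc=1
    audit_secret_file /etc/samba/smbpasswd 640 freerad || rc=1
    return $rc
}

if [ "${1:-}" = "--run" ]; then audit_all; fi
```

Invoke the script with --run as root to check the live files; a non-zero exit status means at least one file needs attention.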

Configuring PPTP

Finally, pptp must have two modules enabled, radius.so and radattr.so. A good configuration file is something like the following:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 172.16.2.1
ms-wins 172.16.2.1
proxyarp
nodefaultroute
lock
nobsdcomp 
plugin radius.so
plugin radattr.so
lcp-echo-failure 10
lcp-echo-interval 60

Note that this configuration accepts only MS-CHAPv2 authentication and additionally requires 128-bit MPPE encryption.

Finalizing

Now that everything is set up, we can restart the services:

service samba restart
service freeradius restart
service pptpd restart

to pick up all the changes.