About

PPTP VPN users can be authenticated against Samba accounts using the smbpasswd RADIUS module. The tutorial focuses on Debian but should be similar for all Debian-based distributions.

Configuring FreeRADIUS

First install FreeRADIUS together with the radiusclient1 package, which will be used to authenticate the pptp users:

aptitude install freeradius radiusclient1

Next, radiusclient must be configured to authenticate to the RADIUS server. In this case, the RADIUS server is on the same host. We edit /etc/radiusclient/servers to add the RADIUS server:

# Make sure that this file is mode 600 (readable only to owner)!
#
#Server Name or Client/Server pair              Key
#----------------                               ---------------
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone

HOSTNAME       SECRET

where HOSTNAME is the hostname of the RADIUS server and SECRET is the secret defined in /etc/freeradius/clients.conf.

Now, we configure FreeRADIUS by editing /etc/freeradius/clients.conf and adding the secret:

client HOSTNAME {
    ...
    ipaddr = 127.0.0.1
    secret = SECRET
    ...
}

where HOSTNAME is the hostname configured for radiusclient previously.

Then, enable the smbpasswd module in sites-enabled/default. Note that on Debian this is called etc_smbpasswd but should be named smbpasswd instead:

authorize {
    ...
    # renamed from etc_smbpasswd to smbpasswd
    smbpasswd
    ...
}

The next step is to configure the smbpasswd module, which can be found in /etc/freeradius/modules/smbpasswd, so that it points to the Samba password file:

passwd smbpasswd {
    ...
    filename = /etc/samba/smbpasswd
    ...
}

Configuring Samba

Samba should be configured to use the smbpasswd password backend instead of the default tdbsam backend. This can be done by editing /etc/samba/smb.conf:

   ...
   passdb backend = smbpasswd
   ...

Also remember to set permissions on /etc/samba/smbpasswd appropriately so that FreeRADIUS can read it:

chown root:freerad /etc/samba/smbpasswd

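This assumes that the FreeRADIUS group name is freerad. Since chown only changes ownership, the file mode must also grant read access to that group; the file holds password hashes and should stay inaccessible to other users.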

Configuring PPTP

Finally, pptp must have two plugins enabled, radius.so and radattr.so. A good configuration file is something like the following:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 172.16.2.1
ms-wins 172.16.2.1
proxyarp
nodefaultroute
lock
nobsdcomp 
plugin radius.so
plugin radattr.so
lcp-echo-failure 10
lcp-echo-interval 60

Note that this configuration refuses PAP, CHAP and MS-CHAP, requires MS-CHAPv2 for authentication, and additionally requires 128-bit MPPE encryption.

Finalizing

Now that everything is set up, we can restart the services:

service samba restart
service freeradius restart
service pptpd restart

to pick up all the changes.
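
A check of the settings this tutorial relies on, as an added example that is not part of the original page: it verifies that the pptpd options still refuse the weaker authentication methods and require MS-CHAPv2 with 128-bit MPPE, that the radiusclient servers file is owner-only, and that smbpasswd is group-readable without world access. The function names are hypothetical, and the path of the pptpd options file is an assumption that is passed as an argument.

```shell
#!/bin/sh
# Added example: audit the files this tutorial edits (or copies of them).
# The pptpd options file path is an assumption; pass the real one as an argument.

# has_option FILE OPTION: true if OPTION is present as an uncommented directive.
has_option() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_pptp_options FILE: print each directive from the tutorial that is
# missing or commented out; return 1 if any is missing.
audit_pptp_options() {
    rc=0
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 \
               require-mppe-128 "plugin radius.so" "plugin radattr.so"; do
        if ! has_option "$1" "$opt"; then
            echo "MISSING: $opt"
            rc=1
        fi
    done
    return "$rc"
}

# perms FILE: symbolic mode string such as -rw-r-----
perms() { ls -ld "$1" | cut -c1-10; }

# owner_only FILE: true if group and others have no access (mode 600 or stricter).
owner_only() {
    case "$(perms "$1")" in ????------) return 0 ;; *) return 1 ;; esac
}

# group_read_no_world FILE: true if the group can read and others have no access.
group_read_no_world() {
    case "$(perms "$1")" in ????r??---) return 0 ;; *) return 1 ;; esac
}

# audit_all PPTP_OPTIONS SERVERS SMBPASSWD: run every check, return 1 on any failure.
audit_all() {
    fail=0
    audit_pptp_options "$1" || fail=1
    owner_only "$2" || { echo "FAIL: $2 is not owner-only"; fail=1; }
    group_read_no_world "$3" || { echo "FAIL: $3 needs group read, no world access"; fail=1; }
    return "$fail"
}

# Usage: sh audit.sh PPTP_OPTIONS /etc/radiusclient/servers /etc/samba/smbpasswd
if [ "$#" -eq 3 ]; then
    audit_all "$1" "$2" "$3"
fi
```

The check only inspects the mode bits; confirming that the group owner of smbpasswd is the FreeRADIUS group (freerad in this tutorial) is left to ls -l.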


networking/pptp/authenticate_users_to_samba_with_radius.txt · Last modified: 2022/04/19 08:27 by 127.0.0.1
