Rev 4 | Blame | Compare with Previous | Last modification | View Log | RSS feed
# -*- text -*-## $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $# Microsoft CHAP authentication## This module supports MS-CHAP and MS-CHAPv2 authentication.# It also enforces the SMB-Account-Ctrl attribute.#mschap {## If you are using /etc/smbpasswd, see the 'passwd'# module for an example of how to use /etc/smbpasswd# if use_mppe is not set to no mschap will# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2## use_mppe = no# if mppe is enabled require_encryption makes# encryption moderate## require_encryption = yes# require_strong always requires 128 bit key# encryption## require_strong = yes# Windows sends us a username in the form of# DOMAIN\user, but sends the challenge response# based on only the user portion. This hack# corrects for that incorrect behavior.## with_ntdomain_hack = no# The module can perform authentication itself, OR# use a Windows Domain Controller. This configuration# directive tells the module to call the ntlm_auth# program, which will do the authentication, and return# the NT-Key. Note that you MUST have "winbindd" and# "nmbd" running on the local machine for ntlm_auth# to work. See the ntlm_auth program documentation# for details.## If ntlm_auth is configured below, then the mschap# module will call ntlm_auth for every MS-CHAP# authentication request. If there is a cleartext# or NT hashed password available, you can set# "MS-CHAP-Use-NTLM-Auth := No" in the control items,# and the mschap module will do the authentication itself,# without calling ntlm_auth.## Be VERY careful when editing the following line!## You can also try setting the user name as:## ... --username=%{mschap:User-Name} ...## In that case, the mschap module will look at the User-Name# attribute, and do prefix/suffix checks in order to obtain# the "best" user name for the request.## ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"# The default is to wait 10 seconds for ntlm_auth to# complete. This is a long time, and if it's taking that# long then you likely have other problems in your domain.# The length of time can be decreased with the following# option, which can save clients waiting if your ntlm_auth# usually finishes quicker. Range 1 to 10 seconds.## ntlm_auth_timeout = 10# For Apple Server, when running on the same machine as# Open Directory. It has no effect on other systems.## use_open_directory = yes# On failure, set (or not) the MS-CHAP error code saying# "retries allowed".# allow_retry = yes# An optional retry message.# retry_msg = "Re-enter (or reset) the password"}