Привет всем!
Настраиваю связку xl2tpd+winbindd.Версии ПО:
CentOS release 6.5 (Final)
xl2tpd.i686 1.3.1-7.el6
ppp.i686 2.4.5-5.el6
samba-winbind.i686 3.6.9-167.el6_5
Авторизация по "/etc/ppp/chap-secrets" работает.
#wbinfo -u
#wbinfo -g
показывают пользователей и группы.
#ntlm_auth --username testuser
password: *****
NT_STATUS_OK: Success (0x0)
Однако, при подключении к vpn доменного пользователя авторизовать отказывается.
Привожу логи, ниже будут конфиги.
/var/log/messages
===============================================================================
Jan 20 19:58:28 vpn-srv xl2tpd[7867]: Connection established to 10.0.0.10, 1701. Local: 4757, Remote: 44 (ref=0/0). LNS session is 'default'
Jan 20 19:58:28 vpn-srv xl2tpd[7867]: Call established with 10.0.0.10, Local: 29152, Remote: 1, Serial: 0
Jan 20 19:58:28 vpn-srv pppd[8144]: Warning: can't open options file /root/.ppprc: Permission denied
Jan 20 19:58:28 vpn-srv pppd[8144]: Plugin winbind.so loaded.
Jan 20 19:58:28 vpn-srv pppd[8144]: WINBIND plugin initialized.
Jan 20 19:58:28 vpn-srv pppd[8144]: pppd options in effect:
Jan 20 19:58:28 vpn-srv pppd[8144]: debug debug#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: nodetach#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: logfile /var/log/xl2tpd.log#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: dump#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: plugin winbind.so#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: auth#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: refuse-pap#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: refuse-chap#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: name l2tp#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: remotenumber 10.0.0.10#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: ntlm_auth-helper xxx # [don't know how to print value]#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: /dev/pts/1#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: lock#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: mru 1280#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: mtu 1280#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: passive#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: novj#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: novjccomp#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: ms-dns xxx # [don't know how to print value]#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: 10.0.15.2:10.0.15.11#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: nobsdcomp#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: pppd 2.4.5 started by user1, uid 0
Jan 20 19:58:28 vpn-srv pppd[8144]: Using interface ppp0
Jan 20 19:58:28 vpn-srv pppd[8144]: Connect: ppp0 <--> /dev/pts/1
Jan 20 19:58:30 vpn-srv pppd[8144]: Peer testuser failed CHAP authentication
Jan 20 19:58:30 vpn-srv pppd[8144]: Connection terminated.
Jan 20 19:58:30 vpn-srv pppd[8144]: Exit.
Jan 20 19:58:30 vpn-srv xl2tpd[7867]: call_close: Call 29152 to 10.0.0.10 disconnected
Jan 20 19:58:30 vpn-srv xl2tpd[7867]: control_finish: Connection closed to 10.0.0.10, port 1701 (), Local: 4757, Remote: 44
===============================================================================
/var/log/xl2tpd
===============================================================================
Plugin winbind.so loaded.
WINBIND plugin initialized.
pppd options in effect:
debug debug # (from /etc/ppp/options.xl2tpd)
nodetach # (from command line)
logfile /var/log/xl2tpd.log # (from /etc/ppp/options.xl2tpd)
dump # (from /etc/ppp/options.xl2tpd)
plugin winbind.so # (from /etc/ppp/options.xl2tpd)
auth # (from /etc/ppp/options.xl2tpd)
refuse-pap # (from command line)
refuse-chap # (from command line)
name l2tp # (from /etc/ppp/options.xl2tpd)
remotenumber 10.0.0.10 # (from command line)
ntlm_auth-helper xxx # [don't know how to print value] # (from /etc/ppp/options.xl2tpd)
/dev/pts/1 # (from command line)
lock # (from /etc/ppp/options.xl2tpd)
mru 1280 # (from /etc/ppp/options.xl2tpd)
mtu 1280 # (from /etc/ppp/options.xl2tpd)
passive # (from command line)
novj # (from /etc/ppp/options.xl2tpd)
novjccomp # (from /etc/ppp/options.xl2tpd)
ms-dns xxx # [don't know how to print value] # (from /etc/ppp/options.xl2tpd)
10.0.15.2:10.0.15.11 # (from command line)
nobsdcomp # (from /etc/ppp/options.xl2tpd)
using channel 57
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <mru 1280> <asyncmap 0x0> <auth chap MS-v2> <magic 0x29f76916> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <mru 1280> <asyncmap 0x0> <auth chap MS-v2> <magic 0x29f76916> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x1a692fac> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x1a692fac> <pcomp> <accomp>]
sent [CHAP Challenge id=0x63 <1e34fdbcf7fc791996361a977c0d2029>, name = "l2tp"]
rcvd [CHAP Response id=0x63 <5af73019800ac16a024fdcd2c97c50c50000000000000000fcb8fce6da74104b94d22f3804f417193350d2f271a550c600>, name = "testuser"]
Peer testuser failed CHAP authentication
sent [CHAP Failure id=0x63 "E=691 R=1 C=1e34fdbcf7fc791996361a977c0d2029 V=0 M=Access denied"]
sent [LCP TermReq id=0x2 "Authentication failed"]
rcvd [LCP TermAck id=0x2 "Authentication failed"]
Connection terminated.
===============================================================================
Конфиги.
/etc/samba/smb.conf
===============================================================================
[global]
workgroup = DOMAIN1
realm = DOMAIN1.LOCAL
netbios name = vpn-srv
server string = %h server (Samba %v, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
domain master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
#winbind use default domain = yes
winbind separator = +
===============================================================================
/etc/xl2tpd/xl2tpd.conf
===============================================================================
[global]
ipsec saref = yes
listen-addr = 10.0.15.2
[lns default]
ip range = 10.0.15.11-10.0.15.240
local ip = 10.0.15.2
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
===============================================================================
/etc/ppp/options.xl2tpd
===============================================================================
name l2tp
require-mschap-v2
mru 1280
mtu 1280
#require-mppe-128
ms-dns 10.0.0.99
logfile /var/log/xl2tpd.log
auth
debug
dump
lock
nobsdcomp
novj
novjccomp
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=DOMAIN1+vpn_users"
===============================================================================
Настраивал по следующему ману: http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth...
Также, ознакомился с обсуждением здесь на opennet: http://www.opennet.dev/openforum/vsluhforumID10/4896.html
Тамошнее решение, к сожалению, не прокатило.
Если что-то забыл из конфигов приложить - указывайте.
Помогайте, други, у меня идеи закончились.