5 # Microsoft CHAP authentication
7 # This module supports MS-CHAP and MS-CHAPv2 authentication.
8 # It also enforces the SMB-Account-Ctrl attribute.
12 # If you are using /etc/smbpasswd, see the 'passwd'
13 # module for an example of how to use /etc/smbpasswd
15 # if use_mppe is not set to no mschap will
16 # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
17 # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
21 # if mppe is enabled require_encryption makes
24 # require_encryption = yes
26 # require_strong always requires 128 bit key
29 # require_strong = yes
31 # The module can perform authentication itself, OR
32 # use a Windows Domain Controller. This configuration
33 # directive tells the module to call the ntlm_auth
34 # program, which will do the authentication, and return
35 # the NT-Key. Note that you MUST have "winbindd" and
36 # "nmbd" running on the local machine for ntlm_auth
37 # to work. See the ntlm_auth program documentation
40 # If ntlm_auth is configured below, then the mschap
41 # module will call ntlm_auth for every MS-CHAP
42 # authentication request. If there is a cleartext
43 # or NT hashed password available, you can set
44 # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
45 # and the mschap module will do the authentication itself,
46 # without calling ntlm_auth.
48 # Be VERY careful when editing the following line!
50 # You can also try setting the user name as:
52 # ... --username=%{mschap:User-Name} ...
54 # In that case, the mschap module will look at the User-Name
55 # attribute, and do prefix/suffix checks in order to obtain
56 # the "best" user name for the request.
58 # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
60 # The default is to wait 10 seconds for ntlm_auth to
61 # complete. This is a long time, and if it's taking that
62 # long then you likely have other problems in your domain.
63 # The length of time can be decreased with the following
64 # option, which can save clients waiting if your ntlm_auth
65 # usually finishes quicker. Range 1 to 10 seconds.
67 # ntlm_auth_timeout = 10
69 # An alternative to using ntlm_auth is to connect to the
70 # winbind daemon directly for authentication. This option
71 # is likely to be faster and may be useful on busy systems,
72 # but is less well tested.
74 # Using this option requires libwbclient from Samba 4.2.1
75 # or later to be installed. Make sure that ntlm_auth above is
78 # winbind_username = "%{mschap:User-Name}"
79 # winbind_domain = "%{mschap:NT-Domain}"
81 # When using the winbind daemon directly, it is possible to
82 # force accepting MSCHAPv2 authentication. This makes it
83 # possible to authenticate to an Active Directory that uses
84 # the local security policy 'Network Security: LAN Manager
85 # authentication level' setting was changed to 'Send NTLMv2
86 # Response Only. Refuse LM & NTLM'
87 # winbind_allow_mschapv2 = no
90 # Information for the winbind connection pool. The configuration
91 # items below are the same for all modules which use the new
95 # Connections to create during module instantiation.
96 # If the server cannot create specified number of
97 # connections during instantiation it will exit.
98 # Set to 0 to allow the server to start without the
99 # winbind daemon being available.
100 start = ${thread[pool].start_servers}
102 # Minimum number of connections to keep open
103 min = ${thread[pool].min_spare_servers}
105 # Maximum number of connections
107 # If these connections are all in use and a new one
108 # is requested, the request will NOT get a connection.
110 # Setting 'max' to LESS than the number of threads means
111 # that some threads may starve, and you will see errors
112 # like 'No connections available and at max connection limit'
114 # Setting 'max' to MORE than the number of threads means
115 # that there are more connections than necessary.
116 max = ${thread[pool].max_servers}
118 # Spare connections to be left idle
120 # NOTE: Idle connections WILL be closed if "idle_timeout"
121 # is set. This should be less than or equal to "max" above.
122 spare = ${thread[pool].max_spare_servers}
124 # Number of uses before the connection is closed
129 # The number of seconds to wait after the server tries
130 # to open a connection, and fails. During this time,
131 # no new connections will be opened.
134 # The lifetime (in seconds) of the connection
136 # NOTE: A setting of 0 means infinite (no limit).
139 # The pool is checked for free connections every
140 # "cleanup_interval". If there are free connections,
141 # then one of them is closed.
142 cleanup_interval = 300
144 # The idle timeout (in seconds). A connection which is
145 # unused for this length of time will be closed.
147 # NOTE: A setting of 0 means infinite (no timeout).
150 # NOTE: All configuration settings are enforced. If a
151 # connection is closed because of "idle_timeout",
152 # "uses", or "lifetime", then the total number of
153 # connections MAY fall below "min". When that
154 # happens, it will open a new connection. It will
155 # also log a WARNING message.
157 # The solution is to either lower the "min" connections,
158 # or increase lifetime/idle_timeout.
162 # This support MS-CHAPv2 (not v1) password change
163 # requests. See doc/mschap.rst for more IMPORTANT
166 # Samba/ntlm_auth - if you are using ntlm_auth to
167 # validate passwords, you will need to use ntlm_auth
168 # to change passwords. Uncomment the three lines
169 # below, and change the path to ntlm_auth.
171 # ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
172 # ntlm_auth_username = "username: %{mschap:User-Name}"
173 # ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
175 # To implement a local password change, you need to
176 # supply a string which is then expanded, so that the
177 # password can be placed somewhere. e.g. passed to a
178 # script (exec), or written to SQL (UPDATE/INSERT).
179 # We give both examples here, but only one will be
182 # local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
184 # local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
187 # For Apple Server, when running on the same machine as
188 # Open Directory. It has no effect on other systems.
190 # use_open_directory = yes
192 # On failure, set (or not) the MS-CHAP error code saying
196 # An optional retry message.
197 # retry_msg = "Re-enter (or reset) the password"