5 # Microsoft CHAP authentication
7 # This module supports MS-CHAP and MS-CHAPv2 authentication.
8 # It also enforces the SMB-Account-Ctrl attribute.
12 # If you are using /etc/smbpasswd, see the 'passwd'
13 # module for an example of how to use /etc/smbpasswd
15 # if use_mppe is not set to no mschap will
16 # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
17 # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
21 # if mppe is enabled require_encryption makes
24 # require_encryption = yes
26 # require_strong always requires 128 bit key
29 # require_strong = yes
31 # Windows sends us a username in the form of
32 # DOMAIN\user, but sends the challenge response
33 # based on only the user portion. This hack
34 # corrects for that incorrect behavior.
36 # with_ntdomain_hack = no
38 # The module can perform authentication itself, OR
39 # use a Windows Domain Controller. This configuration
40 # directive tells the module to call the ntlm_auth
41 # program, which will do the authentication, and return
42 # the NT-Key. Note that you MUST have "winbindd" and
43 # "nmbd" running on the local machine for ntlm_auth
44 # to work. See the ntlm_auth program documentation
47 # If ntlm_auth is configured below, then the mschap
48 # module will call ntlm_auth for every MS-CHAP
49 # authentication request. If there is a cleartext
50 # or NT hashed password available, you can set
51 # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
52 # and the mschap module will do the authentication itself,
53 # without calling ntlm_auth.
55 # Be VERY careful when editing the following line!
57 # You can also try setting the user name as:
59 # ... --username=%{mschap:User-Name} ...
61 # In that case, the mschap module will look at the User-Name
62 # attribute, and do prefix/suffix checks in order to obtain
63 # the "best" user name for the request.
65 # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
68 # This support MS-CHAPv2 (not v1) password change
69 # requests. See doc/mschap.rst for more IMPORTANT
72 # Samba/ntlm_auth - if you are using ntlm_auth to
73 # validate passwords, you will need to use ntlm_auth
74 # to change passwords. Uncomment the three lines
75 # below, and change the path to ntlm_auth.
77 # ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
78 # ntlm_auth_username = "username: %{mschap:User-Name}"
79 # ntlm_auth_domain = "username: %{mschap:NT-Domain}"
81 # To implement a local password change, you need to
82 # supply a string which is then expanded, so that the
83 # password can be placed somewhere. e.g. passed to a
84 # script (exec), or written to SQL (UPDATE/INSERT).
85 # We give both examples here, but only one will be
88 # local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
90 # local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
93 # For Apple Server, when running on the same machine as
94 # Open Directory. It has no effect on other systems.
96 # use_open_directory = yes
98 # On failure, set (or not) the MS-CHAP error code saying
102 # An optional retry message.
103 # retry_msg = "Re-enter (or reset) the password"