The OpenNET Project / Index page

"xl2tpd/openswan + winbindd + AD (windows2008)"
Forum: Information Security (Authorization and authentication / Linux)
Original message

"xl2tpd/openswan + winbindd + AD (windows2008)"
Message from doutside on 20-Jan-14, 20:37
Hello everyone!
I am setting up an xl2tpd + winbindd combination.

Software versions:
CentOS release 6.5 (Final)
xl2tpd.i686 1.3.1-7.el6
ppp.i686 2.4.5-5.el6
samba-winbind.i686 3.6.9-167.el6_5

Authentication via "/etc/ppp/chap-secrets" works.
#wbinfo -u
#wbinfo -g
show the users and groups.

#ntlm_auth --username testuser
password: *****
NT_STATUS_OK: Success (0x0)

However, when a domain user connects to the VPN, it refuses to authenticate them.
Here are the logs; the configs are below.

/var/log/messages
===============================================================================
Jan 20 19:58:28 vpn-srv xl2tpd[7867]: Connection established to 10.0.0.10, 1701.  Local: 4757, Remote: 44 (ref=0/0).  LNS session is 'default'
Jan 20 19:58:28 vpn-srv xl2tpd[7867]: Call established with 10.0.0.10, Local: 29152, Remote: 1, Serial: 0
Jan 20 19:58:28 vpn-srv pppd[8144]: Warning: can't open options file /root/.ppprc: Permission denied
Jan 20 19:58:28 vpn-srv pppd[8144]: Plugin winbind.so loaded.
Jan 20 19:58:28 vpn-srv pppd[8144]: WINBIND plugin initialized.
Jan 20 19:58:28 vpn-srv pppd[8144]: pppd options in effect:
Jan 20 19:58:28 vpn-srv pppd[8144]: debug debug#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: nodetach#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: logfile /var/log/xl2tpd.log#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: dump#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: plugin winbind.so#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: auth#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: refuse-pap#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: refuse-chap#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: name l2tp#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: remotenumber 10.0.0.10#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: ntlm_auth-helper xxx # [don't know how to print value]#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: /dev/pts/1#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: lock#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: mru 1280#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: mtu 1280#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: passive#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: novj#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: novjccomp#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: ms-dns xxx # [don't know how to print value]#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: 10.0.15.2:10.0.15.11#011#011# (from command line)
Jan 20 19:58:28 vpn-srv pppd[8144]: nobsdcomp#011#011# (from /etc/ppp/options.xl2tpd)
Jan 20 19:58:28 vpn-srv pppd[8144]: pppd 2.4.5 started by user1, uid 0
Jan 20 19:58:28 vpn-srv pppd[8144]: Using interface ppp0
Jan 20 19:58:28 vpn-srv pppd[8144]: Connect: ppp0 <--> /dev/pts/1
Jan 20 19:58:30 vpn-srv pppd[8144]: Peer testuser failed CHAP authentication
Jan 20 19:58:30 vpn-srv pppd[8144]: Connection terminated.
Jan 20 19:58:30 vpn-srv pppd[8144]: Exit.
Jan 20 19:58:30 vpn-srv xl2tpd[7867]: call_close: Call 29152 to 10.0.0.10 disconnected
Jan 20 19:58:30 vpn-srv xl2tpd[7867]: control_finish: Connection closed to 10.0.0.10, port 1701 (), Local: 4757, Remote: 44
===============================================================================

/var/log/xl2tpd
===============================================================================
Plugin winbind.so loaded.
WINBIND plugin initialized.
pppd options in effect:
debug debug             # (from /etc/ppp/options.xl2tpd)
nodetach                # (from command line)
logfile /var/log/xl2tpd.log             # (from /etc/ppp/options.xl2tpd)
dump            # (from /etc/ppp/options.xl2tpd)
plugin winbind.so               # (from /etc/ppp/options.xl2tpd)
auth            # (from /etc/ppp/options.xl2tpd)
refuse-pap              # (from command line)
refuse-chap             # (from command line)
name l2tp               # (from /etc/ppp/options.xl2tpd)
remotenumber 10.0.0.10          # (from command line)
ntlm_auth-helper xxx # [don't know how to print value]          # (from /etc/ppp/options.xl2tpd)
/dev/pts/1              # (from command line)
lock            # (from /etc/ppp/options.xl2tpd)
mru 1280                # (from /etc/ppp/options.xl2tpd)
mtu 1280                # (from /etc/ppp/options.xl2tpd)
passive         # (from command line)
novj            # (from /etc/ppp/options.xl2tpd)
novjccomp               # (from /etc/ppp/options.xl2tpd)
ms-dns xxx # [don't know how to print value]            # (from /etc/ppp/options.xl2tpd)
10.0.15.2:10.0.15.11          # (from command line)
nobsdcomp               # (from /etc/ppp/options.xl2tpd)
using channel 57
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <mru 1280> <asyncmap 0x0> <auth chap MS-v2> <magic 0x29f76916> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <mru 1280> <asyncmap 0x0> <auth chap MS-v2> <magic 0x29f76916> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x1a692fac> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x1a692fac> <pcomp> <accomp>]
sent [CHAP Challenge id=0x63 <1e34fdbcf7fc791996361a977c0d2029>, name = "l2tp"]
rcvd [CHAP Response id=0x63 <5af73019800ac16a024fdcd2c97c50c50000000000000000fcb8fce6da74104b94d22f3804f417193350d2f271a550c600>, name = "testuser"]
Peer testuser failed CHAP authentication
sent [CHAP Failure id=0x63 "E=691 R=1 C=1e34fdbcf7fc791996361a977c0d2029 V=0 M=Access denied"]
sent [LCP TermReq id=0x2 "Authentication failed"]
rcvd [LCP TermAck id=0x2 "Authentication failed"]
Connection terminated.
===============================================================================

Configs.

/etc/samba/smb.conf
===============================================================================
[global]
workgroup = DOMAIN1
realm = DOMAIN1.LOCAL
netbios name = vpn-srv
server string = %h server (Samba %v, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
domain master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
#winbind use default domain = yes
winbind separator = +
===============================================================================

/etc/xl2tpd/xl2tpd.conf
===============================================================================
[global]
ipsec saref = yes
listen-addr = 10.0.15.2

[lns default]
ip range = 10.0.15.11-10.0.15.240
local ip = 10.0.15.2
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
===============================================================================

/etc/ppp/options.xl2tpd
===============================================================================
name l2tp
require-mschap-v2
mru 1280
mtu 1280
#require-mppe-128
ms-dns 10.0.0.99
logfile /var/log/xl2tpd.log
auth
debug
dump
lock
nobsdcomp
novj
novjccomp
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=DOMAIN1+vpn_users"
===============================================================================


I set it up following this guide: http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth...

I also read the discussion here on opennet: https://www.opennet.ru/openforum/vsluhforumID10/4896.html
Unfortunately, the solution given there did not work.

If I forgot to attach any of the configs, let me know.
Help me out, friends, I am out of ideas.




1. "xl2tpd/openswan + winbindd + AD (windows2008)"
Message from doutside on 21-Jan-14, 19:23
Solved by disabling SELinux.
Leaving the thread here for posterity.
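The reply above clears the failure by switching SELinux off entirely. As an added example (not from the thread and not part of any of the projects involved), the shell script below pulls the AVC denials raised on the pppd / ntlm_auth / winbindd path out of an audit log, so that the single rule at fault can be identified and the policy kept enforcing. The audit lines embedded in it are constructed for illustration, and the SELinux types they name (pppd_t, winbind_t, admin_home_t) are assumptions about the RHEL 6 targeted policy rather than values taken from the post; the "can't open options file /root/.ppprc: Permission denied" that pppd reports in the log while running as uid 0 is the kind of symptom such a label-based denial produces.

```shell
#!/bin/sh
# Added example (not from the thread): list the SELinux AVC denials that hit
# the pppd / ntlm_auth / winbindd authentication path, so the offending rule
# can be found instead of disabling SELinux altogether.
#
# Usage: sh ppp_avc_check.sh [/var/log/audit/audit.log]
# With no argument a CONSTRUCTED sample log is used. The contexts in that
# sample (pppd_t, winbind_t, admin_home_t, ...) are assumptions about the
# RHEL 6 targeted policy, not values taken from the original post.

# Write a constructed audit log to the path given as $1.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1390238308.101:4321): avc:  denied  { connectto } for  pid=8144 comm="ntlm_auth" path="/var/run/winbindd/pipe" scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1390238308.101:4321): arch=40000003 syscall=102 success=no exit=-13 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:system_r:pppd_t:s0
type=AVC msg=audit(1390238308.102:4322): avc:  denied  { read } for  pid=8144 comm="pppd" name=".ppprc" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:pppd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1390238309.500:4323): avc:  denied  { write } for  pid=2222 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Reduce every AVC denial in the audit log $1 to one record:
#   <comm> <permission(s)> <scontext> <tcontext> <tclass>
avc_denials() {
    grep '^type=AVC ' "$1" | grep 'denied' |
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *} for .*comm="\([^"]*\)".*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \3 \4 \5/p'
}

# Keep only the denials raised by the processes involved in L2TP/PPP
# authentication against winbind.
ppp_avc_denials() {
    avc_denials "$1" | grep -E '^(pppd|ntlm_auth|winbindd) ' || true
}

# Number of such denials; 0 means SELinux is not what blocks the CHAP step.
ppp_avc_denial_count() {
    ppp_avc_denials "$1" | grep -c .
}

if [ -n "$1" ]; then
    log="$1"
else
    log=$(mktemp)
    write_sample_audit_log "$log"
fi

if [ "$(ppp_avc_denial_count "$log")" -eq 0 ]; then
    echo "no AVC denials for pppd/ntlm_auth/winbindd in $log"
else
    echo "AVC denials on the PPP authentication path (comm perm scontext tcontext tclass):"
    ppp_avc_denials "$log"
fi

[ -n "$1" ] || rm -f "$log"
```

Run it on the VPN server as `sh ppp_avc_check.sh /var/log/audit/audit.log` right after a failed connection attempt; without an argument it exercises the constructed sample. The records it prints are exactly what `audit2allow -a` (or `audit2allow -i <file>` on a saved copy) turns into a small local module, which permits only the observed access and leaves the rest of the policy enforcing.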
