5
# Microsoft CHAP authentication
7
# This module supports MS-CHAP and MS-CHAPv2 authentication.
8
# It also enforces the SMB-Account-Ctrl attribute.
12
# If you are using /etc/smbpasswd, see the 'passwd'
13
# module for an example of how to use /etc/smbpasswd
15
# if use_mppe is not set to no mschap will
16
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
17
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
21
# if mppe is enabled require_encryption makes
24
#require_encryption = yes
26
# require_strong always requires 128 bit key
31
# Windows sends us a username in the form of
32
# DOMAIN\user, but sends the challenge response
33
# based on only the user portion. This hack
34
# corrects for that incorrect behavior.
36
#with_ntdomain_hack = no
38
# The module can perform authentication itself, OR
39
# use a Windows Domain Controller. This configuration
40
# directive tells the module to call the ntlm_auth
41
# program, which will do the authentication, and return
42
# the NT-Key. Note that you MUST have "winbindd" and
43
# "nmbd" running on the local machine for ntlm_auth
44
# to work. See the ntlm_auth program documentation
47
# If ntlm_auth is configured below, then the mschap
48
# module will call ntlm_auth for every MS-CHAP
49
# authentication request. If there is a cleartext
50
# or NT hashed password available, you can set
51
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
52
# and the mschap module will do the authentication itself,
53
# without calling ntlm_auth.
55
# Be VERY careful when editing the following line!
57
# You can also try setting the user name as:
59
# ... --username=%{mschap:User-Name} ...
61
# In that case, the mschap module will look at the User-Name
62
# attribute, and do prefix/suffix checks in order to obtain
63
# the "best" user name for the request.
65
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"