# -*- text -*-
#
#  $Id: 6608b7d3e4d89b33e717f1e071e1ced9dda2746e $

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
	#
	#  If you are using /etc/smbpasswd, see the 'passwd'
	#  module for an example of how to use /etc/smbpasswd

	# if use_mppe is not set to no mschap will
	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
	#
#	use_mppe = no

	# if mppe is enabled require_encryption makes
	# encryption moderate
	#
#	require_encryption = yes

	# require_strong always requires 128 bit key
	# encryption
	#
#	require_strong = yes

	# The module can perform authentication itself, OR
	# use a Windows Domain Controller.  This configuration
	# directive tells the module to call the ntlm_auth
	# program, which will do the authentication, and return
	# the NT-Key.  Note that you MUST have "winbindd" and
	# "nmbd" running on the local machine for ntlm_auth
	# to work.  See the ntlm_auth program documentation
	# for details.
	#
	# If ntlm_auth is configured below, then the mschap
	# module will call ntlm_auth for every MS-CHAP
	# authentication request.  If there is a cleartext
	# or NT hashed password available, you can set
	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
	# and the mschap module will do the authentication itself,
	# without calling ntlm_auth.
	#
	# Be VERY careful when editing the following line!
	#
	# You can also try setting the user name as:
	#
	#	... --username=%{mschap:User-Name} ...
	#
	# In that case, the mschap module will look at the User-Name
	# attribute, and do prefix/suffix checks in order to obtain
	# the "best" user name for the request.
	#
#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# The default is to wait 10 seconds for ntlm_auth to
	# complete.  This is a long time, and if it's taking that
	# long then you likely have other problems in your domain.
	# The length of time can be decreased with the following
	# option, which can save clients waiting if your ntlm_auth
	# usually finishes quicker. Range 1 to 10 seconds.
	#
#	ntlm_auth_timeout = 10

	# An alternative to using ntlm_auth is to connect to the
	# winbind daemon directly for authentication. This option
	# is likely to be faster and may be useful on busy systems,
	# but is less well tested.
	#
	# Using this option requires libwbclient from Samba 4.2.1
	# or later to be installed. Make sure that ntlm_auth above is
	# commented out.
	#
#	winbind_username = "%{mschap:User-Name}"
#	winbind_domain = "%{mschap:NT-Domain}"

	#
	#  Information for the winbind connection pool.  The configuration
	#  items below are the same for all modules which use the new
	#  connection pool.
	#
	pool {
		# Number of connections to start
		start = ${thread[pool].start_servers}

		# Minimum number of connections to keep open
		min = ${thread[pool].min_spare_servers}

		# Maximum number of connections
		#
		# If these connections are all in use and a new one
		# is requested, the request will NOT get a connection.
		#
		# NOTE: This should be greater than or equal to "min" above.
		max = ${thread[pool].max_servers}

		# Spare connections to be left idle
		#
		# NOTE: Idle connections WILL be closed if "idle_timeout"
		# is set.  This should be less than or equal to "max" above.
		spare = ${thread[pool].max_spare_servers}

		# Number of uses before the connection is closed
		#
		# NOTE: A setting of 0 means infinite (no limit).
		uses = 0

		# The lifetime (in seconds) of the connection
		#
		# NOTE: A setting of 0 means infinite (no limit).
		lifetime = 86400

		# The pool is checked for free connections every
		# "cleanup_interval".  If there are free connections,
		# then one of them is closed.
		cleanup_interval = 300

		# The idle timeout (in seconds).  A connection which is
		# unused for this length of time will be closed.
		#
		# NOTE: A setting of 0 means infinite (no timeout).
		idle_timeout = 600

		# NOTE: All configuration settings are enforced.  If a
		# connection is closed because of "idle_timeout",
		# "uses", or "lifetime", then the total number of
		# connections MAY fall below "min".  When that
		# happens, it will open a new connection.  It will
		# also log a WARNING message.
		#
		# The solution is to either lower the "min" connections,
		# or increase lifetime/idle_timeout.
	}

	passchange {
		# This support MS-CHAPv2 (not v1) password change
		# requests.  See doc/mschap.rst for more IMPORTANT
		# information.
		#
		# Samba/ntlm_auth - if you are using ntlm_auth to
		# validate passwords, you will need to use ntlm_auth
		# to change passwords.  Uncomment the three lines
		# below, and change the path to ntlm_auth.
		#
#		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
#		ntlm_auth_username = "username: %{mschap:User-Name}"
#		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"

		# To implement a local password change, you need to
		# supply a string which is then expanded, so that the
		# password can be placed somewhere.  e.g. passed to a
		# script (exec), or written to SQL (UPDATE/INSERT).
		# We give both examples here, but only one will be
		# used.
		#
#		local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
		#
#		local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
	}

	# For Apple Server, when running on the same machine as
	# Open Directory.  It has no effect on other systems.
	#
#	use_open_directory = yes

	# On failure, set (or not) the MS-CHAP error code saying
	# "retries allowed".
#	allow_retry = yes

	# An optional retry message.
#	retry_msg = "Re-enter (or reset) the password"
}
