VPN Single SignOn with Samba AD

Daniele Dario d.dario76 at gmail.com
Fri Apr 17 15:17:50 UTC 2020


Hi samba team,
these days of lockdown, I had to set up a VPN server to allow my colleagues to
work from home and I found really useful the page on your wiki so, again, thanks
to everyone for the great job you do.

My company LAN topology has 2 AD DCs + 1 domain member acting as file server + 1
domain member used to authenticate remote users logging in through SSH and now
IPSec VPN users. All machines are running samba 4.11.6.

Unfortunately the page "VPN Single SignOn with Samba AD" is not complete and I
found some troubles specially with libradiusclient-ng2 which on Ubuntu 18.04 has
been replaced by libradcli.

After some tries and searches I found that there's a ppp plugin that
authenticate against winbind and started wondering why it's not mentioned in the
wiki page.

With ppp winbind plugin I easily got a working xl2tpd server able to
authenticate using PAP.

In order to allow MS-CHAPv2 login, I found that it's needed to change the
default ntlm auth parameter in smb.conf to mschapv2-and-ntlmv2-only.

Questions:
   1. Is the use of ppp winbind plugin deprecated for some reason? (on wiki the
      proposed setup is with ppp radius plugin + freeradius)
   2. In the proposed setup with radius plugin, it's stated "Please note that if
      you installed the Samba4 on the Firewall server, then MS-CHAP/MS-CHAPv2
      authentication will not work". What does this mean?
   3. If I use ppp winbind plugin with PAP there's no need to change "ntlm auth"
      default value so I have the perception that this is preferable than CHAP or
      MS-CHAPv[1,2]. On the other hand I thougt [MS-]CHAP[vX] is better than PAP
      so: which is your advice?
   4. If I change "ntlm auth", do I have to change it on DCs and on domain member
      that runs winbind used to authenticate VPN logins or only on the latter? How
      much does this change(s) affect security? 

Thanks in advance for your help,
Daniele.




More information about the samba-technical mailing list