VPN Single SignOn with Samba AD
d.dario76 at gmail.com
Fri Apr 17 15:17:50 UTC 2020
Hi samba team,
During these days of lockdown, I had to set up a VPN server to allow my colleagues to
work from home, and I found the page on your wiki really useful, so, again, thanks
to everyone for the great job you do.
My company LAN topology has 2 AD DCs + 1 domain member acting as a file server + 1
domain member used to authenticate remote users logging in through SSH and now
IPSec VPN users. All machines are running samba 4.11.6.
Unfortunately the page "VPN Single SignOn with Samba AD" is not complete, and I
ran into some trouble, especially with libradiusclient-ng2, which on Ubuntu 18.04 has
been replaced by libradcli.
After some attempts and searches I found that there's a ppp plugin that
authenticates against winbind and started wondering why it's not mentioned in the
With the ppp winbind plugin I easily got a working xl2tpd server able to
authenticate using PAP.
In order to allow MS-CHAPv2 login, I found that it's necessary to change the
default "ntlm auth" parameter in smb.conf to mschapv2-and-ntlmv2-only.
1. Is the use of the ppp winbind plugin deprecated for some reason? (On the wiki the
proposed setup is with the ppp radius plugin + freeradius.)
2. In the proposed setup with the radius plugin, it's stated "Please note that if
you installed the Samba4 on the Firewall server, then MS-CHAP/MS-CHAPv2
authentication will not work". What does this mean?
3. If I use the ppp winbind plugin with PAP there's no need to change the "ntlm auth"
default value, so I have the perception that this is preferable to CHAP or
MS-CHAPv[1,2]. On the other hand I thought [MS-]CHAP[vX] is better than PAP,
so: which is your advice?
4. If I change "ntlm auth", do I have to change it on the DCs and on the domain member
that runs winbind used to authenticate VPN logins, or only on the latter? How
much do these changes affect security?
Thanks in advance for your help,
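The smb.conf change the post describes, written out as an added example for the domain member that runs winbind and terminates the VPN logins (this is not the poster's or the Samba wiki's configuration; workgroup and realm are placeholders, and whether the DCs also need the setting is the poster's open question 4, not settled here):

```ini
# smb.conf fragment for the winbind domain member used for VPN logins.
# Added example; EXAMPLE / EXAMPLE.LOCAL are placeholder values.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS

    # Samba's default since 4.5 is "ntlmv2-only". MS-CHAPv2 answers an
    # 8-byte challenge with an NTLMv1-style NT response, so the default
    # rejects the responses pppd's winbind plugin hands to ntlm_auth and
    # the PPP session falls back to (or fails at) PAP.
    #
    # "mschapv2-and-ntlmv2-only" admits MS-CHAPv2 only on the ntlm_auth
    # helper path and still refuses plain NTLMv1 from SMB clients.
    # "ntlmv1-permitted" would also make MS-CHAPv2 work, but re-enables
    # NTLMv1 for every client of this host, so it is not the right fix.
    ntlm auth = mschapv2-and-ntlmv2-only
```

On the pppd side the matching options are `plugin winbind.so`, `ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"` and `require-mschap-v2`; the ntlm-server-1 helper protocol is what carries the MS-CHAPv2 challenge/response to winbind, so the smb.conf setting above applies to it rather than to the PAP path the post already has working.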