[Samba] radius auth to samba

Andrew Bartlett abartlet at samba.org
Wed Jul 2 13:39:34 MDT 2014

On Tue, 2014-07-01 at 11:36 -0700, Bob Miller wrote:
> Hello,
> > > I want to use RADIUS authentication on a firewall and have Samba be the
> > > source for the user accounts. I am using a pfsense firewall. Any
> > > pointers would be greatly appreciated.
> > 
> > It looks reasonable to me, but I suggest running radius, ntlm_auth and
> > winbindd on a member server, not on your DC.
> I installed radius server right on the DC and built my firewall to use
> radiusclient<=>ntlmauth.  It doesn't get used a whole lot, but it has
> been very reliable for over 18 months.  
> Andrew, is there any particular reason you recommend separating them? Am
> I overlooking something I should be concerned about?

We like to encourage separation of roles, and the
--require-membership-of option doesn't work on the AD DC currently (to
be fixed for 4.2, when we swap to always using winbindd). 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
