[Samba] L2tp and winbind - server role active directory domain controller

Rowland Penny rpenny at samba.org
Tue Aug 30 13:47:18 UTC 2016

On Tue, 30 Aug 2016 10:05:28 -0300
Gilberto Nunes via samba <samba at lists.samba.org> wrote:

> Hello list...
> I have samba 4.1.17 installed and, on the same server, I have l2tp.
> Samba is configured as an active directory domain controller.
> I am trying authentication against samba with winbind.
> I want to know how to restrict authentication to a certain group.
> I put this line at the end of the l2tp conf file:
> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of="domain\\VPN"'
> But I get this in log.winbindd:
>  server role = 'active directory domain controller' not compatible
> with running the winbindd binary.
>   You should start 'samba' instead, and it will control starting the
> internal AD DC winbindd implementation, which is not the same as this
> one
> And it seems to me the group restriction does not work!
> Instead, any user can connect via the l2tp vpn.
> Can somebody help?
> Thanks a lot
> Gilberto Ferreira

You really need to upgrade samba: 4.1.x is EOL, 4.5.0 will be released
shortly and then 4.2.x will go EOL.
Before 4.2.0, winbindd wasn't used; the 'winbind' part of the 'samba'
binary was used. When 4.2.0 was released the code was changed to use
the separate 'winbindd' binary instead, and the 'samba' binary will
start it for you, just like it starts 'smbd'.

As you have found out, you cannot start the separate 'winbindd' binary
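The quickest way to see whether --require-membership-of is actually rejecting non-members, independently of pppd and of the stand-alone winbindd that refuses to start on an AD DC, is to drive ntlm_auth by hand over the same ntlm-server-1 helper protocol that pppd's winbind plugin uses. The script below is an added example, not code from the thread or from the Samba project. It assumes the request fields (Username, NT-Domain, Password, terminated by a line containing a single dot) and the reply line "Authenticated: Yes" / "Authenticated: No" as described in the ntlm_auth(1) man page; SAMDOM, the VPN group and the user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): exercise ntlm_auth over the
# ntlm-server-1 helper protocol, the way pppd's winbind plugin does,
# so the --require-membership-of restriction can be tested outside l2tp.
#
# Assumptions: request fields Username / NT-Domain / Password plus a
# terminating "." line, and a reply containing "Authenticated: Yes" or
# "Authenticated: No", per ntlm_auth(1). SAMDOM, the VPN group and the
# user names below are placeholders.

# Build the request block pppd would send for a plaintext password.
# $1 user, $2 NT domain, $3 password.
ntlm_request() {
    printf 'Username: %s\nNT-Domain: %s\nPassword: %s\n.\n' "$1" "$2" "$3"
}

# Return 0 only when the helper reply contains "Authenticated: Yes".
# "Authenticated: No", an error line or an empty reply all count as
# rejection, which is the safe default for a VPN gate.
ntlm_reply_ok() {
    printf '%s\n' "$1" | grep -q '^Authenticated: Yes$'
}

# Run ntlm_auth with a group restriction and print the raw reply.
# $1 user, $2 domain, $3 password, $4 required group (DOMAIN\group or SID).
ntlm_auth_check() {
    ntlm_request "$1" "$2" "$3" |
        ntlm_auth --helper-protocol=ntlm-server-1 \
                  --require-membership-of="$4"
}

# Stand-alone usage, only when ntlm_auth exists on this host.
if command -v ntlm_auth >/dev/null 2>&1; then
    reply=$(ntlm_auth_check gilberto SAMDOM 'Passw0rd!' 'SAMDOM\VPN' || true)
    if ntlm_reply_ok "$reply"; then
        echo "accepted: user is a member of SAMDOM\\VPN"
    else
        echo "rejected, helper said:"
        echo "$reply"
    fi
fi
```

Run it once with a user who is in the VPN group and once with a user who is not; if both come back "Authenticated: Yes", the group check is not being applied at the helper level (for example because the group name did not survive pppd's option parsing of the doubled backslashes), whereas a "No" for the non-member means the helper is fine and the problem is between pppd and the helper.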