[Samba] L2tp and winbind - server role active directory domain controller
achim at ag-web.biz
Tue Aug 30 15:25:52 UTC 2016
Am 30.08.2016 um 16:57 schrieb Gilberto Nunes via samba:
> hum... thanks Achim....
> I think this is more reasonable for my scenario....
> I will try!
> 2016-08-30 11:48 GMT-03:00 Achim Gottinger via samba <samba at lists.samba.org>
>> Am 30.08.2016 um 15:05 schrieb Gilberto Nunes via samba:
>>> Hello list...
>>> I have samba 4.1.17 installed and, on the same server, I have l2tp.
>>> Samba is configured as an active directory domain controller.
>>> I am trying authentication against samba with winbind.
>>> I want to know how to restrict authentication to a certain group.
>>> I put this line in the end of l2tp conf file:
>>> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>> But I get this in log.winbindd:
>>> server role = 'active directory domain controller' not compatible with
>>> running the winbindd binary.
>>> You should start 'samba' instead, and it will control starting the
>>> internal AD DC winbindd implementation, which is not the same as this one
>>> And it seems to me the group restriction does not work!
>>> Instead, any user can connect via the l2tp vpn.
>>> Can somebody help??
>>> Thanks a lot
>>> Gilberto Ferreira
>> You can use freeradius with mschap (ntlm_auth) and ldap (for group
>> membership requirements) configured to connect to your AD server. Then
>> configure l2tp to use that freeradius server for authentication.
Can be it's a bit oversized. I think you can ignore the winbind log
message; winbindd will be started by samba if it runs in AD mode like
You say any user can connect via l2tp. Is a proper password a
requirement, or does any password work?
You may try using the group's SID instead of the group name as the
If I run a test here like
It always complains
"Winbindd lookupname failed to resolve domain\\VPN into a SID!"
Using "domain\VPN" works.
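As an added check for the thread above (example code, not from the original posts or from the Samba project): the script below resolves the group to a SID with wbinfo, as suggested, and then calls ntlm_auth directly with --require-membership-of=<SID>, so the group restriction can be verified from a shell before trusting it behind L2TP. It relies only on the exit status of ntlm_auth, which is 0 only when the password is correct and the user is in the group. The domain short name EXAMPLE, the group VPN, and the test user and password are assumptions; the wbinfo output format shown in the comments is the normal "SID SID_DOM_GROUP (2)" line.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# Samba. It exercises the VPN group restriction the way pppd's winbind
# plugin would: resolve DOMAIN\GROUP to a SID with wbinfo, then call
# ntlm_auth with --require-membership-of=<SID> and use its exit status.
# Assumptions (not from the thread): domain short name EXAMPLE, group VPN,
# test user and password given on the command line.

# Resolve DOMAIN\GROUP to a SID. wbinfo prints "S-1-5-21-... SID_DOM_GROUP (2)";
# only the first field is the SID. Note the single backslash that reaches
# wbinfo: a doubled backslash ("domain\\VPN") is what failed in the thread.
resolve_group_sid() {
    dom=$1; grp=$2
    sid=$(wbinfo --name-to-sid "${dom}\\${grp}" 2>/dev/null | awk '{print $1}')
    case $sid in
        S-1-*) printf '%s\n' "$sid"; return 0 ;;
        *) printf 'cannot resolve %s\\%s to a SID\n' "$dom" "$grp" >&2; return 1 ;;
    esac
}

# Authenticate a user and require membership of the given SID. ntlm_auth
# exits 0 only when the password is right AND the user is in the group, so
# the exit status is the whole check; a helper setup that does not enforce
# it lets every domain user in, which is the symptom reported above.
vpn_auth_check() {
    dom=$1; user=$2; pass=$3; sid=$4
    if ntlm_auth --domain="$dom" --username="$user" --password="$pass" \
                 --require-membership-of="$sid" >/dev/null 2>&1; then
        printf 'ALLOW %s\\%s (member of %s)\n' "$dom" "$user" "$sid"
        return 0
    else
        printf 'DENY  %s\\%s\n' "$dom" "$user"
        return 1
    fi
}

# Usage: sh vpn-group-check.sh DOMAIN USER PASSWORD [GROUP]
# Run one member and one non-member of the group; only the member may pass.
main() {
    dom=${1:?domain}; user=${2:?user}; pass=${3:?password}; grp=${4:-VPN}
    sid=$(resolve_group_sid "$dom" "$grp") || exit 2
    vpn_auth_check "$dom" "$user" "$pass" "$sid"
}

# Only run when credentials were given, so the functions can also be sourced.
if [ $# -ge 3 ]; then
    main "$@"
fi
```

Run it once with a user who is in VPN and once with a user who is not; if the second call also prints ALLOW, the restriction is not being enforced and the same thing will happen behind pppd. The same SID string can then be put into the pppd ntlm_auth-helper line as --require-membership-of=S-1-5-21-..., avoiding the name quoting problem entirely.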