[Samba] L2tp and winbind - server role active directory domain controller

Achim Gottinger achim at ag-web.biz
Tue Aug 30 15:25:52 UTC 2016

Am 30.08.2016 um 16:57 schrieb Gilberto Nunes via samba:
> hum... thanks Achim....
> I think this is more reasonable to my scenario....
> I will try!
> 2016-08-30 11:48 GMT-03:00 Achim Gottinger via samba <samba at lists.samba.org>
> :
>> Am 30.08.2016 um 15:05 schrieb Gilberto Nunes via samba:
>>> Hello list...
>>> I have samba 4.1.17 installed and in the same server, I have l2tp.
>>> Samba is configured as active directory domain controller.
>>> I am trying authentication against samba with winbind.
>>> I want to know how to restrict authentication for a certain group.
>>> I put this line in the end of l2tp conf file:
>>> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>> --require-membership-of="domain\\VPN"'
>>> But I get this in the log.winbindd:
>>>    server role = 'active directory domain controller' not compatible with
>>> running the winbindd binary.
>>>     You should start 'samba' instead, and it will control starting the
>>> internal AD DC winbindd implementation, which is not the same as this one
>>> And it seems to me group restriction does not work!
>>> Instead, any user can connect via l2tp vpn.
>>> Can somebody help??
>>> Thanks a lot
>>> Gilberto Ferreira
>> You can use freeradius with mschap (ntlm_auth) and ldap (for group
>> membership requirements) configured to connect to your AD server. Then
>> configure l2tp to use that freeradius server for authentication.
Maybe it's a bit oversized. I think you can ignore the winbind log 
message, winbindd will be started by samba if it runs in AD mode like 
Rowland mentioned.
You say any user can connect via l2tp. Is a proper password a 
requirement or does any password work?
You may try using the group's SID instead of the group name as the 
ntlm_auth parameter.
If I run a test here like

ntlm_auth --require-membership-of="domain\\VPN"

It always complains

"Winbindd lookupname failed to resolve domain\\VPN into a SID!"

Using "domain\VPN" works.
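An added example (not Achim's or Gilberto's configuration) of the freeradius route suggested earlier in the thread: the mschap module of FreeRADIUS 3.x handing MS-CHAPv2 to ntlm_auth with a group restriction, using the group's SID as recommended above. The ntlm_auth path, the config file path and the SID are assumptions.

```conf
# /etc/freeradius/3.0/mods-available/mschap  (added example; path and SID are assumed)
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    # Pass the MS-CHAPv2 challenge/response to winbind through ntlm_auth.
    # --require-membership-of makes ntlm_auth fail for any account that is
    # not a member of the VPN group, so the RADIUS Access-Request is rejected
    # and the l2tp session is never brought up.
    # Use the group's SID (look it up with: wbinfo --name-to-sid 'DOMAIN\VPN')
    # instead of the DOMAIN\group form, which is sensitive to backslash quoting.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=S-1-5-21-REPLACE-WITH-GROUP-SID"
}
```

Check the result with `radtest` or `radclient` against the server before pointing l2tp at it, and confirm in the freeradius debug output (`freeradius -X`) that a user outside the group gets Access-Reject.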
