[Samba] L2tp and winbind - server role active directory domain controller
Achim Gottinger
achim at ag-web.biz
Tue Aug 30 16:07:44 UTC 2016
On 30.08.2016 at 17:25, Achim Gottinger via samba wrote:
>
>
> On 30.08.2016 at 16:57, Gilberto Nunes via samba wrote:
>> hum... thanks Achim....
>>
>> I think this is more reasonable to my scenario....
>>
>> I will try!
>>
>> 2016-08-30 11:48 GMT-03:00 Achim Gottinger via samba <samba at lists.samba.org>:
>>
>>>
>>> On 30.08.2016 at 15:05, Gilberto Nunes via samba wrote:
>>>
>>>> Hello list...
>>>>
>>>> I have samba 4.1.17 installed and on the same server I have l2tp.
>>>> Samba is configured as an active directory domain controller.
>>>>
>>>> I am trying authentication against samba with winbind.
>>>> I want to know how to restrict authentication to a certain group.
>>>> I put this line at the end of the l2tp conf file:
>>>>
>>>> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>>> --require-membership-of="domain\\VPN"'
>>>>
>>>> But I get this in the log.winbindd:
>>>>
>>>> server role = 'active directory domain controller' not
>>>> compatible with
>>>> running the winbindd binary.
>>>> You should start 'samba' instead, and it will control starting the
>>>> internal AD DC winbindd implementation, which is not the same as
>>>> this one
>>>>
>>>> And it seems to me the group restriction does not work!
>>>> Instead, any user can connect via the l2tp vpn.
>>>>
>>>> Can somebody help??
>>>>
>>>> Thanks a lot
>>>>
>>>> Gilberto Ferreira
>>>>
>>> You can use freeradius with mschap (ntlm_auth) and ldap (for group
>>> membership requirements) configured to connect to your AD server. Then
>>> configure l2tp to use that freeradius server for authentication.
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
> Could be it's a bit oversized. I think you can ignore the winbind log
> message; winbindd will be started by samba if it runs in AD mode, like
> Rowland mentioned.
> You say any user can connect via l2tp. Is a proper password a
> requirement or does any password work?
> You may try using the group's SID instead of the group name as the
> ntlm_auth parameter.
> If I run a test here like
>
> ntlm_auth --require-membership-of="domain\\VPN"
I have to add that you have to add --username=[some username] to test
ntlm_auth and do not use --helper-protocol here.
>
> It always complains
>
> "Winbindd lookupname failed to resolve domain\\VPN into a SID!"
>
> Using "domain\VPN" works.
>
>
>
>
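A small check that follows up on the quoting problem discussed above. This is an added example, not code from this thread, from Samba or from pppd. It assumes that the `ntlm_auth-helper '...'` option line is decoded twice with POSIX shell quoting rules (once by the option parser stripping the outer quotes, once by a shell splitting the helper command), and models both steps with Python's `shlex`; the real option parser may not behave identically, so treat this as a model. The username and the SID in the sample command lines are constructed placeholders (a real SID comes from `wbinfo --name-to-sid`). It reports which group specification actually reaches `ntlm_auth`, flags the doubled-backslash form that winbindd could not resolve, and flags a helper line with no `--require-membership-of` at all, in which case any authenticated user passes.

```python
"""Check what group specification actually reaches ntlm_auth.

Added example, not code from the thread or from Samba/pppd. The two
decoding steps are modelled with POSIX shell rules via shlex; that is an
assumption about how the option line is processed, not documented behaviour.
"""
import re
import shlex

# Constructed pppd-style option line, as written in the thread.
CONF_LINE = (
    r"""ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 """
    r"""--require-membership-of="domain\\VPN"'"""
)

# Constructed variants of the manual test from the thread ("someuser" is a placeholder).
SHELL_DOUBLE = r'''ntlm_auth --username=someuser --require-membership-of="domain\\VPN"'''
SHELL_SINGLE = r"""ntlm_auth --username=someuser --require-membership-of='domain\\VPN'"""
# Constructed placeholder SID; a real one comes from `wbinfo --name-to-sid`.
SHELL_SID = "ntlm_auth --username=someuser --require-membership-of=S-1-5-21-1-2-3-1104"

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def helper_argv_from_conf(conf_line):
    """Return the argv ntlm_auth would see for an `ntlm_auth-helper '...'` line.

    Assumption: the option parser strips the outer quotes, then the helper
    string is split again by a POSIX shell. Both steps are modelled with shlex.
    """
    option, helper = shlex.split(conf_line)
    if option != "ntlm_auth-helper":
        raise ValueError("not an ntlm_auth-helper line: %r" % option)
    return shlex.split(helper)


def membership_spec(argv):
    """Extract the value handed to --require-membership-of, or None if absent."""
    prefix = "--require-membership-of="
    for arg in argv:
        if arg.startswith(prefix):
            return arg[len(prefix):]
    return None


def check_group_spec(spec):
    """Classify a group spec as ('sid', spec) or ('name', domain, group).

    Raises ValueError for the doubled-backslash form that winbindd cannot
    resolve, and for specs that are neither DOMAIN\\group nor a SID.
    """
    if SID_RE.match(spec):
        return ("sid", spec)
    if "\\\\" in spec:
        raise ValueError("doubled backslash reached ntlm_auth: %r" % spec)
    if spec.count("\\") != 1:
        raise ValueError("expected DOMAIN\\group or a SID, got %r" % spec)
    domain, group = spec.split("\\")
    if not domain or not group:
        raise ValueError("empty domain or group in %r" % spec)
    return ("name", domain, group)


def audit(cmdline, from_conf=False):
    """Return (spec reaching ntlm_auth, classification or error text)."""
    argv = helper_argv_from_conf(cmdline) if from_conf else shlex.split(cmdline)
    spec = membership_spec(argv)
    if spec is None:
        return (None, "no --require-membership-of: any authenticated user passes")
    try:
        return (spec, check_group_spec(spec))
    except ValueError as exc:
        return (spec, str(exc))


if __name__ == "__main__":
    for label, line, conf in [("conf", CONF_LINE, True), ("double", SHELL_DOUBLE, False),
                              ("single", SHELL_SINGLE, False), ("sid", SHELL_SID, False)]:
        print(label, audit(line, conf))
```

Under POSIX rules a `\\` inside double quotes collapses to a single backslash, so `"domain\\VPN"` and `"domain\VPN"` hand `ntlm_auth` the same `domain\VPN`; inside single quotes the two backslashes survive and the lookup fails. Passing the group's SID sidesteps the quoting question entirely, which is why it is worth trying when the name form misbehaves.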