Gilberto Nunes
2016-Aug-30 13:05 UTC
[Samba] L2tp and winbind - server role active directory domain controller
Hello list...

I have samba 4.1.17 installed and in the same server, I have l2tp.
Samba is configured as active directory domain controller.

I am trying authentication against samba with winbind.
I want to know how to restrict authentication for certain group.
I put this line in the end of l2tp conf file:

ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="domain\\VPN"'

But I get this in the log.windbindd:

server role = 'active directory domain controller' not compatible with running the winbindd binary.
You should start 'samba' instead, and it will control starting the internal AD DC winbindd implementation, which is not the same as this one

And it seems to me the group restriction does not work!
Instead, any user can connect via l2tp vpn.

Somebody can help??

Thanks a lot

Gilberto Ferreira
Rowland Penny
2016-Aug-30 13:47 UTC
[Samba] L2tp and winbind - server role active directory domain controller
On Tue, 30 Aug 2016 10:05:28 -0300 Gilberto Nunes via samba <samba at lists.samba.org> wrote:

> Hello list...
>
> I have samba 4.1.17 installed and in the same server, I have l2tp.
> Samba is configured as active directory domain controller.
>
> I am trying authentication against samba with winbind.
> I want to know how to restrict authentication for certain group.
> I put this line in the end of l2tp conf file:
>
> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of="domain\\VPN"'
>
> But I get this in the log.windbindd:
>
> server role = 'active directory domain controller' not compatible
> with running the winbindd binary.
> You should start 'samba' instead, and it will control starting the
> internal AD DC winbindd implementation, which is not the same as this
> one
>
> And it seems to me the group restriction does not work!
> Instead, any user can connect via l2tp vpn.
>
> Somebody can help??
>
> Thanks a lot
>
> Gilberto Ferreira

You really need to upgrade samba, 4.1.x is EOL, 4.5.0 will be released shortly and then 4.2.x will go EOL.

Before 4.2.0, winbindd wasn't used, the 'winbind' part of the 'samba' binary was used. When 4.2.0 was released the code was changed to use the separate 'winbindd' binary instead and the 'samba' binary will start it for you, just like it starts 'smbd'.

As you have found out, you cannot start the separate 'winbindd' binary yourself.

Rowland
Gilberto Nunes
2016-Aug-30 14:06 UTC
[Samba] L2tp and winbind - server role active directory domain controller
Hi

Thanks for your answer...

Unfortunately, I can't upgrade because it's an appliance - Zentyal Server 4.0.
I will try another thing.

Thank you anyway...

2016-08-30 10:47 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 30 Aug 2016 10:05:28 -0300
> Gilberto Nunes via samba <samba at lists.samba.org> wrote:
>
> > Hello list...
> >
> > I have samba 4.1.17 installed and in the same server, I have l2tp.
> > Samba is configured as active directory domain controller.
> >
> > I am trying authentication against samba with winbind.
> > I want to know how to restrict authentication for certain group.
> > I put this line in the end of l2tp conf file:
> >
> > ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> > --require-membership-of="domain\\VPN"'
> >
> > But I get this in the log.windbindd:
> >
> > server role = 'active directory domain controller' not compatible
> > with running the winbindd binary.
> > You should start 'samba' instead, and it will control starting the
> > internal AD DC winbindd implementation, which is not the same as this
> > one
> >
> > And it seems to me the group restriction does not work!
> > Instead, any user can connect via l2tp vpn.
> >
> > Somebody can help??
> >
> > Thanks a lot
> >
> > Gilberto Ferreira
>
> You really need to upgrade samba, 4.1.x is EOL, 4.5.0 will be released
> shortly and then 4.2.x will go EOL.
> Before 4.2.0, winbindd wasn't used, the 'winbind' part of the 'samba'
> binary was used. When 4.2.0 was released the code was changed to use
> the separate 'winbindd' binary instead and the 'samba' binary will
> start it for you, just like it starts 'smbd'.
>
> As you have found out, you cannot start the separate 'winbindd' binary
> yourself.
>
> Rowland

--
Gilberto Ferreira
+55 (47) 9676-7530
Skype: gilberto.nunes36
L.P.H. van Belle
2016-Aug-30 14:27 UTC
[Samba] L2tp and winbind - server role active directory domain controller
Uhm upgrade.. to zentyal 4.2..

Setup a member server, now enable l2tp with winbindd
That should work fine.

Winbindd can not run on the AD DC, but it does on a member server.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Gilberto Nunes
> via samba
> Sent: Tuesday 30 August 2016 16:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] L2tp and winbind - server role active directory
> domain controller
>
> Hi
>
> Thanks for your answer...
>
> Unfortunately, I can't upgrade because it's an appliance - Zentyal Server
> 4.0.
> I will try another thing.
>
> Thank you anyway...
>
> 2016-08-30 10:47 GMT-03:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> > On Tue, 30 Aug 2016 10:05:28 -0300
> > Gilberto Nunes via samba <samba at lists.samba.org> wrote:
> >
> > > Hello list...
> > >
> > > I have samba 4.1.17 installed and in the same server, I have l2tp.
> > > Samba is configured as active directory domain controller.
> > >
> > > I am trying authentication against samba with winbind.
> > > I want to know how to restrict authentication for certain group.
> > > I put this line in the end of l2tp conf file:
> > >
> > > ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> > > --require-membership-of="domain\\VPN"'
> > >
> > > But I get this in the log.windbindd:
> > >
> > > server role = 'active directory domain controller' not compatible
> > > with running the winbindd binary.
> > > You should start 'samba' instead, and it will control starting the
> > > internal AD DC winbindd implementation, which is not the same as this
> > > one
> > >
> > > And it seems to me the group restriction does not work!
> > > Instead, any user can connect via l2tp vpn.
> > >
> > > Somebody can help??
> > >
> > > Thanks a lot
> > >
> > > Gilberto Ferreira
> >
> > You really need to upgrade samba, 4.1.x is EOL, 4.5.0 will be released
> > shortly and then 4.2.x will go EOL.
> > Before 4.2.0, winbindd wasn't used, the 'winbind' part of the 'samba'
> > binary was used. When 4.2.0 was released the code was changed to use
> > the separate 'winbindd' binary instead and the 'samba' binary will
> > start it for you, just like it starts 'smbd'.
> >
> > As you have found out, you cannot start the separate 'winbindd' binary
> > yourself.
> >
> > Rowland
>
> --
>
> Gilberto Ferreira
> +55 (47) 9676-7530
> Skype: gilberto.nunes36
Achim Gottinger
2016-Aug-30 14:48 UTC
[Samba] L2tp and winbind - server role active directory domain controller
On 30.08.2016 at 15:05, Gilberto Nunes via samba wrote:

> Hello list...
>
> I have samba 4.1.17 installed and in the same server, I have l2tp.
> Samba is configured as active directory domain controller.
>
> I am trying authentication against samba with winbind.
> I want to know how to restrict authentication for certain group.
> I put this line in the end of l2tp conf file:
>
> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of="domain\\VPN"'
>
> But I get this in the log.windbindd:
>
> server role = 'active directory domain controller' not compatible with
> running the winbindd binary.
> You should start 'samba' instead, and it will control starting the
> internal AD DC winbindd implementation, which is not the same as this one
>
> And it seems to me the group restriction does not work!
> Instead, any user can connect via l2tp vpn.
>
> Somebody can help??
>
> Thanks a lot
>
> Gilberto Ferreira

You can use freeradius with mschap (ntlm_auth) and ldap (for group membership requirements) configured to connect to your AD server. Then configure l2tp to use that freeradius server for authentication.
Gilberto Nunes
2016-Aug-30 14:57 UTC
[Samba] L2tp and winbind - server role active directory domain controller
hum... thanks Achim....

I think this is more reasonable to my scenario....
I will try!

2016-08-30 11:48 GMT-03:00 Achim Gottinger via samba <samba at lists.samba.org>:

> On 30.08.2016 at 15:05, Gilberto Nunes via samba wrote:
>
>> Hello list...
>>
>> I have samba 4.1.17 installed and in the same server, I have l2tp.
>> Samba is configured as active directory domain controller.
>>
>> I am trying authentication against samba with winbind.
>> I want to know how to restrict authentication for certain group.
>> I put this line in the end of l2tp conf file:
>>
>> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>> --require-membership-of="domain\\VPN"'
>>
>> But I get this in the log.windbindd:
>>
>> server role = 'active directory domain controller' not compatible with
>> running the winbindd binary.
>> You should start 'samba' instead, and it will control starting the
>> internal AD DC winbindd implementation, which is not the same as this one
>>
>> And it seems to me the group restriction does not work!
>> Instead, any user can connect via l2tp vpn.
>>
>> Somebody can help??
>>
>> Thanks a lot
>>
>> Gilberto Ferreira
>>
> You can use freeradius with mschap (ntlm_auth) and ldap (for group
> membership requirements) configured to connect to your AD server. Then
> configure l2tp to use that freeradius server for authentication.

--
Gilberto Ferreira
+55 (47) 9676-7530
Skype: gilberto.nunes36