Probably is a stupid question, but...

I need to implement some 'NTLM auth' (in squid and MSCHAPv2/PEAP on freeradius).

It is better to install squid/freeradius in the same host of a DC, or don't bother at all so they can be installed also on a DM?

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On 7/9/18 at 17:59, Marco Gaiarin via samba wrote:
> It is better to install squid/freeradius in the same host of a DC, or
> don't bother at all so they can be installed also on a DM?

I don't know if it's better but I'm running freeradius with ntlm_auth on a different host.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007

On Fri, 2018-09-07 at 20:14 +0200, Luca Olivetti via samba wrote:
> On 7/9/18 at 17:59, Marco Gaiarin via samba wrote:
>
> > It is better to install squid/freeradius in the same host of a DC, or
> > don't bother at all so they can be installed also on a DM?
>
> I don't know if it's better but I'm running freeradius with ntlm_auth on
> a different host.

I would do that; it allows you to have the FreeRADIUS fail over to another DC when you are upgrading Samba, and choose to upgrade Samba's base OS without consideration for the Squid/FreeRADIUS stack.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Hi Marco,

> Probably is a stupid question, but...
>
> I need to implement some 'NTLM auth' (in squid and MSCHAPv2/PEAP on
> freeradius).
>
> It is better to install squid/freeradius in the same host of a DC, or
> don't bother at all so they can be installed also on a DM?

This is not a stupid question!

We have several squid proxies with ntlm_auth running. Ntlm_auth works only on a Domain Member Server and not on a PDC, BDC or DC.

If for any reason you MUST run it on a PDC/BDC you must start the winbindd with its own smb.conf (i.e. winbindd -s /etc/samba/winbind.conf).

So all winbind related settings MUST be done in winbind.conf. Only one winbind instance CAN run on a server.

I do not know if this is possible on an AD DC. I have never tried it.

> Thanks.

-- 
Regards
Harry Jede

Would squid and freeradius support LDAP authentication with AD? I don't know if you are using NTLM or NTLMv2.

On 09/08/18 06:54, Harry Jede via samba wrote:
> Hi Marco,
>
>> Probably is a stupid question, but...
>>
>> I need to implement some 'NTLM auth' (in squid and MSCHAPv2/PEAP on
>> freeradius).
>>
>> It is better to install squid/freeradius in the same host of a DC, or
>> don't bother at all so they can be installed also on a DM?
> This is not a stupid question!
>
> We have several squid proxies with ntlm_auth running. Ntlm_auth works only
> on a Domain Member Server and not on a PDC, BDC or DC.
>
> If for any reason you MUST run it on a PDC/BDC you must start the winbindd
> with its own smb.conf (i.e. winbindd -s /etc/samba/winbind.conf).
>
> So all winbind related settings MUST be done in winbind.conf. Only one
> winbind instance CAN run on a server.
>
> I do not know if this is possible on an AD DC. I have never tried it.
>
>
>> Thanks.
>