L.P.H. van Belle
2016-Aug-30 14:27 UTC
[Samba] L2tp and winbind - server role active directory domain controller
Uhm upgrade.. to zentyal 4.2..

Setup a member server, now enable l2tp with winbindd
That should work fine.

Winbindd can not run on the AD DC, but it does on a member server.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Gilberto Nunes via samba
> Sent: Tuesday, 30 August 2016 16:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] L2tp and winbind - server role active directory domain controller
>
> Hi
>
> Thanks for your answer...
>
> Unfortunately, I can't upgrade because it's an appliance - Zentyal Server 4.0.
> I will try another thing.
>
> Thank you any way...
>
> 2016-08-30 10:47 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
>
> > On Tue, 30 Aug 2016 10:05:28 -0300
> > Gilberto Nunes via samba <samba at lists.samba.org> wrote:
> >
> > > Hello list...
> > >
> > > I have samba 4.1.17 installed and in the same server, I have l2tp.
> > > Samba is configured as active directory domain controller.
> > >
> > > I am trying authentication against samba with winbind.
> > > I want to know how to restrict authentication for certain group.
> > > I put this line in the end of l2tp conf file:
> > >
> > > ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> > > --require-membership-of="domain\\VPN"'
> > >
> > > But I get this in the log.winbindd:
> > >
> > > server role = 'active directory domain controller' not compatible
> > > with running the winbindd binary.
> > > You should start 'samba' instead, and it will control starting the
> > > internal AD DC winbindd implementation, which is not the same as this
> > > one
> > >
> > > And it seems to me group restriction does not work!
> > > Instead, any user can connect via l2tp vpn.
> > >
> > > Somebody can help??
> > >
> > > Thanks a lot
> > >
> > > Gilberto Ferreira
> >
> > You really need to upgrade samba, 4.1.x is EOL, 4.5.0 will be released
> > shortly and then 4.2.x will go EOL.
> > Before 4.2.0, winbindd wasn't used, the 'winbind' part of the 'samba'
> > binary was used. When 4.2.0 was released the code was changed to use
> > the separate 'winbindd' binary instead and the 'samba' binary will
> > start it for you, just like it starts 'smbd'.
> >
> > As you have found out, you cannot start the separate 'winbindd' binary
> > yourself.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> --
> Gilberto Ferreira
> +55 (47) 9676-7530
> Skype: gilberto.nunes36
Gilberto Nunes
2016-Aug-30 14:41 UTC
[Samba] L2tp and winbind - server role active directory domain controller
Hello Louis

I can't do it, 'cause Zentyal 4.2 doesn't have Proxy and other modules that I need....

Any way, thanks a lot

2016-08-30 11:27 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

> Uhm upgrade.. to zentyal 4.2..
>
> Setup a member server, now enable l2tp with winbindd
> That should work fine.
>
> Winbindd can not run on the AD DC, but it does on a member server.
>
> Greetz,
>
> Louis

--
Gilberto Ferreira
+55 (47) 9676-7530
Skype: gilberto.nunes36
Rowland Penny
2016-Aug-30 14:54 UTC
[Samba] L2tp and winbind - server role active directory domain controller
On Tue, 30 Aug 2016 16:27:51 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Uhm upgrade.. to zentyal 4.2..
>
> Setup a member server, now enable l2tp with winbindd
> That should work fine.
>
> Winbindd can not run on the AD DC, but it does on a member server.
>

Oh dear my DC must be broken LOL

root at dc1:~# ps ax | grep winbind
 2344 ?        Ss     6:37 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 2364 ?        S     18:30 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 2366 ?        S      0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 2367 ?        S      0:02 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

Rowland
L.P.H. van Belle
2016-Aug-30 15:16 UTC
[Samba] L2tp and winbind - server role active directory domain controller
You funny guy.. ;-)

.. I'll correct..
Winbindd can not run solo on the AD DC, but it does on a member server.
It's started by samba itself on the AD DC..

And don't cheat in the commands.. ;-)

ps fax | egrep "samba|winbind"
27389 ?        Ss     0:00 /usr/sbin/samba
27390 ?        S      0:00  \_ /usr/sbin/samba
27391 ?        S     33:11  \_ /usr/sbin/samba
27393 ?        S      0:04  \_ /usr/sbin/samba
27394 ?        S      0:04  \_ /usr/sbin/samba
27395 ?        S      3:34  \_ /usr/sbin/samba
27396 ?        S      0:15  \_ /usr/sbin/samba
27397 ?        S      1:02  \_ /usr/sbin/samba
27398 ?        S      3:17  \_ /usr/sbin/samba
27399 ?        S      0:00  \_ /usr/sbin/samba
27401 ?        Ss     1:24  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
27426 ?        S      2:56  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
27470 ?        S      3:09  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
27522 ?        S      0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
27400 ?        S      0:01  \_ /usr/sbin/samba
27402 ?        S      1:28  \_ /usr/sbin/samba
27403 ?        S      0:28  \_ /usr/sbin/samba

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Tuesday, 30 August 2016 16:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] L2tp and winbind - server role active directory domain controller
>
> On Tue, 30 Aug 2016 16:27:51 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Uhm upgrade.. to zentyal 4.2..
> >
> > Setup a member server, now enable l2tp with winbindd
> > That should work fine.
> >
> > Winbindd can not run on the AD DC, but it does on a member server.
> >
>
> Oh dear my DC must be broken LOL
>
> root at dc1:~# ps ax | grep winbind
>  2344 ?        Ss     6:37 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>  2364 ?        S     18:30 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>  2366 ?        S      0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>  2367 ?        S      0:02 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> Rowland
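The distinction made in the message above (winbindd started by `samba` on the AD DC versus winbindd started on its own) can be checked from the process table. This is an added example, not part of the original thread; the function names and sample rows are constructed, and it assumes input in the form printed by `ps -eo pid=,ppid=,comm=`.

```shell
#!/bin/sh
# Constructed sample rows: "pid ppid comm". PIDs 27389-27426 mirror the
# samba-managed layout shown in the thread; 3001/3002 are a hypothetical
# winbindd that somebody started by hand.
sample_ps() {
cat <<'EOF'
27389 1 samba
27399 27389 samba
27401 27399 winbindd
27426 27401 winbindd
3001 1 winbindd
3002 3001 winbindd
EOF
}

# classify_winbindd: read "pid ppid comm" rows on stdin and print one line
# for each top-level winbindd (one whose parent is not itself winbindd):
#   "<pid> managed"     parent is a samba process (the AD DC arrangement)
#   "<pid> standalone"  started by anything else (init, a shell, a unit)
classify_winbindd() {
    awk '
        { comm[$1] = $3; ppid[$1] = $2; order[n++] = $1 }
        END {
            for (i = 0; i < n; i++) {
                p = order[i]
                if (comm[p] != "winbindd") continue
                # winbindd forks its own workers; skip those children
                if (comm[ppid[p]] == "winbindd") continue
                print p, (comm[ppid[p]] == "samba" ? "managed" : "standalone")
            }
        }'
}

# Run against the constructed sample. On a live host use:
#   ps -eo pid=,ppid=,comm= | classify_winbindd
sample_ps | classify_winbindd
```

A `standalone` result on a host whose `server role` is an AD DC corresponds to the configuration that produced the `log.winbindd` error quoted in the thread.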
Rowland Penny
2016-Aug-30 15:22 UTC
[Samba] L2tp and winbind - server role active directory domain controller
On Tue, 30 Aug 2016 17:16:36 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> You funny guy.. ;-)

Well, I try ;-)

>
> .. I'll correct..
> Winbindd can not run solo on the AD DC, but it does on a member
> server. It's started by samba itself on the AD DC..

Cannot argue with that.

>
> And don't cheat in the commands.. ;-)

Why not ? ;-)

Rowland