Gilberto Nunes
2016-Aug-30 14:57 UTC
[Samba] L2tp and winbind - server role active directory domain controller
hum... thanks Achim.... I think this is more reasonable to my scenario.... I will try!

2016-08-30 11:48 GMT-03:00 Achim Gottinger via samba <samba at lists.samba.org>:

> Am 30.08.2016 um 15:05 schrieb Gilberto Nunes via samba:
>> Hello list...
>>
>> I have samba 4.1.17 installed and in the same server, I have l2tp.
>> Samba is configured as active directory domain controller.
>>
>> I am trying authentication against samba with winbind.
>> I want to know how to restrict authentication for a certain group.
>> I put this line in the end of the l2tp conf file:
>>
>> ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="domain\\VPN"'
>>
>> But I get this in the log.winbindd:
>>
>> server role = 'active directory domain controller' not compatible with running the winbindd binary.
>> You should start 'samba' instead, and it will control starting the internal AD DC winbindd implementation, which is not the same as this one
>>
>> And it seems to me the group restriction does not work!
>> Instead, any user can connect via l2tp vpn.
>>
>> Can somebody help??
>>
>> Thanks a lot
>>
>> Gilberto Ferreira
>
> You can use freeradius with mschap (ntlm_auth) and ldap (for group membership requirements) configured to connect to your ad server. Then configure l2tp to use that freeradius server for authentication.
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
Gilberto Ferreira
+55 (47) 9676-7530
Skype: gilberto.nunes36
Achim Gottinger
2016-Aug-30 15:25 UTC
[Samba] L2tp and winbind - server role active directory domain controller
Am 30.08.2016 um 16:57 schrieb Gilberto Nunes via samba:
> hum... thanks Achim....
>
> I think this is more reasonable to my scenario....
>
> I will try!

Can be it's a bit oversized. I think you can ignore the winbind log message, winbindd will be started by samba if it runs in ad mode like rowland mentioned.

You say any user can connect via l2tp. Is a proper password a requirement or does any password work?

You may try to use the group's sid instead of the group name as the ntlm_auth parameter.

If I run a test here like

ntlm_auth --require-membership-of="domain\\VPN"

It always complains

"Winbindd lookupname failed to resolve domain\\VPN into a SID!"

Using "domain\VPN" works.
Achim Gottinger
2016-Aug-30 16:07 UTC
[Samba] L2tp and winbind - server role active directory domain controller
Am 30.08.2016 um 17:25 schrieb Achim Gottinger via samba:
> Can be it's a bit oversized. I think you can ignore the winbind log message, winbindd will be started by samba if it runs in ad mode like rowland mentioned.
> You say any user can connect via l2tp. Is a proper password a requirement or does any password work?
> You may try to use the group's sid instead of the group name as the ntlm_auth parameter.
> If I run a test here like
>
> ntlm_auth --require-membership-of="domain\\VPN"

I have to add that you have to add --username=[some username] to test ntlm_auth and do not use --helper-protocol here.

> It always complains
>
> "Winbindd lookupname failed to resolve domain\\VPN into a SID!"
>
> Using "domain\VPN" works.
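A small POSIX shell helper, added here as an example and not part of the thread, that follows Achim's advice: it tests ntlm_auth directly with --username and without --helper-protocol, after collapsing the doubled backslash that winbind cannot resolve, and looks up the group's SID as the alternative parameter. It assumes ntlm_auth and wbinfo are on PATH on the AD DC, and DOMAIN, VPN and the user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the VPN group restriction
# actually holds before trusting the pppd ntlm_auth-helper line.
# Assumes: samba runs as AD DC (so its internal winbindd is up) and
# ntlm_auth / wbinfo are on PATH. DOMAIN, VPN and the users are placeholders.

# "domain\\VPN" written inside the quoted helper line reaches winbind with a
# doubled backslash, which lookupname cannot resolve; collapse it to one.
normalize_group() {
    printf '%s\n' "$1" | sed 's/\\\\/\\/g'
}

# Resolve a group name to its SID with wbinfo (-n = name-to-sid); the SID
# form is the alternative Achim suggests for --require-membership-of.
group_sid() {
    wbinfo -n "$(normalize_group "$1")" | cut -d' ' -f1
}

# Exit 0 only if the user authenticates AND is in the group. This is the
# direct test from the thread: --username given, no --helper-protocol.
check_vpn_access() {
    _user=$1 _pass=$2
    _group=$(normalize_group "$3")
    ntlm_auth --username="$_user" --password="$_pass" \
              --require-membership-of="$_group" >/dev/null 2>&1
}

# Usage: run for a member and a non-member of the group; the second call
# must fail, otherwise the restriction is not being enforced.
if [ "${1:-}" = "--run" ]; then
    if check_vpn_access 'vpnuser' 'secret' 'DOMAIN\\VPN'; then
        echo "member: allowed (expected)"
    else
        echo "member: denied, check credentials or group name"
    fi
    if check_vpn_access 'otheruser' 'secret' 'DOMAIN\\VPN'; then
        echo "non-member: ALLOWED - group restriction is NOT enforced"
    else
        echo "non-member: denied (expected)"
    fi
    echo "SID form for the helper line: $(group_sid 'DOMAIN\\VPN')"
fi
```

Passing --password on the command line exposes it in the process list, so run this with a throwaway test account.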