samba - Nov 2022 - freeradius on dc?

Not from my side. I tried it a couple of times but for us containers were always
a mess when it came to Samba. Starting from permission issues and problems
forwarding all the ports necessary (which conflicted with the host). That is why
we only use virtual machines now.
> On Wednesday, Nov 30, 2022 at 8:14 AM, Zombie Ryushu via samba <samba at
lists.samba.org (mailto:samba at lists.samba.org)> wrote:
> On 11/30/22 02:01, Joachim Lindenberg via samba wrote:
> > Hello Andrew,
> > good point. Actually I would love to run freeradius + samba in one or
two docker containers. However, while there are descriptions on how to run
freeradius in a container, there aren?t a lot for a samba member server. Any
pointer for that?
> > Thanks,
> > Joachim
> >
> > -----Urspr?ngliche Nachricht-----
> > Von: Andrew Bartlett <abartlet at samba.org>
> > Gesendet: Mittwoch, 30. November 2022 00:51
> > An: Joachim Lindenberg <samba at lindenberg.one>; samba at
lists.samba.org
> > Betreff: Re: [Samba] freeradius on dc?
> >
> > On Tue, 2022-11-29 at 22:31 +0100, Joachim Lindenberg via samba wrote:
> > > Hello,
> > >
> > > I am wondering whether it is possible / recommended or not, to
install
> > > and use freeradius on a domain controller. The documentation at
> > >
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Act
> > > ive_Directory is about installation/configuration on member
servers
> > > only.
> > >
> > > Any thoughts? What changes on a dc?
> > It should still just work, as the same winbindd is under the hood and
this mode of operation is connected, but running a member server allows more
separation of concerns and avoids any DC being 'special'.
> >
> > VMs or containers are good for this.
> >
> > Andrew Bartlett
>
> I might be able to chime in on here, if your DC is RFC2307 Compliant,
> you might be able to treat Samba like OpenLDAP and Heimdal.
>
> I used to do this with my old OpenLDAP/Heimdal/Samba 3 Setup. I know for
> a fact, the OpenLDAP Schema for FreeRadius can be converted and imported
> into Samba 4 AD, but this "breaks" Samba 4's compatibility
with other AD
> Forests wherein actual Windows Servers need the same Schema.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 11/30/22 3:56 AM, Alexander Harm || ApfelQ via samba
wrote:
> Not from my side. I tried it a couple of times but for us containers were
always a mess when it came to Samba. Starting from permission issues and
problems forwarding all the ports necessary (which conflicted with the host).
That is why we only use virtual machines now.
We have no problem running Samba AD as OCI containers, the trick is to 
use host networking and setup an extra IP address for the DC and bind 
only to it, This way there is no conflicts with the host.

It was required because Samba insist in adding the container internal IP 
to DNS when host networking isn't used, and that IP isn't reachable by 
clients.
> 
>> On Wednesday, Nov 30, 2022 at 8:14 AM, Zombie Ryushu via samba
<samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
>> On 11/30/22 02:01, Joachim Lindenberg via samba wrote:
>>> Hello Andrew,
>>> good point. Actually I would love to run freeradius + samba in one
or two docker containers. However, while there are descriptions on how to run
freeradius in a container, there aren?t a lot for a samba member server. Any
pointer for that?
>>> Thanks,
>>> Joachim
>>>
>>> -----Urspr?ngliche Nachricht-----
>>> Von: Andrew Bartlett <abartlet at samba.org>
>>> Gesendet: Mittwoch, 30. November 2022 00:51
>>> An: Joachim Lindenberg <samba at lindenberg.one>; samba at
lists.samba.org
>>> Betreff: Re: [Samba] freeradius on dc?
>>>
>>> On Tue, 2022-11-29 at 22:31 +0100, Joachim Lindenberg via samba
wrote:
>>>> Hello,
>>>>
>>>> I am wondering whether it is possible / recommended or not, to
install
>>>> and use freeradius on a domain controller. The documentation at
>>>>
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Act
>>>> ive_Directory is about installation/configuration on member
servers
>>>> only.
>>>>
>>>> Any thoughts? What changes on a dc?
>>> It should still just work, as the same winbindd is under the hood
and this mode of operation is connected, but running a member server allows more
separation of concerns and avoids any DC being 'special'.
>>>
>>> VMs or containers are good for this.
>>>
>>> Andrew Bartlett
>>
>> I might be able to chime in on here, if your DC is RFC2307 Compliant,
>> you might be able to treat Samba like OpenLDAP and Heimdal.
>>
>> I used to do this with my old OpenLDAP/Heimdal/Samba 3 Setup. I know
for
>> a fact, the OpenLDAP Schema for FreeRadius can be converted and
imported
>> into Samba 4 AD, but this "breaks" Samba 4's
compatibility with other AD
>> Forests wherein actual Windows Servers need the same Schema.
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba