Hello Andrew,
good point. Actually I would love to run freeradius + samba in one or two docker containers. However, while there are descriptions on how to run freeradius in a container, there aren't a lot for a samba member server. Any pointer for that?
Thanks,
Joachim

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Wednesday, 30 November 2022 00:51
To: Joachim Lindenberg <samba at lindenberg.one>; samba at lists.samba.org
Subject: Re: [Samba] freeradius on dc?

On Tue, 2022-11-29 at 22:31 +0100, Joachim Lindenberg via samba wrote:
> Hello,
>
> I am wondering whether it is possible / recommended or not, to install
> and use freeradius on a domain controller. The documentation at
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> is about installation/configuration on member servers only.
>
> Any thoughts? What changes on a dc?

It should still just work, as the same winbindd is under the hood and this mode of operation is connected, but running a member server allows more separation of concerns and avoids any DC being 'special'.

VMs or containers are good for this.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions

On 11/30/22 02:01, Joachim Lindenberg via samba wrote:
> Hello Andrew,
> good point. Actually I would love to run freeradius + samba in one or two docker containers. However, while there are descriptions on how to run freeradius in a container, there aren't a lot for a samba member server. Any pointer for that?
> Thanks,
> Joachim
>
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Wednesday, 30 November 2022 00:51
> To: Joachim Lindenberg <samba at lindenberg.one>; samba at lists.samba.org
> Subject: Re: [Samba] freeradius on dc?
>
> On Tue, 2022-11-29 at 22:31 +0100, Joachim Lindenberg via samba wrote:
>> Hello,
>>
>> I am wondering whether it is possible / recommended or not, to install
>> and use freeradius on a domain controller. The documentation at
>> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>> is about installation/configuration on member servers only.
>>
>> Any thoughts? What changes on a dc?
> It should still just work, as the same winbindd is under the hood and this mode of operation is connected, but running a member server allows more separation of concerns and avoids any DC being 'special'.
>
> VMs or containers are good for this.
>
> Andrew Bartlett

I might be able to chime in here: if your DC is RFC2307 compliant, you might be able to treat Samba like OpenLDAP and Heimdal. I used to do this with my old OpenLDAP/Heimdal/Samba 3 setup. I know for a fact the OpenLDAP schema for FreeRadius can be converted and imported into Samba 4 AD, but this "breaks" Samba 4's compatibility with other AD forests wherein actual Windows Servers need the same schema.

On Wednesday, November 30, 2022 2:01:52 AM EST Joachim Lindenberg via samba wrote:
> Hello Andrew,
> good point. Actually I would love to run freeradius + samba in one or two
> docker containers. However, while there are descriptions on how to run
> freeradius in a container, there aren't a lot for a samba member server.
> Any pointer for that? Thanks,
> Joachim
>

I work on a project that is providing OCI container images, example deployments and documentation.

https://github.com/samba-in-kubernetes/samba-container/

We have images for (member) file server, AD DC, client, and just recently added a "toolbox" image for testing and diagnostics. Please don't let the 'kubernetes' in the org name scare you off; the project in question is not K8S specific.

I'd love more feedback and eyes on our project. We've presented some of this work at sambaXP in the past two years FWIW.

> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Wednesday, 30 November 2022 00:51
> To: Joachim Lindenberg <samba at lindenberg.one>; samba at lists.samba.org
> Subject: Re: [Samba] freeradius on dc?
>
> On Tue, 2022-11-29 at 22:31 +0100, Joachim Lindenberg via samba wrote:
> > Hello,
> >
> > I am wondering whether it is possible / recommended or not, to install
> > and use freeradius on a domain controller. The documentation at
> > https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> > is about installation/configuration on member servers only.
> >
> > Any thoughts? What changes on a dc?
>
> It should still just work, as the same winbindd is under the hood and this
> mode of operation is connected, but running a member server allows more
> separation of concerns and avoids any DC being 'special'.
>
> VMs or containers are good for this.
>
> Andrew Bartlett