
[Samba] radius auth to samba


David Bear

Jun 30, 2014, 10:20:01 PM
I want to have samba be the back end provider for authentication to a
radius server. I found
https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD

and wanted to see if this is 'current' and works with samba 4.1.8 -- or if
anyone is using it.

I want to use RADIUS authentication on a firewall and have Samba be the
source for the user accounts. I am using a pfsense firewall. Any
pointers would be greatly appreciated.


--
David Bear
mobile: (602) 903-6476
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Jun 30, 2014, 10:30:01 PM
On Mon, 2014-06-30 at 19:17 -0700, David Bear wrote:
> I want to have samba be the back end provider for authentication to a
> radius server. I found
> https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
>
> and wanted to see if this is 'current' and works with samba 4.1.8 -- or if
> anyone is using it.
>
> I want to use RADIUS authentication on a firewall and have Samba be the
> source for the user accounts. I am using a pfsense firewall. Any
> pointers would be greatly appreciated.

It looks reasonable to me, but I suggest running radius, ntlm_auth and
winbindd on a member server, not on your DC.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

David Bear

Jun 30, 2014, 10:50:01 PM
This hurts because we only have 1 DC -- and don't plan on adding member
servers. We will add 2 more DC's for replication to remote sites. The DC is
only doing samba though -- just as an AD DC.


On Mon, Jun 30, 2014 at 7:21 PM, Andrew Bartlett <abar...@samba.org> wrote:

> On Mon, 2014-06-30 at 19:17 -0700, David Bear wrote:
> > I want to have samba be the back end provider for authentication to a
> > radius server. I found
> > https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
> >
> > and wanted to see if this is 'current' and works with samba 4.1.8 -- or if
> > anyone is using it.
> >
> > I want to use RADIUS authentication on a firewall and have Samba be the
> > source for the user accounts. I am using a pfsense firewall. Any
> > pointers would be greatly appreciated.
>
> It looks reasonable to me, but I suggest running radius, ntlm_auth and
> winbindd on a member server, not on your DC.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba


--
David Bear
mobile: (602) 903-6476

Arun Khan

Jul 1, 2014, 2:00:01 AM
On Tue, Jul 1, 2014 at 7:47 AM, David Bear <dwbe...@gmail.com> wrote:
> I want to have samba be the back end provider for authentication to a
> radius server. I found
> https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
>

This would be VPN authentication with a back end AD/DC (Samba4).

> and wanted to see if this is 'current' and works with samba 4.1.8 -- or if
> anyone is using it.

No clue, but it should work.

> I want to use RADIUS authentication on a firewall and have Samba be the
> source for the user accounts. I am using a pfsense firewall. Any
> pointers would be greatly appreciated.

To the best of my understanding RADIUS authentication is a different
authentication ball game which may use AD/DC or LDAP backends for
authenticating users. In such a case Samba AD/DC would be the
"backend" for your RADIUS server.

Searching for the keywords "radius server active directory" gives the
following, which may be what you are looking for:
<http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO>

HTH,
-- Arun Khan

Bob Miller

Jul 1, 2014, 2:50:01 PM
Hello,

> > I want to use RADIUS authentication on a firewall and have Samba be the
> > source for the user accounts. I am using a pfsense firewall. Any
> > pointers would be greatly appreciated.
>
> It looks reasonable to me, but I suggest running radius, ntlm_auth and
> winbindd on a member server, not on your DC.

I installed radius server right on the DC and built my firewall to use
radiusclient<=>ntlmauth. It doesn't get used a whole lot, but it has
been very reliable for over 18 months.

Andrew, is there any particular reason you recommend separating them? Am
I overlooking something I should be concerned about?

Andrew Bartlett

Jul 2, 2014, 3:50:02 PM
On Tue, 2014-07-01 at 11:36 -0700, Bob Miller wrote:
> Hello,
>
> > > I want to use RADIUS authentication on a firewall and have Samba be the
> > > source for the user accounts. I am using a pfsense firewall. Any
> > > pointers would be greatly appreciated.
> >
> > It looks reasonable to me, but I suggest running radius, ntlm_auth and
> > winbindd on a member server, not on your DC.
>
> I installed radius server right on the DC and built my firewall to use
> radiusclient<=>ntlmauth. It doesn't get used a whole lot, but it has
> been very reliable for over 18 months.
>
> Andrew, is there any particular reason you recommend separating them? Am
> I overlooking something I should be concerned about?

We like to encourage separation of roles, and the
--require-membership-of option doesn't work on the AD DC currently (to
be fixed for 4.2, when we swap to always using winbindd).
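
An added example, not from anyone in this thread and not Samba's or FreeRADIUS's shipped configuration, of how the pieces Andrew names fit together: the FreeRADIUS mschap module on a domain member server calling ntlm_auth with --require-membership-of, so that only members of one AD group can authenticate to the pfSense RADIUS client. The domain name EXAMPLE, the group VPN-Users, the ntlm_auth path and the winbindd_privileged path are placeholders or distribution-dependent assumptions.

```conf
# mods-available/mschap on the domain *member* server, not the DC, as Andrew
# recommends. The host must be joined to the Samba AD domain and winbindd
# must be running here, otherwise ntlm_auth has nothing to talk to.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # ntlm_auth reaches winbindd through the privileged pipe, so the account
    # radiusd runs as needs read access to the winbindd_privileged directory
    # (assumed /var/lib/samba/winbindd_privileged; check your distribution).
    #
    # --require-membership-of is the group restriction. On Samba 4.1 it only
    # works on a member server (see Andrew's note above), so a DC-hosted
    # setup cannot rely on it. The doubled backslash is config-file escaping
    # inside a double-quoted string; ntlm_auth sees EXAMPLE\VPN-Users.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=EXAMPLE\\VPN-Users"
}

# Pre-flight checks to run on the member server before pointing pfSense at it:
#   wbinfo -t                                    # trust account is usable
#   ntlm_auth --domain=EXAMPLE --username=alice --require-membership-of='EXAMPLE\VPN-Users'
# The second command prompts for the password and prints NT_STATUS_OK on
# success; a user outside VPN-Users must be rejected even with the right
# password, which is the behaviour the restriction is meant to guarantee.
```

Keep the RADIUS shared secret and the firewall's client definition in clients.conf scoped to the pfSense address only, so the member server does not become an open authentication oracle for the domain.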