NS8 + DC + File Sharing

Hello NethServer community forum,

I would like to inquire if it is possible to have separate nodes in NS8 for Samba services. Specifically, I am interested in having one dedicated node solely responsible for providing Active Directory services, while another node would handle File Sharing tasks. Currently, I have observed that file sharing is only possible when an internal Samba DC (Domain Controller) is configured.

Is there a way to achieve this separation of Samba nodes within NS8? I would greatly appreciate any guidance or suggestions you can provide.

Thank you for your assistance.

It’s not implemented yet:

1 Like

I would like to separate the ADDC from the File Server too. Would be nice to have such a feature looking at the new Nethserver version working with different nodes.

This is what I normally would do in a pure Windows Server environment: DCs in their own VLAN and the file servers in their own VLAN. Traffic is allowed between VLANs based on bare minimum required (read: firewall rules / exceptions).

1 Like

Sounds like a great concept to load your firewall…
→ A single file server request results in at least 4 (probably more) data-streams over the firewall including routing…

  • Client Auth to AD
  • Client request to FS
  • Auth from FS to AD
  • Client gets response from FS

And as practically all Windows traffic needs to be passed by the firewall, there’s not really any advantage in this, except for much more overhead!

Add to this that most firewalls are not AD-traffic cognizant (they don’t understand or can’t evaluate if that specific user out of that specific group has permissions to request XY from any server or AD)…

I do however agree in middle or larger environments to use one or several dedicated ADs!
But also ONLY virtualized, anything else is time wasting!

My 2 cents
Andy

2 Likes

The main idea is to have one small VM, running AD, which is the heart of the infrastructure. It must just run; the more segregated from the rest of the systems (which I frequently re-configure), the better. I want to have separate VMs for each core function of our network, that can be independently managed.

  1. AD
  2. File server
  3. SQL
  4. Some intranet and ERP webservers
  5. router is already separate hardware based, which is also providing VPN.

I have everything running on Proxmox and can restore small pieces of the infrastructure quickly and efficiently. And also move quickly to another Proxmox machine.

BTW, is there any plan to also support RADIUS in NS? I currently have it manually configured in NS7. It is providing WiFi (WPA2 Enterprise) and VPN authentication to my Ubiquiti router.

1 Like

Hi,

This would be desirable.

Regards…

Uwe

Thanks Andy.

There is normally a performance trade-off - but we build networks where the backbone is at least 10G.

My point is that 10G networks are becoming more and more affordable. Have a look at TP-Link. I bet the Ciscos and Arubas of this world see TP-Link catching up when they look in their rearview mirror :slight_smile:

This means that we want to apply solutions for large networks more and more often to small networks.

For example, we are currently setting up a network for a foundation. We use Pico PCs with 10G interfaces (LAN) as router/firewall and TP-Link switches with 10G interfaces (SFP+). We have no problem with traffic between VLANs. For larger networks we use 19" SuperMicro servers as a router/firewall (that’s a lot of CPU power and 10G connectivity).

1 Like

Are you looking for a NAC?

We use PacketFence (https://www.packetfence.org/) for authentication on switch ports and SSIDs. This is a PacketFence cluster which uses AD for authentication. You can also run PacketFence as a single server - but we found a cluster more reliable.

Not really, but I think it should not be hard to create a module for it!

2 Likes

Not really, but I think it should not be hard to create a module for it!

Is there a place where to submit that feature request? :slight_smile:

You’re already in the right place

Funny thing is that OpenWRT, which the firewall is based on, does have RADIUS, but during implementation RADIUS was dropped by the Neth dev team. Was it a complex endeavour or development overhead?

Sure thing, as a module it is also something workable and worthwhile. We are still waiting for more complex modules implemented in NethServer, to have a better understanding of how to implement such modules in NS8.

1 Like

Could you please share how to configure NS7 to act as a RADIUS server?

Hi!

I used the instructions by kellerman from: Nethserver-freeradius integration module - #33 by kellerman

Has been working around a year already and survived all updates.

In /etc/raddb/policy.d/canonicalization I changed the apostrophes to quotation marks:
nai_regexp = "^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$"

2 Likes
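To check which User-Name forms the nai_regexp quoted in the post above lets through before pointing WiFi or VPN clients at the server, here is an added example (not part of the original thread and not NethServer or FreeRADIUS code). The function names and sample user names are constructed, and `grep -E` / `sed -E` stand in for the server's own regex engine as an assumption.

```shell
#!/bin/sh
# Added example: exercises the nai_regexp value quoted in the thread.
# nai_valid, nai_realm and nai_report are hypothetical helper names.
NAI_RE='^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$'

# nai_valid NAME: exit 0 if NAME as a whole matches the expression.
nai_valid() {
    # grep works line by line, so refuse embedded newlines up front.
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$NAI_RE"
}

# nai_realm NAME: print capture group 3 (the realm); empty when no realm.
# Returns 1 without printing when NAME does not match.
nai_realm() {
    nai_valid "$1" || return 1
    printf '%s\n' "$1" | sed -E "s/$NAI_RE/\3/"
}

# Walk a few constructed user names and show the decision for each.
nai_report() {
    for name in 'alice' 'alice@example.org' 'alice@localhost' \
                'alice@@example.org' 'alice@.org' 'alice@example..org'; do
        if realm=$(nai_realm "$name"); then
            printf 'accept  %-20s realm=%s\n' "$name" "${realm:-<none>}"
        else
            printf 'reject  %-20s\n' "$name"
        fi
    done
}

nai_report
```

The last sample is accepted with realm `example..org`, because the trailing character class also admits dots; a realm without any dot, such as `localhost`, is rejected.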