[Samba] Samba with external SSO

Rowland Penny rpenny at samba.org
Tue May 14 07:58:24 UTC 2024


On Tue, 14 May 2024 07:29:25 +0000
Gergő Vári via samba <samba at lists.samba.org> wrote:

> Hi!
> 
> My goal is to connect Authentik to Samba (running on Ubuntu).
> 
> What I tried (with no success):
> - Samba directly to the LDAP outpost (as Authentik can expose its
> internal DB like that): this would/will work but Authentik can't use
> the Samba scheme at the moment.

I wouldn't rely on the samba ldap schema anyway. It is mainly meant for
the old NT4-style PDCs, and they rely on SMBv1; there is a good
chance they will be removed at some point, as they are deprecated already.

> - Samba -> PAM -> sssd -> LDAP outpost: in theory this worked a long
> time ago (SMBv1?) but as the password is not sent in the clear (as I
> understand it's nonce-based) this is not a possible solution (+
> somewhere it was explicitly stated sssd support was dropped)

That should tell you something.

> - Samba + (sssd) + Winbind + LDAP? Couldn't try this one, as I saw
> that basically sssd=Winbind (yet there WAS a module for Winbind to
> use sssd?)

The winbind daemon came first and is used to connect Samba to AD; from
my understanding it was mostly written by one person. That person then
went on to work for Red Hat, where they wrote sssd to connect to
FreeIPA, using the winbind code as a base. In fact, sssd still requires
some of the Samba packages to function.

> 
> ...and this is where I got stuck.
> 
> What would I need to connect Authentik and Samba together without AD
> being the central place where I store users? (As two-way sync isn't
> in Authentik atm. with AD)

There is your (and Authentik's) problem: AD is the source of truth. It
is where users, groups, computers etc. are stored, and it is where
passwords are stored (in an unreadable unicode hash). In other words,
AD must be in charge. This is not to say that you could not set up an
external ldap server and sync users & passwords between it and AD, but
it will be, in my opinion, a lot of work for little return, especially
as there are other SSO providers that work with AD directly.

Rowland
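Why the "Samba -> PAM -> sssd -> LDAP bind" chain cannot work with SMB2/3 authentication, as an added illustration that is not part of the thread: the client never transmits the password, only an NTLMv2-style HMAC over a server nonce keyed by the NT hash (the "unreadable unicode hash" above, MD4 over the UTF-16LE password), so the verifier must hold that stored hash, and a backend that can only answer "does this plaintext bind?" has nothing to recompute from. MD4 is implemented inline because hashlib on OpenSSL 3 builds frequently lacks it; user, domain, password and nonce values are constructed for the demo.

```python
import hmac
import os
import struct

def md4(msg: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), inlined since hashlib often lacks MD4 on OpenSSL 3."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, additive constant, word order, shift amounts)
        (F, 0, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """What the directory stores for SMB auth: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, nonce: bytes, blob: bytes) -> bytes:
    """Client side: HMAC-MD5 keyed by the NT hash; the password itself never leaves the client."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(v2_key, nonce + blob, "md5").digest()

def server_verify(stored_nt: bytes, user: str, domain: str, nonce: bytes, blob: bytes, resp: bytes) -> bool:
    """Server side: recompute from the STORED hash and compare. With only a plaintext
    bind oracle (an LDAP outpost) there is no hash to recompute from, so this step is impossible."""
    return hmac.compare_digest(ntlmv2_response(stored_nt, user, domain, nonce, blob), resp)

def demo() -> tuple:
    # Constructed sample values; a real client blob carries a timestamp and target info.
    user, domain, stored = "alice", "EXAMPLE", nt_hash("correct horse")
    nonce, blob = os.urandom(8), os.urandom(28)
    good = ntlmv2_response(nt_hash("correct horse"), user, domain, nonce, blob)
    bad = ntlmv2_response(nt_hash("wrong"), user, domain, nonce, blob)
    return (server_verify(stored, user, domain, nonce, blob, good),
            server_verify(stored, user, domain, nonce, blob, bad))
```

Because the NT hash alone is enough to produce a valid response, it is a password equivalent, which is why the store holding it (AD) has to be the authoritative one.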
