[Samba] Samba with external SSO

Gergő Vári varigergo07 at gmail.com
Tue May 14 08:39:58 UTC 2024


>That should tell you something.

You're absolutely right on that.

>> - Samba + (sssd) + Winbind + LDAP? Couldn't try this one, as I saw
>> that basically sssd=Winbind (yet there WAS a module for Winbind to
>> use sssd?)
>
>The winbind daemon came first and is used to connect Samba to AD, from
>my understanding it was mostly written by one person. That person then
>went on to work for Red Hat, where they wrote sssd to connect to
>FreeIPA, using the winbind code as a base, in fact, sssd still requires
>some of the Samba packages to function.

Thanks for clearing that up!

>> 
>> ...and this is where I got stuck.
>> 
>> What would I need to connect Authentik and Samba together without AD
>> being the central place where I store users? (As two-way sync isn't
>> in Authentik atm. with AD)
>
>There is your (and Authentik's) problem, AD is the source of truth, it
>is where users, groups and computers etc are stored, it is where
>passwords are stored (in an unreadable unicode hash). In other words,
>AD must be in charge. This is not to say that you could not set up an
>external LDAP server and sync users & passwords between it and AD, but
>it will be, in my opinion, a lot of work for little return, especially
>as there are other SSO providers that work with AD directly.

I see, there's the reason that I struggle with this so much: so this idea has to be put on hold for now.

...but thinking of the broader picture: are there any plans to make this even work, or will AD "have to be in charge" in the foreseeable future too?

Thanks for your answer.

Greg.

