[Samba] Samba with external SSO

Rowland Penny rpenny at samba.org
Tue May 14 08:48:25 UTC 2024


On Tue, 14 May 2024 08:39:58 +0000
Gergő Vári via samba <samba at lists.samba.org> wrote:

> 
> >That should tell you something.
> 
> You're absolutely right on that.
> 
> >> - Samba + (sssd) + Winbind + LDAP? Couldn't try this one, as I saw
> >> that basically sssd=Winbind (yet there WAS a module for Winbind to
> >> use sssd?)
> >
> >The winbind daemon came first and is used to connect Samba to AD,
> >from my understanding it was mostly written by one person. That
> >person then went on to work for Red Hat, where they wrote sssd to
> >connect to FreeIPA, using the winbind code as a base, in fact, sssd
> >still requires some of the Samba packages to function.
> 
> Thanks for clearing that up!
> 
> >> 
> >> ...and this is where I got stuck.
> >> 
> >> What would I need to connect Authentik and Samba together without
> >> AD being the central place where I store users? (As two-way sync
> >> isn't in Authentik atm. with AD)
> >
> >There is your (and Authentik's) problem, AD is the source of truth, it
> >is where users, groups and computers etc are stored, it is where
> >passwords are stored (in an unreadable unicode hash). In other words,
> >AD must be in charge. This is not to say that you could not set up an
> >external LDAP server and sync users & passwords between it and AD,
> >but it will be, in my opinion, a lot of work for little return,
> >especially as there are other SSO providers that work with AD
> >directly.
> 
> I see, there's the reason that I struggle with this so much: so this
> idea has to be put on hold for now.
> 
> ...but thinking of the broader picture: are there any plans to make
> this even work or will AD "have to be in charge" in the foreseeable
> future too?
> 

You would have to take that up with Microsoft. Samba is trying to be
fully compatible with Microsoft AD and that has been the source of
truth for nearly 25 years, so I do not realistically expect it to
change.

Rowland
 


