[Samba] Samba "pass" authentication to OpenID or SAML (external)

Andrew Bartlett abartlet at samba.org
Fri Oct 11 03:15:57 UTC 2019

On Thu, 2019-10-10 at 21:24 -0300, Thiago Anderson Santos via samba
> Hello everyone,
> I received a somewhat strange and complicated demand today.
> The idea of the manager is to use samba as a domain server but the
> directory tree (authentication and authorization of users) is on an
> external SAML server using keycloak. The samba will pass only GPO.
> Is this possible?
> As far as I've seen samba works the version of Windows Active
> Directory as well, and I've used it a lot as a domain server
> authenticating and authorizing users in addition to group policies.
> Thank you all,

Sadly not, but I certainly wish this kind of thing were possible.  The
primary barrier is that (Windows) clients expect a KDC for Kerberos,
and not this modern world of web authentication.

The reverse has been done however, which is to have Keycloak back onto
Samba AD using our LDAP server. 

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
