[Samba] Samba "pass" authentication to OpenID or SAML (external)
abartlet at samba.org
Fri Oct 11 18:12:25 UTC 2019
ADFS and Keycloak are both SAML (and similar web authentication
protocol) identity providers; they both provide the web authentication
side of things. When checking passwords, both can be backed by AD.
(They may also be able to trust other web authentication providers.)
Even Microsoft ADFS can't provide AD services to Windows desktops.
I hope this helps you fill out your mental map here.
On Fri, 2019-10-11 at 06:51 -0300, Thiago Anderson Santos wrote:
> I believe I will need to do an ADFS for this kind of authentication.
> I found nothing documented about a federation service; is it
> possible to do this in Samba?
> On Fri, 11 Oct 2019 00:16, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Thu, 2019-10-10 at 21:24 -0300, Thiago Anderson Santos via samba wrote:
> > > Hello everyone,
> > > I received a somewhat strange and complicated demand today.
> > >
> > > The idea of the manager is to use Samba as a domain server but the
> > > directory tree (authentication and authorization of users) is on an
> > > external SAML server using Keycloak. The Samba will pass only GPO.
> > >
> > > Is this possible?
> > >
> > > As far as I've seen Samba works the version of Windows Active
> > > Directory as well, and I've used it a lot as a domain server
> > > authenticating and authorizing users in addition to group policies.
> > >
> > > Thank you all,
> > Sadly not, but I certainly wish this kind of thing were possible. The
> > primary barrier is that (Windows) clients expect a KDC for Kerberos,
> > and not this modern world of web authentication.
> > The reverse has been done however, which is to have Keycloak back onto
> > Samba AD using our LDAP server.
> > Andrew Bartlett
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT