Thiago Anderson Santos
2019-Oct-11 00:24 UTC
[Samba] Samba "pass" authentication to OpenID or SAML (external)
Hello everyone,

I received a somewhat strange and complicated demand today.

The idea of the manager is to use Samba as a domain server, but the directory tree (authentication and authorization of users) is on an external SAML server using Keycloak. Samba will pass only GPO.

Is this possible?

As far as I've seen, Samba works as the version of Windows Active Directory as well, and I've used it a lot as a domain server authenticating and authorizing users in addition to group policies.

Thank you all,
Thiago
Andrew Bartlett
2019-Oct-11 03:15 UTC
[Samba] Samba "pass" authentication to OpenID or SAML (external)
On Thu, 2019-10-10 at 21:24 -0300, Thiago Anderson Santos via samba wrote:
> Hello everyone,
> I received a somewhat strange and complicated demand today.
>
> The idea of the manager is to use samba as a domain server but the
> directory tree (authentication and authorization of users) is on an
> external SAML server using keycloak. The samba will pass only GPO.
>
> Is this possible?
>
> As far as I've seen samba works the version of Windows Active
> Directory as
> well, and I've used it a lot as a domain server authenticating and
> authorizing users in addition to group policies.
>
> Thank you all,

Sadly not, but I certainly wish this kind of thing were possible. The primary barrier is that (Windows) clients expect a KDC for Kerberos, and not this modern world of web authentication.

The reverse has been done however, which is to have Keycloak back onto Samba AD using our LDAP server.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
Thiago Anderson Santos
2019-Oct-11 09:51 UTC
[Samba] Samba "pass" authentication to OpenID or SAML (external)
Thanks, I believe I will need to do an ADFS for this kind of authentication. I found nothing documented about federation service; is it possible to do with Samba?

Thiago

On Fri, 11 Oct 2019 00:16, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2019-10-10 at 21:24 -0300, Thiago Anderson Santos via samba
> wrote:
> > Hello everyone,
> > I received a somewhat strange and complicated demand today.
> >
> > The idea of the manager is to use samba as a domain server but the
> > directory tree (authentication and authorization of users) is on an
> > external SAML server using keycloak. The samba will pass only GPO.
> >
> > Is this possible?
> >
> > As far as I've seen samba works the version of Windows Active
> > Directory as
> > well, and I've used it a lot as a domain server authenticating and
> > authorizing users in addition to group policies.
> >
> > Thank you all,
>
> Sadly not, but I certainly wish this kind of thing were possible. The
> primary barrier is that (Windows) clients expect a KDC for Kerberos,
> and not this modern world of web authentication.
>
> The reverse has been done however, which is to have Keycloak back onto
> Samba AD using our LDAP server.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba