Non Synology non container setup
doubleddav opened this issue · 3 comments
Hi,
I've been experimenting with this on an Alpine VM. So far so good, I have the wrapper running happily in the background.
I was wondering how to link this to the system, such that either:
- Azure AD users could log in via ssh
- This could be integrated into Samba
I'm assuming Synology are using an openldap client and maybe something like sssd to link all of this together?
Thanks
Hey,
I think you are on the right track. Synology uses a few of its own implementations for the permissions (because the users might be "mixed" locally and externally). I would consider the LDAP-wrapper like an openldap server and google accordingly how you could use an openldap server to connect SSH and samba... If I read the Synology samba config correctly, they use NT4 mode and as you guessed SSSD seems also to be configured. Hope this gets you further! :)
Thanks for getting back to me :-)
I'll do a bit more digging as I have time and see if I can get this working - sans Synology. I might document what I do as well somewhere.
To get some hints, I don't suppose you could pull out the samba and sssd config files from the Synology for me to have a look at?
Thanks
Sure, hope it helps you:
smb.conf

```ini
[global]
printcap name=cups
winbind enum groups=yes
include=/var/tmp/nginx/smb.netbios.aliases.conf
ldap admin dn=uid=root
encrypt passwords=yes
workgroup=WORKGROUP
min protocol=SMB2
ldap ssl=Off
security=user
local master=no
realm=*
ldap passwd sync=yes
ldap suffix=dc=domain,dc=tld
passdb backend=multi:smbpasswd,ldapsam:ldap://127.0.0.1
syno ldap support=yes
printing=cups
max protocol=SMB3
winbind enum users=yes
load printers=yes
admin users=@WORKGROUP\Domain Admins,@WORKGROUP\Enterprise Admins
```
sssd.conf

```ini
[sssd]
reconnection_retries = 3
sbus_timeout = 30
domains = domain.tld
config_file_version = 2
debug_level = 1
services = nss, pam
[nss]
filter_groups=root
filter_users=root
reconnection_retries=2
memcache_timeout=300
entry_cache_nowait_percentage=50
debug_level=1
[pam]
reconnection_retries=3
offline_credentials_expiration=2
offline_failed_login_attempts=2
offline_failed_login_delay=50
debug_level=1
# Example LDAP domain
[domain/domain.tld]
id_provider = ldap
nss_nested_groups = yes
auth_provider = ldap
ldap_schema = rfc2307bis
entry_cache_timeout = 5400
ldap_default_authtok_type = syno_secret
gidmap_max = 0
case_sensitive = preserving
ldap_search_base = dc=domain,dc=tld
ldap_id_use_start_tls = false
uidmap_max = 0
debug_level = 1
ssl = no
ldap_group_nesting_level = 5
ldap_pwd_policy = shadow
ldap_auth_disable_tls_never_use_in_production = true
ldap_tls_reqcert = never
gidmap_min = 0
ldap_uri = ldap://127.0.0.1
ldap_tls_cacertdir = /etc/ssl/certs
uidmap_min = 0
ldap_default_bind_dn = uid=root
# ldap_tls_key=/var/lib/ldap/ldapclient.key
# ldap_tls_cert=/var/lib/ldap/ldapclient.crt
```
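As an added example (not posted by either participant and not part of the wrapper project): a minimal `/etc/sssd/sssd.conf` for a plain Linux host such as the Alpine VM, derived from the Synology dump above with the Synology-only keys (`syno_secret`, the uid/gid map options) dropped and the two TLS-disabling settings replaced. It assumes the wrapper is reachable on loopback with base `dc=domain,dc=tld` and the `uid=root` bind account from the posted config, and that a TLS endpoint on 636 (hypothetical; the page does not say whether the wrapper itself speaks ldaps) fronts it; the group name and CA path are placeholders.

```ini
# /etc/sssd/sssd.conf - must be root-owned, mode 0600, or sssd refuses to start
[sssd]
config_file_version = 2
services = nss, pam
domains = domain.tld

[nss]
# never let a directory entry shadow the local root account
filter_users = root
filter_groups = root

[pam]
# keep cached credentials 2 days so SSH login survives a short wrapper outage
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/domain.tld]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=domain,dc=tld
# assumed TLS endpoint in front of the wrapper; a plaintext ldap://127.0.0.1
# would instead need ldap_auth_disable_tls_never_use_in_production = true
# and ldap_tls_reqcert = never, as in the Synology dump, and should then
# never leave loopback
ldap_uri = ldaps://127.0.0.1:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ldap-wrapper-ca.pem
# lookup bind account as in the posted config; the secret lives in this file,
# hence the 0600 mode above
ldap_default_bind_dn = uid=root
ldap_default_authtok_type = password
ldap_default_authtok = CHANGE-ME
# restrict SSH access to one directory group instead of every account
access_provider = simple
simple_allow_groups = ssh-users
# account settings the wrapper may not supply
fallback_homedir = /home/%u
default_shell = /bin/sh
cache_credentials = true
enumerate = false

# Companion steps outside this file: add "sss" to the passwd, group and shadow
# lines of /etc/nsswitch.conf, enable pam_sss (pam-auth-update / authselect,
# or edit the PAM stack by hand on Alpine) and keep "UsePAM yes" in
# /etc/ssh/sshd_config.
```

Check the result with `getent passwd <ldap user>` and `ssh <ldap user>@host`; if the lookup works but the login fails, the PAM stack rather than sssd is usually the missing piece.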