ahaenggli/AzureAD-LDAP-wrapper

How to configure standalone Samba instead of Synology?

dabit20 opened this issue · 2 comments

I am trying to use the AzureAD-LDAP-wrapper to authenticate users on a Samba fileserver. We do use Duo MFA, and I needed to add AADSTS50158 to the list of MFA errors to be ignored when GRAPH_IGNORE_MFA_ERRORS is configured.

I do have another question which is not an issue, however. The wrapper itself works fine after ignoring AADSTS50158; I am able to authenticate users in a Proxmox VE UI against the LDAP directory and I do see valid sambaNTPassword hashes appearing. So far so good.
However, I am totally confused on how to set up Samba to work with the directory produced by the wrapper. It is not a domain controller, but it is not an empty LDAP directory that can be filled at will either. I am getting up to the point where smbldap-userlist/smbldap-grouplist/net getlocalsid/net getdomainsid etc. work fine, but I don't know how to continue from there.
Can you provide some pointers or guidance maybe?
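As an added example (not part of this thread and not configuration shipped by the AzureAD-LDAP-wrapper project), the following is a minimal standalone-server smb.conf that reads accounts from an existing LDAP directory through Samba's ldapsam passdb backend, which is the backend that consumes the sambaNTPassword/sambaSID attributes the question mentions. The wrapper's listen address, base DN, user and group containers and admin DN are assumptions and must be replaced with whatever your wrapper instance actually publishes.

```ini
# Added example; not the project's own configuration.
# Assumed values (replace with your wrapper's real ones):
#   LDAP URL      ldap://127.0.0.1:13389
#   base DN       dc=domain,dc=tld
#   users under   cn=users,dc=domain,dc=tld
#   groups under  cn=groups,dc=domain,dc=tld
#   bind DN       cn=root,dc=domain,dc=tld
[global]
   workgroup = WORKGROUP
   server role = standalone server
   security = user

   # Take accounts from the LDAP directory instead of local tdb files.
   passdb backend = ldapsam:ldap://127.0.0.1:13389
   ldap suffix = dc=domain,dc=tld
   ldap user suffix = cn=users
   ldap group suffix = cn=groups
   ldap admin dn = cn=root,dc=domain,dc=tld

   # Plain LDAP: the directory serves NT hashes, so keep the listener
   # on localhost or a private network; use start tls / ldaps:// where
   # the server supports it.
   ldap ssl = off

   # The directory is read-only from Samba's point of view: never try
   # to write password changes or delete entries back into it.
   ldap passwd sync = no
   ldap delete dn = no

   # Refuse NTLMv1 so the LDAP-sourced hashes are only used for NTLMv2.
   ntlm auth = ntlmv2-only

[share]
   path = /srv/samba/share
   # Groups must be visible via smbldap-grouplist / net groupmap for this
   # to resolve; replace with a group that exists in the directory.
   valid users = @fileserver-users
   read only = no
```

Usage: store the bind password for `ldap admin dn` with `smbpasswd -w <password>` (it goes into Samba's root-only secrets.tdb, not smb.conf), run `testparm` to syntax-check the file, then `pdbedit -L` should list the directory's users and `net getlocalsid` / `net getdomainsid` should still return the SID the thread already reports as working. From a defender's point of view the important property of this setup is that whoever can bind as the admin DN, or sniff the unencrypted LDAP link, can read every user's NT hash, so restrict the wrapper's listener to the Samba host and treat that bind password like a domain credential.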

Duo MFA seems to be used only with Premium subscription and is activated via Conditional Access, correct?
What would be against adding the wrapper as an exception for MFA? (I'll exclude the error code too, but I'm wondering why you chose the ENV variable when it could be solved in Conditional Access...)

Samba:
I have no idea. I use the wrapper for my Synology NAS myself. Once LDAP is connected there, I can set permissions on the folders/shares for my users.

Hi,
Thanks for the quick answer!

As far as I know we do not have a premium subscription, just the regular one that comes with Office365. But I am not 100% sure; I am not the manager of the active directory. Regarding Samba: no problem; I will google and try a bit more.

Thanks for the software anyway! It helps.