Samba Active Directory as Authelia's SSO Authentication Backend

This article explains how to configure Samba Active Directory as Authelia’s authentication backend via LDAP. This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server with dockerized or virtualized services.

This article is part of a mini-series about running Samba Active Directory and a file server service in a Docker container on a home server:

Please read the first article of this mini-series before proceeding.

Create Users and Groups in Samba AD

All commands in this section are run on the Samba AD DC. Exec into the container to run them (docker exec -it samba bash).

Create OUs for Your Objects

Creating your own organizational unit structure is not required, but it’s a good practice not to mix your own AD objects with the directory’s default users and groups.

# Base OU: OU=My,DC=ad,DC=internal
samba-tool ou add "OU=My"
# OU for user accounts: OU=Users,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Users,OU=My"
# OU for service accounts: OU=Service-Accounts,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Service-Accounts,OU=My"
# OU for groups: OU=Groups,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Groups,OU=My"

Create a User

samba-tool user add USERNAME --use-username-as-cn --given-name=FIRSTNAME --surname=LASTNAME --mail-address=EMAIL --userou="OU=Users,OU=My"

Notes

  • Without --use-username-as-cn, the user’s surname is used as the CN.
  • For security reasons, we don’t specify the password on the command line; samba-tool prompts for it instead.

Inspect User Account Properties

Run the following command to inspect all properties of the newly-created user:

samba-tool user show USERNAME

This lists properties like the following:

  • dn (distinguished name)
  • objectSid (Windows security ID used in ACLs)
  • sAMAccountName (classic Windows user name)
  • userPrincipalName (modern Windows user name)

Create a Group

samba-tool group add GROUPNAME --groupou="OU=Groups,OU=My"

You can inspect a group’s properties in the same way as a user’s (see above).

Add a User to a Group

samba-tool group addmembers GROUPNAME USERNAME

# List members with:
samba-tool group listmembers GROUPNAME

Configure Samba AD as Authelia’s Authentication Backend

Allow Unencrypted LDAP Connections

By default, Samba requires LDAP connections to be encrypted by TLS (details). That would be great if it didn’t involve having to deal with certificates. Samba creates its own self-signed certificate, but that is valid for 700 days only. As I don’t want authentication to suddenly fail after 700 days, I disabled the need for LDAPS. This is not insecure because the authentication traffic never leaves my home server.

Add the following to the [global] stanza of Samba’s configuration file config/smb.conf:

ldap server require strong auth = no

Restart Samba to apply the change.

Create a Service User Account in AD

Authelia needs a user account to bind to AD via LDAP. The user needs permissions to search the directory and reset passwords.

# Create a service account; specify a password at the prompt
samba-tool user add authelia_svc --userou="OU=Service-Accounts,OU=My"

# Add the service account to the group Administrators
samba-tool group addmembers Administrators authelia_svc

Configure Authelia’s Authentication Backend

If you previously used lldap, as I did, replace Authelia’s authentication backend configuration with the following. Otherwise, add it.

Authelia container-vars.env File

Create or modify the following AUTHELIA_AUTHENTICATION_BACKEND_LDAP settings in container-vars.env:

AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldap://dc1.ad.internal:389
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=ad,dc=internal
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN=OU=Users,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN=OU=Groups,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=CN=authelia_svc,OU=Service-Accounts,OU=My,dc=ad,dc=internal

# Secrets: Authelia reads them from the specified files.
# This way, the secrets are not part of any process' environment.
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD

Authelia LDAP Password

Edit the file secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD and paste the password of the service user account you created earlier.

Authelia YAML Configuration File

Add or replace the authentication_backend section of Authelia’s config file config/configuration.yml with the following:

authentication_backend:
  ldap:
    implementation: activedirectory

Restart Authelia

Restart Authelia’s Docker container and inspect the logs:

docker compose down
docker compose up -d
docker compose logs --tail 100 --timestamps
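As an added example (not code from this article, and not Authelia’s or Samba’s own), the following standard-library Python script performs a pre-flight check of the bind Authelia will make: an LDAPv3 simple bind over ldap:// as the service account, followed by the server’s result code. It uses the host, bind DN and secret-file path from the settings above; the names check_bind, parse_bind_response and RESULT_NAMES are the example’s own. Because the request is encoded by hand, it also shows what the smb.conf change above permits: the service account password is an unprotected OCTET STRING inside the BindRequest, so this path is exactly as private as the network between the two containers.

```python
"""Pre-flight check of Authelia's LDAP simple bind against the Samba AD DC.

Standard library only (no ldap3 / python-ldap), so it runs wherever python3
exists, e.g. inside the Samba container. Added example, not part of the
article, Authelia or Samba.
"""
import socket

# Values mirroring the container-vars.env settings from the article.
LDAP_HOST = "dc1.ad.internal"          # AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS
LDAP_PORT = 389
BASE_DN = "dc=ad,dc=internal"
BIND_DN = "CN=authelia_svc,OU=Service-Accounts,OU=My," + BASE_DN
PASSWORD_FILE = "/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD"  # assumed: adjust to your copy

# RFC 4511 result codes that matter for this check.
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    """One BER TLV: tag octet, length octets, content."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n):
    """BER INTEGER (two's complement, minimal length) for the small values used here."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return ber(0x02, body)


def bind_request(message_id, dn, password):
    """LDAPMessage carrying a BindRequest with 'simple' authentication.

    BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] OCTET STRING }
    The password is a plain OCTET STRING: on ldap:// nothing protects it in transit.
    """
    auth = ber(0x80, password.encode("utf-8"))                          # [0] simple, primitive
    op = ber(0x60, ber_int(3) + ber(0x04, dn.encode("utf-8")) + auth)   # [APPLICATION 0]
    return ber(0x30, ber_int(message_id) + op)                          # outer SEQUENCE


def ber_read(buf, pos):
    """Decode one TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the octet count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage holding a BindResponse."""
    tag, msg, _ = ber_read(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = ber_read(msg, 0)            # messageID
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x61:                         # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp 0x%02x" % tag)
    _, code, pos = ber_read(op, 0)          # resultCode ENUMERATED
    _, _, pos = ber_read(op, pos)           # matchedDN (ignored)
    _, diag, _ = ber_read(op, pos)          # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def check_bind(host, port, dn, password, timeout=5.0):
    """Bind once, send an UnbindRequest, return (resultCode, name, diagnosticMessage)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)                              # a BindResponse is a few dozen bytes
        sock.sendall(ber(0x30, ber_int(2) + b"\x42\x00"))   # UnbindRequest: [APPLICATION 2] NULL
    code, diag = parse_bind_response(data)
    return code, RESULT_NAMES.get(code, "other"), diag


if __name__ == "__main__":
    with open(PASSWORD_FILE, "r", encoding="utf-8") as f:
        password = f.read().rstrip("\n")    # test the value as typed, without an editor's newline
    code, name, diag = check_bind(LDAP_HOST, LDAP_PORT, BIND_DN, password)
    print(f"bind as {BIND_DN}: resultCode={code} ({name}) {diag}".rstrip())
```

Run it somewhere dc1.ad.internal resolves, with PASSWORD_FILE pointing at your copy of the secret. Result code 49 (invalidCredentials) means the DN or password is wrong; result code 8 (strongerAuthRequired) means the DC still insists on TLS or SASL, i.e. the smb.conf change above has not taken effect.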
