Samba Active Directory as Authelia's SSO Authentication Backend

This article explains how to configure Samba Active Directory as Authelia’s authentication backend via LDAP. This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server with dockerized or virtualized services.

This article is part of a mini-series about running Samba Active Directory and a file server service in a Docker container on a home server:

Please read the first article of this mini-series before proceeding.

Create Users and Groups in Samba AD

All commands in this section are run on the Samba AD DC. Exec into the container to run them (docker exec -it samba bash).

Create OUs for Your Objects

Creating your own organizational unit structure is not required, but it’s a good practice not to mix your own AD objects with the directory’s default users and groups.

# Base OU: OU=My,DC=ad,DC=internal
samba-tool ou add "OU=My"
# OU for user accounts: OU=Users,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Users,OU=My"
# OU for service accounts: OU=Service-Accounts,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Service-Accounts,OU=My"
# OU for groups: OU=Groups,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Groups,OU=My"

Create a User

samba-tool user add USERNAME --use-username-as-cn --given-name=FIRSTNAME --surname=LASTNAME --mail-address=EMAIL --userou="OU=Users,OU=My"

Notes

  • Without --use-username-as-cn, samba-tool builds the CN from the given name and surname (the display name), so the user’s DN becomes CN=FIRSTNAME LASTNAME,OU=Users,OU=My,DC=ad,DC=internal. With the option, the DN is CN=USERNAME,OU=Users,OU=My,DC=ad,DC=internal, which is easier to refer to in filters and ACLs.
  • For security reasons, we don’t specify the password on the command line: a password passed as an argument ends up in the shell history and is visible to every other process on the host through the process list. Without it, samba-tool prompts for the password.

Inspect User Account Properties

Run the following command to inspect all properties of the newly-created user:

samba-tool user show USERNAME

This lists properties like the following:

  • dn (distinguished name, i.e. the object’s position in the directory tree)
  • objectSid (the security identifier that Windows ACLs, and Samba’s own directory ACLs, refer to)
  • sAMAccountName (the pre-Windows 2000 logon name; Authelia’s activedirectory implementation matches the login name against this attribute by default)
  • userPrincipalName (the user@domain style logon name)

Create a Group

samba-tool group add GROUPNAME --groupou="OU=Groups,OU=My"

You can inspect a group’s properties in the same way as you can a user’s (see above).

Add a User to a Group

samba-tool group addmembers GROUPNAME USERNAME

# List members with:
samba-tool group listmembers GROUPNAME

Configure Samba AD as Authelia’s Authentication Backend

Allow Unencrypted LDAP Connections

By default (ldap server require strong auth = yes), Samba rejects simple binds, which is what Authelia performs, unless the connection is protected by TLS or by an integrity-protected SASL mechanism. That would be great if it didn’t involve having to deal with certificates. Samba creates its own self-signed certificate, but that is valid for 700 days only. As I don’t want authentication to suddenly fail after 700 days, I disabled the requirement for LDAPS. The trade-off is that the service account’s password, and the password of every user who logs in through Authelia, now crosses the Docker network in cleartext, where anything with a foothold on that network can capture it. I accept that because the authentication traffic never leaves my home server. Do not copy this setting if the DC and Authelia run on different hosts, or if containers you don’t fully trust share the same Docker network; in that case keep LDAPS and point tls certfile and tls keyfile in smb.conf at a longer-lived certificate from your own CA instead.

Add the following to the [global] stanza of Samba’s configuration file config/smb.conf:

ldap server require strong auth = no

Restart Samba to apply the change.

Create a Service User Account in AD

Authelia needs a user account to bind to AD via LDAP. The account must be able to search the directory, which any authenticated account can do by default, and, if you want Authelia’s password reset feature, to reset other users’ passwords. Membership in Administrators is the quick way to get the latter, but be aware of what it means: the password in Authelia’s secrets file (and, with unencrypted LDAP, on the wire) then grants full control of the domain, so protect it like a domain admin password.

# Create a service account; specify a password at the prompt
samba-tool user add authelia_svc --userou="OU=Service-Accounts,OU=My"

# Add the service account to the group Administrators
samba-tool group addmembers Administrators authelia_svc
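As an added example that is not part of the original post, the script below delegates only the Reset Password control access right to authelia_svc instead of adding it to Administrators. It uses samba-tool’s dsacl subcommand with an explicit SDDL ACE, because an ACE that should cover the user objects below the OU needs the container-inherit and inherit-only flags and the GUIDs of the User-Force-Change-Password right and of the user class (well-known Active Directory constants). The OU names follow this article’s layout; the SID of the service account is read from the directory at run time. Like the rest of this section, it is meant to be run inside the samba container.

```shell
#!/bin/sh
# Added example (not from the original post): grant authelia_svc only the
# "Reset Password" right on user objects below the Users OU, instead of
# Administrators membership. Run inside the samba container.
set -eu

# Assumed layout, taken from this article.
USERS_OU="OU=Users,OU=My,DC=ad,DC=internal"
SVC_ACCOUNT="authelia_svc"

# Well-known AD GUIDs: the User-Force-Change-Password control access right
# and the schemaIDGUID of the "user" object class.
RESET_PASSWORD_RIGHT="00299570-246d-11d0-a768-00aa006e0529"
USER_CLASS="bf967aba-0de6-11d0-a285-00aa003049e2"

# Build the SDDL ACE: object-specific allow (OA) of a control access right (CR)
# for RESET_PASSWORD_RIGHT, inherited by descendant containers (CI), applying
# to descendant user objects only (IO), for the trustee SID given as $1.
reset_password_ace() {
    printf '(OA;CIIO;CR;%s;%s;%s)' "$RESET_PASSWORD_RIGHT" "$USER_CLASS" "$1"
}

# Read the service account's SID (S-1-5-21-...) from the directory.
service_account_sid() {
    samba-tool user show "$SVC_ACCOUNT" --attributes=objectSid \
        | awk '/^objectSid:/ {print $2}'
}

delegate_reset_password() {
    sid=$(service_account_sid)
    samba-tool dsacl set --objectdn="$USERS_OU" --sddl="$(reset_password_ace "$sid")"
    # A service account whose password expires with the domain's maximum
    # password age would break logins just as an expired certificate would.
    samba-tool user setexpiry "$SVC_ACCOUNT" --noexpiry
    # Check: the new ACE must show up in the D: part of the descriptor.
    samba-tool dsacl get --objectdn="$USERS_OU"
}

# Only apply when explicitly asked to: ./delegate.sh apply
if [ "${1:-}" = "apply" ]; then
    delegate_reset_password
fi
```

With this in place, authelia_svc can search the directory like any authenticated account and can reset passwords of users below OU=Users,OU=My, but nothing else; if you already added it to Administrators, remove it again with samba-tool group removemembers. Test a password reset through Authelia’s web UI afterwards, since the reset is the only operation that needs more than read access.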

Configure Authelia’s Authentication Backend

If you previously used lldap, as I did, replace Authelia’s authentication backend configuration with the following. Otherwise, add it.

Authelia container-vars.env File

Create or modify the following AUTHELIA_AUTHENTICATION_BACKEND_LDAP settings in container-vars.env:

AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldap://dc1.ad.internal:389
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=ad,dc=internal
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN=OU=Users,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN=OU=Groups,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=CN=authelia_svc,OU=Service-Accounts,OU=My,dc=ad,dc=internal

# Secrets: Authelia reads them from the specified files.
# This way, the secrets are not part of any process' environment.
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD

Authelia LDAP Password

Edit the file secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD, paste the password of the service user account you created earlier, and restrict the file’s permissions so that only the user Authelia runs as can read it.

Authelia YAML Configuration File

Add or replace the authentication_backend section of Authelia’s config file config/configuration.yml with the following, and remove any file backend that is still configured there, since Authelia accepts exactly one authentication backend:

authentication_backend:
  ldap:
    implementation: activedirectory

Restart Authelia

Restart Authelia’s Docker container and inspect the logs:

docker compose down
docker compose up -d
docker compose logs --tail 100 --timestamps
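Before trusting Authelia’s log output, it helps to reproduce what Authelia does with a standalone LDAP client. The script below is an added example, not part of the original post: it binds as the service account with a simple bind, looks a user up below the users DN with a simplified form of the default user filter of Authelia’s activedirectory implementation, and then lists the user’s groups below the groups DN. It assumes OpenLDAP’s ldapsearch is installed on the host, that the DC is reachable as dc1.ad.internal, and the DNs and secrets path from this article. The filter escaping helper is my own addition.

```shell
#!/bin/sh
# Added example (not from the original post): check the bind and the searches
# Authelia will perform, using OpenLDAP's ldapsearch. Run on the Docker host.
set -eu

# Values from this article (assumed layout).
LDAP_URL="ldap://dc1.ad.internal:389"
BASE_DN="DC=ad,DC=internal"
USERS_DN="OU=Users,OU=My,$BASE_DN"
GROUPS_DN="OU=Groups,OU=My,$BASE_DN"
BIND_DN="CN=authelia_svc,OU=Service-Accounts,OU=My,$BASE_DN"
# ldapsearch -y passes the file verbatim, trailing newline included, so write
# the secret without one.
PASSWORD_FILE="secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD"

# Simplified form of Authelia's default activedirectory users_filter: match the
# login name against sAMAccountName or mail, require a normal user account
# (sAMAccountType 805306368) that is not disabled (userAccountControl bit 0x2,
# tested with the LDAP_MATCHING_RULE_BIT_AND OID).
user_filter() {
    printf '(&(|(sAMAccountName=%s)(mail=%s))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' "$1" "$1"
}

# Groups that list the user's DN as a member.
groups_filter() {
    printf '(&(member=%s)(objectClass=group))' "$1"
}

# Escape the characters RFC 4515 reserves in filter values, so a login name
# typed by a user cannot change the structure of the filter.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

check_user() {
    # $1: the login name exactly as it would be typed into Authelia.
    filter=$(user_filter "$(escape_filter_value "$1")")
    dn=$(ldapsearch -LLL -x -H "$LDAP_URL" -D "$BIND_DN" -y "$PASSWORD_FILE" \
             -b "$USERS_DN" -s sub "$filter" dn \
         | awk '/^dn:/ {sub(/^dn: /, ""); print}')
    [ -n "$dn" ] || { echo "user $1 not found below $USERS_DN" >&2; return 1; }
    echo "user DN: $dn"
    # Only groups below GROUPS_DN are visible to Authelia with this article's
    # configuration; built-in groups in CN=Users will not be listed here.
    ldapsearch -LLL -x -H "$LDAP_URL" -D "$BIND_DN" -y "$PASSWORD_FILE" \
        -b "$GROUPS_DN" -s sub "$(groups_filter "$dn")" cn
}

# Usage: ./check-ldap.sh USERNAME
if [ $# -eq 1 ]; then
    check_user "$1"
fi
```

A bind error here means the service account password or DN is wrong, or Samba still requires strong auth; an empty user result means the account lives outside OU=Users,OU=My or is disabled; an empty group list means the groups you want to use in Authelia’s access rules are not below OU=Groups,OU=My.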
