by: Helge, published: Jun 30, 2024, updated: Sep 14, 2024

Samba Active Directory as Authelia’s SSO Authentication Backend

This article explains how to configure Samba Active Directory as Authelia’s authentication backend via LDAP. This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server with dockerized or virtualized services.

This article is part of a mini-series about running Samba Active Directory and a file server service in a Docker container on a home server.

Please read the first article of this mini-series before proceeding.

Create Users and Groups in Samba AD

All commands in this section are run on the Samba AD DC. Exec into the container to run them (docker exec -it samba bash).

Create OUs for Your Objects

Creating your own organizational unit structure is not required, but it’s a good practice not to mix your own AD objects with the directory’s default users and groups.

# Base OU: OU=My,DC=ad,DC=internal
samba-tool ou add "OU=My"
# OU for user accounts: OU=Users,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Users,OU=My"
# OU for service accounts: OU=Service-Accounts,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Service-Accounts,OU=My"
# OU for groups: OU=Groups,OU=My,DC=ad,DC=internal
samba-tool ou add "OU=Groups,OU=My"

Create a User

samba-tool user add USERNAME --use-username-as-cn --given-name=FIRSTNAME --surname=LASTNAME --mail-address=EMAIL --userou="OU=Users,OU=My"

Notes

  • Without --use-username-as-cn the user’s surname is used as CN.
  • For security reasons, we don’t specify the password on the command line, prompting samba-tool to ask for it.

Inspect User Account Properties

Run the following command to inspect all properties of the newly created user:

samba-tool user show USERNAME

This lists properties like the following:

  • dn (distinguished name)
  • objectSid (Windows security ID used in ACLs)
  • sAMAccountName (classic Windows user name)
  • userPrincipalName (modern Windows user name)

Create a Group

samba-tool group add GROUPNAME --groupou="OU=Groups,OU=My"

You can inspect a group’s properties in the same way as you can a user’s (see above).

Add a User to a Group

samba-tool group addmembers GROUPNAME USERNAME

# List members with:
samba-tool group listmembers GROUPNAME

Configure Samba AD as Authelia’s Authentication Backend

Allow Unencrypted LDAP Connections

By default, Samba requires LDAP connections to be encrypted by TLS. That would be great if it didn’t involve having to deal with certificates. Samba creates its own self-signed certificate, but that is valid for 700 days only. As I don’t want authentication to suddenly fail after 700 days, I disabled the need for LDAPS. This is not insecure because the authentication traffic never leaves my home server.

Add the following to the [global] stanza of Samba’s configuration file config/smb.conf:

ldap server require strong auth = no

Restart Samba to apply the change.
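What this setting permits on the wire, as an added example that is not part of the original article: with strong auth turned off, Samba accepts a DN-and-password bind (LDAP simple bind) on port 389 without TLS, and that bind carries both values as plain octet strings. The helper names and the sample password below are constructed for illustration; the encoding follows the BindRequest definition in RFC 4511.

```python
# Added example: BER-encode an LDAPv3 simple BindRequest (RFC 4511) to show
# which bytes travel over an unencrypted ldap:// connection.

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def simple_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    bind = tlv(0x60,                                # [APPLICATION 0] BindRequest
               ber_int(3)                           # protocol version 3
               + tlv(0x04, bind_dn.encode())        # name: the bind DN
               + tlv(0x80, password.encode()))      # authentication: [0] simple
    return tlv(0x30, ber_int(msg_id) + bind)

def visible_to_observer(packet: bytes, secret: str) -> bool:
    """True if the secret appears verbatim in the bytes on the wire."""
    return secret.encode() in packet

BIND_DN = "CN=authelia_svc,OU=Service-Accounts,OU=My,dc=ad,dc=internal"
SAMPLE_PASSWORD = "constructed-sample-password"  # constructed, not a real secret

if __name__ == "__main__":
    pkt = simple_bind_request(1, BIND_DN, SAMPLE_PASSWORD)
    print(pkt.hex())
    print("password readable:", visible_to_observer(pkt, SAMPLE_PASSWORD))
```

Anything that can capture traffic between the Authelia and Samba containers sees these bytes, so the setting is only as safe as the network path between the two.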

Create a Service User Account in AD

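Authelia needs a user account to bind to AD via LDAP. The account needs permissions to search the directory and reset passwords. The commands below grant these by adding it to the Administrators group, which carries considerably more rights than those two permissions.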

# Create a service account; specify a password at the prompt
samba-tool user add authelia_svc --userou="OU=Service-Accounts,OU=My"

# Add the service account to the group Administrators
samba-tool group addmembers Administrators authelia_svc

Configure Authelia’s Authentication Backend

If you previously used lldap, as I did, replace Authelia’s authentication backend configuration with the following. Otherwise, add it.

Authelia container-vars.env File

Create or modify the following AUTHELIA_AUTHENTICATION_BACKEND_LDAP settings in container-vars.env:

AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldap://dc1.ad.internal:389
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=ad,dc=internal
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN=OU=Users,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN=OU=Groups,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=CN=authelia_svc,OU=Service-Accounts,OU=My,dc=ad,dc=internal

# Secrets: Authelia reads them from the specified files.
# This way, the secrets are not part of any process' environment.
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
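A pre-restart check for these settings, as an added example that is not code from the article or from the Authelia project: it shows the effective search bases Authelia builds by prepending the ADDITIONAL_*_DN values to BASE_DN, and reports a cleartext address, a bind DN outside the base DN, or an inline password. The function names are hypothetical and the DN comparison assumes no escaped commas.

```python
# Added example: sanity-check the LDAP settings in container-vars.env
# before restarting the Authelia container.
from urllib.parse import urlsplit

P = "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_"

# Copy of the article's settings, embedded so the check runs offline.
SAMPLE = """\
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldap://dc1.ad.internal:389
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=ad,dc=internal
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN=OU=Users,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN=OU=Groups,OU=My
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=CN=authelia_svc,OU=Service-Accounts,OU=My,dc=ad,dc=internal
# Secrets: Authelia reads them from the specified files.
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
"""

def parse_env(text):
    """KEY=VALUE lines; blank lines and # comments are skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def rdns(dn):
    """Naive DN split for comparison; assumes no escaped commas."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def search_base(env, kind):
    """ADDITIONAL_<kind>_DN is prepended to BASE_DN for searches."""
    extra = env.get(f"{P}ADDITIONAL_{kind}_DN", "")
    return ",".join(x for x in (extra, env[f"{P}BASE_DN"]) if x)

def lint(env):
    findings = []
    url = urlsplit(env[f"{P}ADDRESS"])
    if url.scheme == "ldap":
        findings.append(f"cleartext LDAP to {url.hostname}:{url.port or 389}")
    base, user = rdns(env[f"{P}BASE_DN"]), rdns(env[f"{P}USER"])
    if user[-len(base):] != base:
        findings.append("bind DN is outside BASE_DN")
    if f"{P}PASSWORD" in env:
        findings.append("password set inline; use PASSWORD_FILE")
    elif f"{P}PASSWORD_FILE" not in env:
        findings.append("no bind password configured")
    return findings

if __name__ == "__main__":
    env = parse_env(SAMPLE)
    print(search_base(env, "USERS"), "|", search_base(env, "GROUPS"))
    print(lint(env))
```

For the article's configuration the only finding is the cleartext address, which matches the decision made in the Samba section above.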

Authelia LDAP Password

Edit the file secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD and paste the password of the service user account you created earlier.

Authelia YAML Configuration File

Add or replace the authentication_backend section of Authelia’s config file config/configuration.yml with the following:

authentication_backend:
  ldap:
    implementation: activedirectory

Restart Authelia

Restart Authelia’s Docker container and inspect the logs:

docker compose down
docker compose up -d
docker compose logs --tail 100 --timestamps
