
How to enable the "Samba Schema" on Authentik LDAP Provider?

Open shanelord01 opened this issue 2 years ago • 8 comments

Describe your question: How do I enable the "Samba Schema" in the Authentik LDAP Provider when connecting a Synology NAS to it?

Relevant info: Connecting Synology DSM to the LDAP Provider on Authentik, I am going through the Synology joining wizard and it is warning me that the LDAP server does not support the Samba Schema.

The Synology wizard says it can resolve it, but its resolution is to revert the Synology to using SMB1 instead of SMB2 or SMB3, reducing its security (known exploits in SMB1) and compatibility with recent Windows versions. This is NOT ideal.

Screenshots: two screenshots of the Synology wizard, taken 2023-07-03 (images not reproduced).

Need some assistance on how to add this schema to the Authentik LDAP Provider please!

Logs: n/a

Version and Deployment (please complete the following information):

  • authentik version: 2023.5.4
  • Deployment: docker-compose

Additional context: I have used the "Custom" profile for the LDAP server (other options are "Standard", which is Synology native, "IBM Lotus Domino" and "Open Directory"). Mapping via the edit button is as follows (without which it fails to pass the "Check Profile" step):

filter
  passwd : (objectClass=user)
  group : (objectClass=group)
group
  cn :
  gidNumber :
  memberUid : member
passwd
  uidNumber :
  uid : cn
  userPassword : (objectClass=user)
  gidNumber :

shanelord01 avatar Jul 03 '23 05:07 shanelord01

Found this but (a) not sure if it is relevant info and (b) I wouldn't know how to apply this info in a form that could make Authentik work.

https://ubuntu.com/server/docs/samba-openldap-backend

shanelord01 avatar Jul 10 '23 11:07 shanelord01

Being able to add additional LDAP schemas (Samba and others for specific LDAP-y applications/structures) in the Customisation section and then being able to assign/extend them to one or more Federation/Social sources would be fantastic for LDAP Outposts. [ties directly to #6063]

StewRed avatar Jul 11 '23 00:07 StewRed

This issue remains unresolved. For now I'll use alternative solutions. I'll reconsider if and when a developer deems the request worthy enough to even respond to.

shanelord01 avatar Aug 20 '23 03:08 shanelord01

+1 on @StewRed's suggestion above. Also running into this issue with my Synology NAS.

Filtered Users and Groups from Authentik are syncing fine via the LDAP provider. Users log in the NAS, but authentication via SMB is not working as it seems that the password attribute is not available / mapped.

SpitFireRSA avatar Feb 19 '24 09:02 SpitFireRSA

Did someone find a workaround, possibly with a 3rd party linked between Synology/TrueNAS and Authentik?

abeggled avatar Apr 21 '24 08:04 abeggled

> Did someone find a workaround, possibly with a 3rd party linked between Synology/TrueNAS and Authentik?

No. Unfortunately no movement. I posted a few times on Discord for support, but no response on this one.

SpitFireRSA avatar Apr 21 '24 09:04 SpitFireRSA

Same issue, although I'll try connecting SMB to PAM, and PAM to LDAP.

(If I understand correctly that's possible.)

gregistech avatar May 12 '24 04:05 gregistech

Just to add, I pursued many avenues.

The Samba team made it clear to me that they'll stick to Microsoft's rules: Active Directory IS THE SOURCE OF TRUTH. (See https://lists.samba.org/archive/samba/2024-May/248707.html)

As such, even this LDAP connection method is being phased out (basically already is) along with SMBv1.

(The reason is that a clear-text password is never sent to the server, thus most Unix tools can't be used here.)

The only ways I can think to solve this

  • Authentik accepts that AD is king and uses it as the source of truth
  • Authentik does a 2-way sync with AD
  • Connect the LDAP outpost to sssd, turn enumeration ON in sssd, periodically put in the LDAP passwords of every user with smbpasswd

The first seems inconvenient, and I'd avoid that.

The second seems inconvenient AND unreliable: out of sync issues and such could come up.

The third feels hacky and inefficient.

All options lack TOTP. (Maybe with the 3rd option, but that'd be even funnier: we'd constantly update smbpasswd with every rotation.)

gregistech avatar May 20 '24 16:05 gregistech

I don't know which part in particular DSM is not happy with, but our schema is relatively close to active directory's schema. However even if we had the identical schema to active directory I'm relatively sure that "joining" a DSM to authentik wouldn't work, as the LDAP outpost is read only, and IIRC DSM attempts an AD-like join to create a computer object.

As a partial alternative you can set up DSM to authenticate to authentik with OIDC: https://docs.goauthentik.io/integrations/services/synology-dsm/

BeryJu avatar Jul 11 '24 16:07 BeryJu
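A way to see what a directory actually advertises before running the DSM wizard, added here as an example and not code from authentik or Synology: it parses the `cn=Subschema` entry that `ldapsearch` returns (with LDIF line folding) and reports whether the Samba objectClasses and attributes, and `userPassword`, are listed. The LDIF samples are constructed, and the set of names DSM's "Samba Schema" check requires is an assumption.

```python
import re

# Constructed sample (not a dump from authentik) of a cn=Subschema entry as printed by
# `ldapsearch -s base -b cn=Subschema '(objectClass=*)' objectClasses attributeTypes`.
SUBSCHEMA_NO_SAMBA = """\
dn: cn=Subschema
attributeTypes: ( 2.5.4.35 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
objectClasses: ( 1.2.840.113556.1.5.9 NAME 'user' SUP top STRUCTURAL )
objectClasses: ( 1.2.840.113556.1.5.8 NAME 'group' SUP top STRUCTURAL )
"""
# Same server with samba.schema loaded; the folded line exercises LDIF unfolding.
SUBSCHEMA_WITH_SAMBA = SUBSCHEMA_NO_SAMBA + """\
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY )
"""
# Assumption about what a Samba-style passdb (and DSM's check) needs; compared case-insensitively.
SAMBA_CLASSES = {"sambasamaccount", "sambagroupmapping"}
SAMBA_ATTRS = {"sambasid", "sambantpassword"}

def unfold(ldif):
    # LDIF folds long values: a line starting with one space continues the previous line.
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def schema_names(ldif, schema_attr):
    """Lower-cased NAMEs of every definition listed under objectClasses or attributeTypes."""
    names = set()
    for line in unfold(ldif):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == schema_attr.lower():
            m = re.search(r"NAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", value)
            if m:
                names.update(n.lower() for n in re.findall(r"'([^']*)'", m.group(1)))
    return names

def check_samba_schema(ldif):
    """Report whether the subschema advertises the Samba classes/attributes and userPassword."""
    classes, attrs = schema_names(ldif, "objectClasses"), schema_names(ldif, "attributeTypes")
    return {
        "samba_schema": SAMBA_CLASSES <= classes and SAMBA_ATTRS <= attrs,
        "missing_classes": sorted(SAMBA_CLASSES - classes),
        "missing_attributes": sorted(SAMBA_ATTRS - attrs),
        "userPassword_exposed": "userpassword" in attrs,
    }
```

Run the same check against a live subschema dump to confirm whether the wizard's warning reflects a missing schema or a missing password attribute, since the two need different fixes.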