Advice Needed on Samba Shares and AD Authentication in Entra Migration

By
William Rossbach
-
0
4
Asked By TechieWizard93 On

I'm currently working with a Samba file share set up on an Ubuntu VM in Google Compute Engine that authenticates users via Active Directory (AD). We've got a setup where Windows PCs map the shares automatically while Mac users sign in with their AD credentials through 'Connect To Server'. We've been managing user access with uidNumber and gidNumber properties assigned to AD accounts via PowerShell scripts. Now, as we're transitioning from a hybrid Intune/Entra setup to fully using Intune, Autopilot, and Entra, I have specific questions on how to navigate this change. How do I set up Entra for user authentication with Linux file shares? Will Samba still play a role in mapping drives? If we consider Google Workspace for authentication, should we stick with Entra? Also, how can I ensure the uid/gid mapping from AD aligns with Entra accounts, and what's the best way to automate new ID assignments for new accounts?

2 Answers

Answered By ServerSavvy47 On

From what I gather, you'll still need to utilize PAM, Kerberos, and other services to bridge Samba with Entra or any AD setup. This isn't so much about Samba dropping SSSD support but rather how Linux manages authentication in general. You might want to look into using SSSD or Ubuntu Landscape for better integration with your Samba shares.

Also, it's worth noting that if your Samba host can work against an actual Active Directory Domain Controller, the functional needs become easier to manage. If you're fully committed to Entra ID, that's definitely the way to go.

Answered By GadgetGuru88 On

It sounds like your current issues might be related to the 'ad' winbind backend you’re using. If you shifted to the 'rid' backend, Samba would automatically handle user and group mappings, so you wouldn’t need that PowerShell scripting. Just a thought! If you’ve locked in on the 'ad' backend, you could potentially switch, but it might complicate things since you’d have to reconfigure parts of your setup.

Changing it could save you some work in the long run, but be careful—there are limits to the 'rid' backend when you're dealing with complex domains.

Related Questions

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.