sssd a AzureAD wrapper a samba

https://github.com/ahaenggli/AzureAD-LDAP-wrapper

docker-compose.yaml

# Runs the AzureAD-LDAP-wrapper (https://github.com/ahaenggli/AzureAD-LDAP-wrapper),
# which presents Azure AD users/groups over plain LDAP so that the sssd clients
# configured below can resolve and authenticate them.
version: '3.2'
services:
  azuread-ldap-wrapper:
    # Floating tag; pin a version or digest for reproducible, auditable deploys.
    image: ahaen/azuread-ldap-wrapper:latest
    container_name: azuread-ldap-wrapper
    environment:
      TZ: "Europe/Prague"
      # Azure app-registration credentials ("xxx" are placeholders here).
      # AZURE_APP_SECRET is a secret: prefer an env_file or Docker secret over
      # an inline value in a compose file that may end up in version control.
      AZURE_TENANTID: "xxx"
      AZURE_APP_ID: "xxx"
      AZURE_APP_SECRET: "xxx"
      LDAP_DOMAIN: "sspu-opava.cz"
      # Bind account in "user|password" form. The same password is repeated as
      # ldap_default_authtok in every client's sssd.conf — rotate both together.
      LDAP_BINDUSER: "ldapsearch|ldapsearch123"
      # Debug output presumably includes request details; disable once it works.
      LDAP_DEBUG: "true"
      # NOTE(review): per the author's remark, "true" would let accounts that
      # require MFA authenticate with only a password through this LDAP path —
      # keep it false unless that is an accepted risk.
      GRAPH_IGNORE_MFA_ERRORS: "false" # set this to true to bypass MFA
      DSM7: "true" # set this to false if you are running DSM 6 or lower      
    ports:
      # Unencrypted LDAP published on host port 389; the clients bind with
      # ldap://…:389 (see sssd.conf), so bind and user passwords cross this link
      # in cleartext. Restrict the port with a firewall to the client network.
      - 389:13389
    volumes:
      - /data/azuread-ldap/app:/app/.cache

a na klientovi linux sssd

# Client packages: sssd-ad/sssd-tools provide sssd and sssctl; realmd and adcli
# are AD-join tools and are presumably unused by the ldap-provider config below.
sudo apt install sssd-ad sssd-tools realmd adcli
# configuration goes into /etc/sssd/sssd.conf

# sssd domain backed by the AzureAD-LDAP-wrapper. The wrapper speaks plain LDAP,
# so id_provider/auth_provider are ldap; the krb5_*, realmd_* and ad_* lines are
# presumably left over from an AD template and ignored by the ldap providers
# (verify against sssd.conf(5) before relying on any of them).
[domain/external_ldap]
krb5_store_password_if_offline = True
krb5_realm = LDAP.SSPU-OPAVA.CZ
krb5_validate = false
realmd_tags = manages-system joined-with-adcli
ad_server = ldap.sspu-opava.cz
ad_domain = ldap.sspu-opava.cz
ad_gpo_access_control = permissive
auto_private_groups = true
# NOTE(review): no access_provider is set in this domain, and sssd's default is
# "permit". simple_allow_groups only applies with access_provider = simple and
# ldap_access_filter only with access_provider = ldap, so as written every user
# the wrapper returns may log in. Add `access_provider = ldap` to enforce the
# group restriction in ldap_access_filter below.
simple_allow_groups = users
###The below common parameters and values should not be changed
ignore_group_members = True
ldap_user_object_class = posixAccount
#userObjectClass = posixAccount # not allowed in this 
ldap_schema = AD
ldap_group_name = memberOf
#ldap_group_name = sAMAccountName
ldap_user_name = sAMAccountName
auth_provider = ldap
ldap_rfc2307_fallback_to_local_users = True
ldap_referrals = False
override_homedir = /home/%u
ldap_network_timeout = 3
ldap_opt_timeout = 60
# Enables offline logins by caching credential hashes in the sssd cache
# (/var/lib/sss/db); treat that directory as sensitive.
cache_credentials = True
entry_cache_group_timeout = 0
entry_cache_user_timeout = 0
ldap_search_timeout = 30
id_provider = ldap
entry_cache_timeout = 600
case_sensitive = False
ldap_id_mapping = false
#ldap_id_mapping = True # this does not work for me
#ldap_group_attribute =
#debug_level = 10
# Duplicates of cache_credentials / ldap_referrals set above (same values).
# Keep a single copy: some sssd versions warn on or reject duplicate keys, and
# two copies can silently drift apart.
cache_credentials = true
ldap_referrals = false
###Supplied from Input
# Intended to limit logins to members of cn=ucitele_wifi; only enforced once
# access_provider = ldap is set (see note near simple_allow_groups).
ldap_access_filter = (&(objectclass=posixaccount)(memberOf=cn=ucitele_wifi,cn=groups,dc=sspu-opava,dc=cz))
# Plain ldap:// on 389: the bind password below and user passwords sent during
# authentication travel the network unencrypted. Enabling TLS needs the
# commented ldap_tls_* / ldap_id_use_start_tls options and a wrapper that
# serves TLS.
ldap_uri = ldap://ldap.sspu-opava.cz:389
ldap_user_search_base = dc=sspu-opava,dc=cz
ldap_default_bind_dn = uid=ldapsearch
#ldap_tls_reqcert = demand
#ldap_id_use_start_tls = True
#ldap_tls_cacert = /nz/caCert/ca_cert.pem
#ldap_group_search_base = ou=groups,dc=sspu-opava,dc=cz?subtree?(cn=ssh_access)
ldap_group_search_base = DC=sspu-opava,DC=cz?subtree?(&(objectclass=group))
# Cleartext bind password (same as LDAP_BINDUSER in docker-compose). The file
# must stay root-only, mode 0600; sssd checks the file permissions at startup.
ldap_default_authtok = ldapsearch123
#ldap_default_authtok = ldappw
# Explicitly permits password authentication over the non-TLS connection; the
# option name itself says it is not for production. Remove once TLS is set up.
ldap_auth_disable_tls_never_use_in_production=true
# NOTE(review): the next line is not a valid "key = value" entry (stray word
# "adding") and may make the config fail to parse; it presumably should read
# `implicit_pac_responder = false`. `sssctl config-check` reports such lines.
adding implicit_pac_responder = false 
[sssd]
services = nss, sudo, ssh, pam
domains = external_ldap

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]
#debug_level = 10

[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]

a jeste autocreate home directory

# /etc/pam.d/common-session

# add this line: creates the home directory on first login from /etc/skel.
# umask=0022 yields mode 0755 homes readable by every local user; use
# umask=0077 if home directories should be private.
session required	pam_mkhomedir.so skel=/etc/skel umask=0022

Omezeni zatim autopridani nazvu skupin (groups)

Pomocne prikazy na testovani

#restart sssd
# Clearing /var/lib/sss/db drops the whole sssd cache, including the credential
# hashes kept by cache_credentials = True, so offline logins stop working until
# each user authenticates online again. Useful after editing sssd.conf.

service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start

#check a user: NSS lookup, confirms the uid/gid mapping and group membership

id [uzivatel]

# End-to-end authentication test for one user (user@domain or bare user name).
sssctl user-checks -a=auth [user@domena] nebo [user]

# sssd logs, e.g. journalctl -u sssd; raise debug_level in sssd.conf for detail.
journalctl

Samba

https://copyprogramming.com/howto/samba-file-server-ad-sssd-without-winbind