Kerberos Authentication for SSO


We have a SSO/SAML enabled nextcloud.
We are using external storage to map SMB/CIFS share.
The only way I can get smb share working is, if I enable the “Log-in Credentials, save in database” authentication option.
But this is not a safe approach and has security concerns around it.
Is there any other way by which we can use kerberos tickets for authentication?
I.e. so the users don’t have to enter the credentials to access the SMB share and the credentials are not stored on the server?



We have the same situation/problem here.
Did you already found a solution for this ?

Kind Regards,

Gert Goos

Same Here.

Good day! Did anyone get to work?
In my case, LDAP works successfully, made friends with authorization through Kerberos (LDAP accounts matched successfully with REMOTE_USER only after lowering REALM in lowercase)
The most important thing left is to open the SMB folder as an authorized user
But it’s not clear what is meant by Kerberos ticket, as I understand it, when Kerberos is configured, the browser delegates who I am to the web server, then the ticket should already appear

1 Like

It’s an old thread but I’ll answer anyway.
After some debugging I found a solution that works for me.

What worked for me:
Install GSSAPI module for Apache2 (apt install libapache2-mod-auth-gssapi).

And enable Kerberos ticket apache mode.
Leave “Domain” blank and use default domain instead.