Kerberos Authentication for SSO

Hi

We have an SSO/SAML-enabled Nextcloud.
We are using external storage to map an SMB/CIFS share.
The only way I can get the SMB share working is if I enable the “Log-in Credentials, save in database” authentication option.
But this is not a safe approach and has security concerns around it.
Is there any other way by which we can use Kerberos tickets for authentication?
I.e. so that users don’t have to enter their credentials to access the SMB share and the credentials are not stored on the server?

Thanks
Dinesh

Hi,

We have the same situation/problem here.
Did you already find a solution for this?

Kind Regards,

Gert Goos

Same here.

Good day! Did anyone get it to work?
In my case, LDAP works successfully, and I got authorization through Kerberos working (LDAP accounts matched successfully with REMOTE_USER only after lowercasing the REALM).
The most important thing left is to open the SMB folder as the authorized user.
But it’s not clear what is meant by a Kerberos ticket. As I understand it, when Kerberos is configured, the browser delegates who I am to the web server, so the ticket should already be there.


It’s an old thread but I’ll answer anyway.
After some debugging I found a solution that works for me.

What worked for me:
Install the GSSAPI module for Apache2 (apt install libapache2-mod-auth-gssapi).

Then enable the “Kerberos ticket Apache mode” authentication option.
Leave “Domain” blank and use the default domain instead.
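To make the answer above concrete, here is an added Apache configuration example (not the poster's own config and not from Nextcloud's documentation) showing how mod_auth_gssapi is set up to authenticate the browser with Kerberos and delegate the user's ticket to the web server, which is the ticket that the SMB “Kerberos ticket Apache mode” then reuses. The hostname, keytab path, document root and ccache directory are assumptions.

```apache
# Added example, not from the thread. Assumed values: the vhost name,
# /var/www/nextcloud, the keytab path and the ccache directory.
# Assumes the keytab holds the HTTP/nextcloud.example.com principal and
# that the SSO app runs in environment-variable mode reading REMOTE_USER.
<VirtualHost *:443>
    ServerName nextcloud.example.com
    DocumentRoot /var/www/nextcloud

    <Location />
        AuthType GSSAPI
        AuthName "Nextcloud Kerberos login"
        # Accept Kerberos only and never fall back to Basic auth, which
        # would send the user's password to the server and defeat the
        # purpose of not storing credentials there
        GssapiAllowedMech krb5
        GssapiBasicAuth Off
        # Service keytab; keep it readable only by the Apache user
        GssapiCredStore keytab:/etc/apache2/nextcloud.keytab
        # Map the principal to a local name via krb5 auth_to_local rules
        # (by default the realm is stripped) so REMOTE_USER matches the
        # Nextcloud user id
        GssapiLocalName On
        # Store the delegated ticket in a per-request ccache and export
        # KRB5CCNAME to the request environment; this is what Nextcloud's
        # Kerberos ticket Apache mode consumes. The directory must exist,
        # be writable by the Apache user and not be readable by anyone
        # else, since it holds the users' forwarded tickets
        GssapiDelegCcacheDir /var/run/apache2/clientcaches
        GssapiDelegCcacheUnique On
        Require valid-user
    </Location>
</VirtualHost>
```

Login succeeds even when nothing is delegated, so if the SMB mount still fails, check that the HTTP service account is permitted to delegate in the domain and that the browser allows delegation to this host.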

How did you get gssapi to work? Do you have a description? I managed to get gssapi working as authentication on apache2, but it is not working for nextcloud.
What are the settings I need to use in the SSO app?
What are the settings I need to use for the users (currently I am trying to use local users that have the same name as the Kerberos principals)?