We have an SSO/SAML-enabled Nextcloud.
We are using external storage to map an SMB/CIFS share.
The only way I can get the SMB share working is if I enable the “Log-in Credentials, save in database” authentication option.
But this is not a safe approach and has security concerns around it.
Is there any other way by which we can use Kerberos tickets for authentication?
I.e. so that the users don’t have to enter credentials to access the SMB share and the credentials are not stored on the server?
Good day! Did anyone get it to work?
In my case, LDAP works successfully, and I got authorization through Kerberos working (LDAP accounts matched successfully with REMOTE_USER only after lowercasing the REALM).
The most important thing left is to open the SMB folder as the authorized user.
But it’s not clear what is meant by a Kerberos ticket. As I understand it, when Kerberos is configured, the browser delegates who I am to the web server, so the ticket should already be there.
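As an added illustration of what "a Kerberos ticket" means for this use case (this is not code from the thread or from Nextcloud): a Kerberos credential cache holds one service ticket per service principal. When the browser authenticates with SPNEGO, the web server ends up proving that the user holds a ticket for its own HTTP/ principal; that ticket cannot be used to open an SMB share, which needs a ticket for the file server's cifs/ principal, obtainable only if the server also holds the user's (delegated) TGT. The script below parses klist-style output and reports which of the three situations the cache is in. The klist text, host names and realm are constructed samples modelled on MIT Kerberos output, not captured from any real system.

```python
import re
from datetime import datetime

# Constructed sample modelled on MIT Kerberos `klist` output (not captured from a real host):
# a cache that holds the user's TGT plus a ticket for the web server's HTTP/ principal.
SAMPLE_CACHE_WITH_TGT = """\
Ticket cache: FILE:/tmp/krb5cc_33
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2025 09:00:00  01/15/2025 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/15/2025 09:00:05  01/15/2025 19:00:00  HTTP/nextcloud.example.com@EXAMPLE.COM
"""

# Constructed sample: what a web server typically sees after plain SPNEGO authentication
# with no delegation, i.e. only a ticket for itself and no TGT for the user.
SAMPLE_CACHE_HTTP_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_33
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2025 09:00:05  01/15/2025 19:00:00  HTTP/nextcloud.example.com@EXAMPLE.COM
"""

# Fixed "now" values so the example is deterministic: one inside the tickets' lifetime, one after it.
NOW = datetime(2025, 1, 15, 12, 0, 0)
LATER = datetime(2025, 1, 15, 20, 0, 0)

# A ticket row: "<date> <time>  <date> <time>  <service principal>"
TICKET_LINE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")
# klist prints 2- or 4-digit years depending on version/locale; accept both.
DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")


def _parse_stamp(text: str) -> datetime:
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_klist(output: str) -> dict:
    """Parse klist-style text into {'principal': str, 'tickets': [{'service','starts','expires'}]}."""
    cache = {"principal": None, "tickets": []}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            cache["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_LINE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        try:
            starts, expires = _parse_stamp(m.group(1)), _parse_stamp(m.group(2))
        except ValueError:
            continue  # e.g. the column-header row, which is not a ticket
        cache["tickets"].append({"service": m.group(3), "starts": starts, "expires": expires})
    return cache


def find_live_ticket(cache: dict, service_prefix: str, now: datetime):
    """Return the first unexpired ticket whose service principal starts with service_prefix."""
    for t in cache["tickets"]:
        if t["service"].startswith(service_prefix) and t["starts"] <= now < t["expires"]:
            return t
    return None


def smb_access_status(cache: dict, fileserver: str, now: datetime) -> str:
    """Classify what the cache allows for an SMB share on `fileserver`:
    'service-ticket' : a live cifs/<fileserver> ticket exists, the share can be opened as the user;
    'tgt-only'       : no cifs/ ticket yet, but a live TGT means one can be requested from the KDC;
    'none'           : neither (e.g. only an HTTP/ ticket), so no password-less access is possible."""
    if find_live_ticket(cache, f"cifs/{fileserver}@", now):
        return "service-ticket"
    if find_live_ticket(cache, "krbtgt/", now):
        return "tgt-only"
    return "none"


if __name__ == "__main__":
    for label, text in (("with TGT", SAMPLE_CACHE_WITH_TGT), ("HTTP only", SAMPLE_CACHE_HTTP_ONLY)):
        cache = parse_klist(text)
        print(label, cache["principal"], smb_access_status(cache, "fileserver.example.com", NOW))
```

On a real host you would feed it the output of `klist` run as the web server user (the cache name is set by `KRB5CCNAME`); a result of `none` for the HTTP-only cache is exactly the situation the thread describes, where the server was authenticated but holds nothing it could present to the file server.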
How did you get GSSAPI to work? Do you have a description? I managed to use GSSAPI for authentication on apache2, but it is not working for Nextcloud.
What are the settings I need to use in the SSO app?
What are the settings I need to use for the users (currently I try to use local users that have the same name as the Kerberos principals)?
For users looking for a solution for SSO/Kerberos integration of Nextcloud, here is an important update:
Using FreeIPA + Keycloak this has been working before (I guess).
With Authentik as of 10/2024, there is now another solution to fully integrate Nextcloud via FreeIPA + Kerberos.
What you have to do, in short:
Install FreeIPA, set up an AD with users in it
Connect clients/hosts to the domain (e.g. on Linux using ipa-client, SSSD + Kerberos), which lets the users log on to the domain
Set up Authentik
Sync LDAP with FreeIPA, set up SPNEGO to authenticate in Authentik
Connect Nextcloud to Authentik via OIDC
That’s it. Have fun