SOLVED Azure AD (Free Microsoft 365 version) and TrueNAS

mgoulet65

Explorer
Joined
Jun 15, 2021
Messages
95
I know it was always complex and / or expensive to enable Azure AD authentication in FreeNAS/TrueNAS. Now that TrueNAS Scale is available, is there any news on this front? I have clients that use Microsoft 365 for office apps and receive free Azure AD with that. The ones that aren't actively using AD (small offices mostly) are starting to embrace using these accounts to authenticate their PC users.

It would be really great if they could also use those accounts to authenticate to TrueNAS for Samba shares. Anyone doing anything with this? Is there a guide anywhere? I haven't seen anything new since 2019.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
It would require some users (with Azure AD support) to test... happy to help someone who is familiar with it.
 

amichelf

Dabbler
Joined
Apr 10, 2020
Messages
24
Hmm, are you talking about cloud-only users authenticating against Scale?
In that case I think the best option would be to create an app in Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
and then federate TrueNAS to accept tokens issued by Azure AD, something similar to this.
Still, I think the users have to be somehow created on the TrueNAS side unless you use SCIM 2.0.
So I think the first thing here would be to allow either OAuth or SAML to be accepted on TrueNAS.
 

mgoulet65

Explorer
Joined
Jun 15, 2021
Messages
95
amichelf said:
Hmm, are you talking about cloud-only users authenticating against Scale?
In that case I think the best option would be to create an app in Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
and then federate TrueNAS to accept tokens issued by Azure AD, something similar to this.
Still, I think the users have to be somehow created on the TrueNAS side unless you use SCIM 2.0.
So I think the first thing here would be to allow either OAuth or SAML to be accepted on TrueNAS.
Thanks for giving me some avenues to research.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
MS-SMB2 Section 1.4 offers some overview of authentication methods supported for SMB protocol:

For authentication, the SMB 2 Protocol relies on Simple and Protected GSS-API Negotiation (SPNEGO), as described in [MS-AUTHSOD] section 2.1.2.3.1 and specified in [RFC4178] and [MS-SPNG], which in turn can rely on the Kerberos Protocol Extensions (as specified in [MS-KILE]) or the NT LAN Manager (NTLM) Authentication Protocol (as specified in [MS-NLMP]).

For these purposes SMB 2 == SMB 3.
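What that SPNEGO negotiation looks like on the wire, as an added example that is not from the thread, TrueNAS or Samba: the security blob a server returns in its SMB2 NEGOTIATE response is a DER-encoded NegTokenInit whose mechTypes list names the mechanisms it will accept, and in practice every entry is a Kerberos or NTLM OID. The script below decodes such a blob and reports whether Kerberos is on offer. The two sample blobs are constructed with the encoder in the same file (shaped like real Windows/Samba tokens, including the negHints entry), not captured traffic.

```python
SPNEGO_OID = "1.3.6.1.5.5.2"

# Mechanism OIDs seen in real mechTypes lists (well-known, not assumed).
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "MS KRB5 (Kerberos, Microsoft OID)",
    "1.2.840.113554.1.2.2": "KRB5 (Kerberos, RFC 4120)",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX (extended negotiation)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP (NTLM)",
}
KERBEROS_OIDS = {"1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"}


def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(data: bytes) -> str:
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value, short-form or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def read_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def build_negtokeninit(mech_oids, hint=b"not_defined_in_RFC4178@please_ignore"):
    """Constructed server token: [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_oids)))
    neg_hints = tlv(0xA3, tlv(0x30, tlv(0xA0, tlv(0x1B, hint))))  # [3] negHints, as Windows sends
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + tlv(0xA0, tlv(0x30, mech_types + neg_hints)))


def spnego_mech_types(blob: bytes) -> list:
    """Walk the token and return mechTypes OIDs in the server's preference order."""
    tag, body, _ = read_tlv(blob)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("mechanism is not SPNEGO")
    tag, neg_token, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit [0]")
    _, seq, _ = read_tlv(neg_token)
    pos = 0
    while pos < len(seq):  # fields of the NegTokenInit SEQUENCE
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = read_tlv(field)
            mechs, p = [], 0
            while p < len(oids):
                _, oid, p = read_tlv(oids, p)
                mechs.append(decode_oid(oid))
            return mechs
    raise ValueError("mechTypes missing")


def offers_kerberos(blob: bytes) -> bool:
    return bool(KERBEROS_OIDS & set(spnego_mech_types(blob)))


# Constructed samples (not captures): a domain-joined server advertises Kerberos
# first; a standalone/workgroup server can only offer NTLM.
DOMAIN_JOINED_BLOB = build_negtokeninit([
    "1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
    "1.3.6.1.4.1.311.2.2.30", "1.3.6.1.4.1.311.2.2.10",
])
STANDALONE_BLOB = build_negtokeninit(["1.3.6.1.4.1.311.2.2.10"])
```

On a live server the same blob is the SecurityBuffer of the SMB2 NEGOTIATE response (Wireshark shows it under GSS-API); feed it to spnego_mech_types() and map the OIDs through MECH_NAMES. A server that is not joined to a Kerberos realm can only list NTLMSSP, which matches the point in the thread: unless the directory can back one of these two mechanisms, there is nothing in the token for it to plug into.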
 

amichelf

Dabbler
Joined
Apr 10, 2020
Messages
24
I believe relevant place to start is here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-suse-linux-vm

Since you need SMB authentication. We use winbindd on the backend, and based on what I see in the SUSE docs, it looks like the existing AD code base should work.
Well, that would mean you enable Azure AD Domain Services in case you want to join AAD and use Kerberos. That requires an AAD P1 license at least, and you need to have the machine connected to AAD through a VNet and/or a Site-to-Site VPN. While this might be doable, it is not free and might be too much overhead IMHO. And you could use SMB with AAD accounts at most, but no other services, as you are bound to what is doable with Kerberos.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
amichelf said:
Well, that would mean you enable Azure AD Domain Services in case you want to join AAD and use Kerberos. That requires an AAD P1 license at least, and you need to have the machine connected to AAD through a VNet and/or a Site-to-Site VPN. While this might be doable, it is not free and might be too much overhead IMHO. And you could use SMB with AAD accounts at most, but no other services, as you are bound to what is doable with Kerberos.
Well, if SMB doesn't work, then there is not much point in integration IMHO.
 

NateroniPizza

Dabbler
Joined
Dec 19, 2022
Messages
14
Any updates on this? Has someone successfully set this up? Looking to try out the free Azure AD solely for directory services (I have no need of group policy) for my personal computers/homelab (as opposed to purchasing licensing and spinning up a local AD server), and looking for ways that it could potentially be used for TrueNAS SMB share auth as well.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
NateroniPizza said:
Any updates on this? Has someone successfully set this up? Looking to try out the free Azure AD solely for directory services (I have no need of group policy) for my personal computers/homelab (as opposed to purchasing licensing and spinning up a local AD server), and looking for ways that it could potentially be used for TrueNAS SMB share auth as well.
The underlying technologies have not changed since the last time this was discussed. SMB authentication basically requires NTLM or Kerberos, which IIRC plain-jane azure AD does not provide.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
From what we understand, even Microsoft's windows server can't use this to manage SMB sharing on a remote site.

I marked this as "solved"... even though it's a NEGATIVE solution.
 