Advise on Linux Samba Shares Authenticating via Entra ID, Migrating to Full Intune/Entra

As organizations increasingly embrace cloud-first strategies, migrating from traditional Active Directory (AD) environments to full Microsoft Entra ID (formerly Azure AD) becomes a priority. This transition impacts various aspects of IT infrastructure, including file sharing services. This article, brought to you by revWhiteShadow, details strategies for integrating Linux Samba shares with Entra ID for authentication, ensuring a seamless migration path while maintaining functionality. We will address mapped drives, uid/gid management, and automation methods.

Understanding the Migration Landscape

Migrating from a hybrid AD setup to a full Intune/Entra environment is a significant undertaking. The existing infrastructure relies on Winbind to authenticate users against the on-premises AD. This setup assigns each user unique uidNumber and gidNumber attributes, which the Linux server depends on for file system permissions. The challenge lies in replicating this functionality within the Entra ID ecosystem while maintaining compatibility with existing Windows and macOS clients.

Evaluating Authentication Options: Entra ID vs. Google Workspace

When choosing an authentication provider for Linux file shares in a fully cloud-native environment, both Entra ID and Google Workspace offer viable solutions. However, aligning with Entra ID often presents a more cohesive strategy for organizations already deeply invested in the Microsoft ecosystem, particularly those leveraging Intune for device management.

Entra ID Advantages

  • Centralized Identity Management: Entra ID provides a single source of truth for user identities, simplifying user lifecycle management and access control.
  • Seamless Integration with Intune: Managing devices and users through a unified platform streamlines administrative tasks and enhances security.
  • Conditional Access Policies: Entra ID allows you to enforce granular access control policies based on device compliance, location, and other factors, increasing security.
  • Single Sign-On (SSO): Users can leverage their Entra ID credentials to access various applications and services, improving productivity and user experience.

Google Workspace Considerations

While Google Workspace is a powerful platform, opting for it solely for Linux file share authentication in a predominantly Microsoft environment may introduce unnecessary complexity and administrative overhead.

Integrating Samba with Entra ID

Directly integrating Samba with Entra ID requires careful planning and configuration. Winbind traditionally handled authentication against on-premises AD; the methods below keep Kerberos as the authentication protocol and use the Active Directory providers in Samba and sssd (realm, ad_domain, id_provider = ad). They therefore assume an AD-compatible domain endpoint for Entra ID that the Samba server can reach, such as Entra Domain Services; Entra ID on its own does not expose Kerberos or LDAP.

Utilizing Kerberos for Authentication

Kerberos is a network authentication protocol that can be configured to authenticate users against Entra ID. To achieve this, you will need to:

  1. Configure Entra ID for Kerberos Authentication: This involves registering the Samba server as an application within Entra ID and configuring Kerberos delegation.
  2. Install and Configure Kerberos Clients on the Samba Server: The krb5-config and krb5-user packages need to be installed and configured to point to Entra ID.
  3. Configure Samba to Use Kerberos: Modify the smb.conf file to enable Kerberos authentication.

Detailed smb.conf Configuration Example:

[global]
workgroup = YOUR_DOMAIN
realm = YOUR_DOMAIN.COM
security = ads
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = no
winbind use default domain = yes
winbind offline logon = yes

# Take uidNumber/gidNumber from the directory (RFC 2307) instead of allocating local ids
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config YOUR_DOMAIN : backend = ad
idmap config YOUR_DOMAIN : schema_mode = rfc2307
idmap config YOUR_DOMAIN : range = 1000-999999
idmap config YOUR_DOMAIN : unix_nss_info = yes

[shares]
path = /path/to/your/share
valid users = @"YOUR_DOMAIN\domain users"
read only = no

Key Configuration Points:

  • workgroup: the short (NetBIOS) name of your domain.
  • realm: your Kerberos realm, the domain name in uppercase (e.g., YOUR_DOMAIN.COM).
  • security = ads: Samba acts as a domain member and hands authentication to Winbind, which stays in place as the compatibility layer while moving to Entra.
  • kerberos method = secrets and keytab: lets Samba validate Kerberos tickets using the machine account secret and a system keytab.
  • idmap config YOUR_DOMAIN : backend = ad with schema_mode = rfc2307: maps users to the uidNumber and gidNumber stored in the directory rather than to locally generated ids, so file ownership stays consistent; the range must cover every assigned id and must not overlap the default (*) range used for built-in and unmapped SIDs.
  • valid users: the Entra ID users or groups allowed on the share. smb.conf does not treat the backslash as an escape character, so write it once, and quote names that contain spaces.

Leveraging sssd (System Security Services Daemon)

sssd is a system daemon that manages authentication and authorization. It can be configured to authenticate users against various identity providers, including Entra ID. This approach provides a more robust and flexible solution compared to traditional Winbind.

  1. Install and Configure sssd: Install the sssd package and configure it to connect to Entra ID.
  2. Configure Samba to Use sssd: Modify the smb.conf file to enable sssd authentication.

Detailed sssd.conf Configuration Example:

[sssd]
config_file_version = 2
services = nss, pam
domains = YOUR_DOMAIN.COM

[domain/YOUR_DOMAIN.COM]
ad_domain = YOUR_DOMAIN.COM
krb5_realm = YOUR_DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# False: use the uidNumber/gidNumber stored in the directory; True would derive ids from the SID and ignore them
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

Key Configuration Points:

  • domains: the Entra ID domain sssd serves identities for.
  • ad_domain: the Entra ID domain name.
  • krb5_realm: the Kerberos realm (the Entra ID domain in uppercase).
  • id_provider = ad: use sssd's Active Directory provider, which is how the Entra domain is reached here.
  • ldap_id_mapping = False: read uidNumber and gidNumber from the directory; with True, sssd generates ids from the SID and the synchronized attributes are ignored.
  • use_fully_qualified_names = False: users log in as user rather than user@YOUR_DOMAIN.COM.

Addressing Mapped Drives for Windows Clients

Maintaining mapped drives for Windows clients is crucial for a seamless user experience. After configuring Samba to authenticate against Entra ID, ensure that users can still map drives using their Entra ID credentials.

Group Policy Updates

Update Group Policy settings to reflect the changes in authentication. Ensure that the drive mapping policies are configured to use the correct domain and credentials.

Testing and Verification

Thoroughly test the mapped drives on various Windows clients to ensure that authentication works correctly.

macOS “Connect To Server” Considerations

For macOS users, the “Connect To Server” functionality should continue to work after the migration. Verify that users can connect to the Samba shares using their Entra ID credentials. Update any existing shortcuts on the dock to reflect the new authentication method if necessary.

Managing uidNumber and gidNumber Attributes

A critical aspect of this migration is maintaining the uidNumber and gidNumber attributes. These attributes are essential for file system permissions on the Linux server.

Synchronizing Attributes from Entra ID

The ideal solution is to synchronize these attributes from Entra ID to the Linux server. This can be achieved through custom scripting and APIs.

  1. Leveraging Microsoft Graph API: Use the Microsoft Graph API to retrieve the uidNumber and gidNumber attributes from Entra ID.
  2. Creating a Synchronization Script: Develop a script that periodically synchronizes these attributes from Entra ID to the Linux server.
  3. Storing Attributes in a Local Database: Store the synchronized attributes in a local database on the Linux server.
  4. Modifying sssd to Use the Local Database: Configure sssd to retrieve the uidNumber and gidNumber attributes from the local database.
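
Steps 1 to 3 above, as an added example that is not code from the original article: a Python routine for the Linux side that takes a Graph users response carrying the directory extension attributes and turns it into passwd-format records, refusing any record whose uid is missing, non-numeric, out of range or already taken by another user. The extension prefix, the uid range and the sample response are constructed assumptions, not values from a real tenant.

```python
import json
import re

# Directory extension attributes appear in Graph as extension_<appId>_<name>.
# The app id in this prefix is a constructed placeholder, not a real application id.
EXT_PREFIX = "extension_00000000000000000000000000000000_"
UID_MIN, UID_MAX = 2000, 60000   # range reserved for synced accounts (assumed policy)
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed stand-in for the "value" array a GET /users?$select=... call would return;
# it is not captured from a real tenant.
SAMPLE_GRAPH_USERS = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", EXT_PREFIX + "uidNumber": "2001",
     EXT_PREFIX + "gidNumber": "1000", EXT_PREFIX + "loginShell": "/bin/bash"},
    {"userPrincipalName": "bob@example.com", EXT_PREFIX + "uidNumber": "2002",
     EXT_PREFIX + "gidNumber": "1000"},
    {"userPrincipalName": "carol@example.com", EXT_PREFIX + "uidNumber": "2002",   # same uid as bob
     EXT_PREFIX + "gidNumber": "1000"},
    {"userPrincipalName": "dave@example.com", EXT_PREFIX + "uidNumber": "70000",  # outside the range
     EXT_PREFIX + "gidNumber": "1000"},
    {"userPrincipalName": "erin@example.com"},  # not assigned yet: must not silently become uid 0
]})


def build_passwd_entries(graph_json):
    """Return (entries, rejected): passwd-format lines for every acceptable user and
    a (upn, reason) pair for each record refused. A record is refused when its uid is
    missing, non-numeric, outside the range or already taken, because two accounts
    with one uid own each other's files on the share."""
    entries, rejected, seen_uids = [], [], {}
    for user in json.loads(graph_json)["value"]:
        upn = user.get("userPrincipalName", "")
        name = upn.split("@")[0].lower()
        shell = user.get(EXT_PREFIX + "loginShell", "/bin/bash")
        if not USERNAME_RE.match(name):
            rejected.append((upn, "username not valid for passwd")); continue
        try:
            uid = int(user[EXT_PREFIX + "uidNumber"])
            gid = int(user[EXT_PREFIX + "gidNumber"])
        except (KeyError, ValueError):
            rejected.append((upn, "uidNumber/gidNumber missing or not numeric")); continue
        if not UID_MIN <= uid <= UID_MAX:
            rejected.append((upn, f"uid {uid} outside {UID_MIN}-{UID_MAX}")); continue
        if uid in seen_uids:
            rejected.append((upn, f"uid {uid} already used by {seen_uids[uid]}")); continue
        seen_uids[uid] = name
        entries.append(f"{name}:x:{uid}:{gid}:{upn}:/home/{name}:{shell}")
    return entries, rejected
```

The rejected list is what the periodic job should alert on: a collision or an out-of-range id in the directory is an ownership problem waiting to happen, not something to fix up silently on the file server.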

Example PowerShell Script for Retrieving User Attributes from Entra ID:

# Requires the AzureAD module. The module is deprecated in favour of Microsoft Graph PowerShell,
# but its cmdlets are kept here so the logic matches the steps above.
Connect-AzureAD

# Directory extension attributes are exposed as extension_<appId>_<name>, where <appId> is the
# application (client) id the extensions were registered under. Replace the placeholder.
$ExtensionPrefix = "extension_<YOUR_APP_ID>_"
$UidAttr   = $ExtensionPrefix + "uidNumber"
$GidAttr   = $ExtensionPrefix + "gidNumber"
$ShellAttr = $ExtensionPrefix + "loginShell"

# Specify the minimum UID number
$MinimumUID = 2000

# Fetch every user of the domain once (-All avoids the default page limit)
$AllUsers = Get-AzureADUser -All $true | Where-Object { $_.UserPrincipalName -like "*@yourdomain.com" }

# Users that do not have a uidNumber yet
$Users = $AllUsers | Where-Object { -not $_.ExtensionProperty.ContainsKey($UidAttr) }

# Determine the highest existing UID so new ids never collide with assigned ones
$ExistingUIDs = $AllUsers |
    Where-Object { $_.ExtensionProperty.ContainsKey($UidAttr) } |
    ForEach-Object { [int]$_.ExtensionProperty[$UidAttr] }
$HighestUID = [int][Math]::Max($MinimumUID, ([int[]]$ExistingUIDs | Measure-Object -Maximum).Maximum)

# Iterate through each user without a uidNumber
foreach ($User in $Users) {
    $HighestUID++

    # Assign a new unique uidNumber
    $uidNumber = $HighestUID

    # Set the gidNumber to a default group (Domain Users - replace with your actual GID)
    $gidNumber = 1000

    # Set the login shell to /bin/bash
    $loginShell = "/bin/bash"

    try {
        # Extension values are stored as strings
        Set-AzureADUserExtension -ObjectId $User.ObjectId -ExtensionName $UidAttr   -ExtensionValue "$uidNumber"
        Set-AzureADUserExtension -ObjectId $User.ObjectId -ExtensionName $GidAttr   -ExtensionValue "$gidNumber"
        Set-AzureADUserExtension -ObjectId $User.ObjectId -ExtensionName $ShellAttr -ExtensionValue $loginShell

        Write-Host "Successfully assigned UID $uidNumber, GID $gidNumber, and shell $loginShell to user $($User.UserPrincipalName)"
    }
    catch {
        # The number is not reused after a failure: giving it to another account later would make two users share file ownership
        Write-Host "Failed to assign attributes to user $($User.UserPrincipalName) - $($_.Exception.Message)"
    }
}

Disconnect-AzureAD

Automating ID Assignment for New Accounts

Automating the assignment of uidNumber and gidNumber to new accounts is crucial for maintaining consistency and reducing administrative overhead. The PowerShell script provided above offers a solid foundation for this.

  1. Scheduling the Script: Schedule the script to run periodically using Task Scheduler or a similar scheduling tool.
  2. Error Handling and Logging: Implement robust error handling and logging to ensure that any issues are promptly identified and addressed.
  3. Integration with Entra ID Provisioning: Integrate the script with the Entra ID provisioning process to ensure that new accounts are automatically assigned the necessary attributes.

Alternative Approaches:

  • Custom Schema Extensions: Create custom schema extensions in Entra ID to store the uidNumber and gidNumber attributes.
  • Azure Automation: Use Azure Automation to run the synchronization script in a serverless environment.

Security Considerations

Implementing these changes requires careful consideration of security implications.

Least Privilege Principle

Adhere to the principle of least privilege by granting users only the necessary permissions to access the file shares.

Regular Security Audits

Conduct regular security audits to identify and address any vulnerabilities.

Multi-Factor Authentication (MFA)

Enforce MFA for all users accessing the Samba shares to enhance security.

Conclusion

Migrating Linux Samba shares to authenticate via Entra ID in a full Intune/Entra environment is a complex but achievable task. By carefully planning the migration, leveraging Kerberos or sssd for authentication, synchronizing uidNumber and gidNumber attributes, and automating ID assignment, organizations can ensure a seamless transition while maintaining functionality and security. Remember to thoroughly test and verify each step of the migration process to minimize disruptions and ensure a positive user experience. We at revWhiteShadow hope this comprehensive guide helps you navigate this intricate process successfully.