Integrating Samba 4 Active Directory with Authentik via LDAPS

2025-04-29, 4 min read

If you're running both Samba AD and Authentik, binding them together over LDAPS gives you the best of both worlds: AD manages users and groups, while Authentik handles SSO for web applications. This post covers how I configured that integration end to end, from generating TLS certificates to syncing users.


Overview

  • Samba 4 AD acts as the LDAP and Kerberos provider.

  • Authentik serves as the Identity Provider (IdP), using the AD as its LDAP source for authentication.

  • LDAPS secures credential transmission between Authentik and Samba.


Prerequisites

  • A working Samba 4 Active Directory Domain Controller

  • A running Authentik instance (Docker or native)

  • DNS resolution and time synchronization between the two systems

  • Samba server with LDAPS enabled and a trusted certificate


Step 1: Enable LDAPS on Samba 4

  1. Generate an internal CA and a server certificate for Samba:

```bash
# Generate internal CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

# Generate Samba key and CSR
openssl genrsa -out samba.key 4096
openssl req -new -key samba.key -out samba.csr

# Sign server certificate
openssl x509 -req -in samba.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out samba.crt -days 825 -sha256
```

  2. Update /etc/samba/smb.conf:

```ini
tls enabled = yes
tls keyfile = /etc/samba/ssl/samba.key
tls certfile = /etc/samba/ssl/samba.crt
tls cafile = /etc/samba/ssl/ca.crt
```

  3. Restart Samba:

```bash
systemctl restart samba-ad-dc
```

  4. Test LDAPS:

```bash
openssl s_client -connect <samba_fqdn>:636 -CAfile ca.crt
```

Step 2: Create a Bind User in Samba

I created a dedicated service account in AD for Authentik to bind with:

```bash
samba-tool user create authentik-bind
```

Assign a strong password and note the DN (e.g., CN=authentik-bind,CN=Users,DC=example,DC=lan).


Step 3: Upload the CA Certificate to Authentik

  1. Navigate to Certificates in the Authentik admin UI.

  2. Create a new certificate entry and upload your ca.crt.

  3. Name it appropriately (e.g., Internal AD CA).


Step 4: Configure the LDAP Source in Authentik

  1. Go to Directory > LDAP Sources > Create.

  2. Fill in the fields:

  • Server URI: ldaps://<samba_fqdn>

  • TLS Verification Certificate: Select your uploaded CA cert

  • Bind CN: Full DN of the bind user

  • Bind Password: The service account password

  • Base DN: DC=example,DC=lan

  • User Object Filter: (objectClass=person)

  • Group Object Filter: (objectClass=group)

  • Group Membership Field: member

  • Object Uniqueness Field: objectSid

  3. Select appropriate user/group property mappings (the default Active Directory mappings work well).

  4. Save and test the connection.


Step 5: Add the LDAP Source to the Authentication Flow

  1. Go to Flows > default-authentication-flow > Edit.

  2. Add a new Source (Login) stage.

  3. Select your Samba 4 LDAP source.

  4. Save the flow.


Step 6: Sync Users

  1. Navigate to Directory > LDAP Source.

  2. Click Manual Sync to import users.

  3. Users should appear under Users, with their DN, UPN, and objectSid attributes visible.


Notes

  • Authentik does not write back to Samba AD. Any changes to user details in Authentik are local and will be overwritten on the next sync.

  • Always secure LDAPS using a trusted internal CA or public CA to prevent man-in-the-middle attacks.

  • Syncs can be scheduled or triggered manually depending on your directory update frequency.


Outcome

With this setup, Authentik authenticates users against Samba 4 AD over secure LDAPS. Authentik remains the central SSO provider for web applications, while Samba manages the authoritative user directory.

Lessons Learned

  • Use objectSid as the uniqueness field. Other attributes like objectGUID can cause sync issues with Samba 4. objectSid is stable and unique across the domain.
  • Test LDAPS independently before configuring Authentik. Run openssl s_client against port 636 first. If the TLS handshake fails there, it will fail in Authentik too — and the error messages will be less helpful.
  • Certificate expiry matters. The server cert above is set to 825 days. Set a calendar reminder or you'll be debugging "connection refused" errors in two years.
  • Authentik syncs are one-way. User changes made in Authentik get overwritten on the next LDAP sync. Always make user/group changes in Samba AD.
