I wanted to authenticate Samba users as Office 365 users, so as a preliminary step I set things up so that Azure AD can be used for Linux authentication.

Environment: Debian 10.2, Node.js v10.19.0 (apt), aad-login, Office 365

Reference: Authenticate Linux login with Azure AD!

Basically I followed the procedure on the reference site, but there were a few extra things to do.
Perform "App registration" from the Azure portal. Name: an easy-to-understand name. Supported account types: "Accounts in this organizational directory only".

After the application is registered, the Application (client) ID is shown on the Overview page, so copy it.

Open the Manifest page; the manifest is shown as JSON. Set the following item:

```json
"allowPublicClient": true
```

In my case the initial value was null.
If you forget this setting, authentication fails at login time with:

```
AADSTS7000218: The request body must contain the following parameter:
```
The administrator also had to consent to the permissions by opening the API permissions page. Click the "Grant admin consent for [name]" button to give consent. When the Status column shows a green check mark with "Granted for [name]", it is done.

If you skip this, authentication fails with `AADSTS65001: The user or administrator has not consented to use the application with ID {client ID} named '[app name]'.`
This is the work on the Linux server side.
```bash
sudo apt update
sudo apt install -y nodejs npm git
cd /tmp
git clone https://github.com/bureado/aad-login
cd aad-login/
# /opt and /usr/local/bin are root-owned, so these steps need sudo
sudo mkdir -p /opt/aad-login
sudo cp aad-login.js package.json /opt/aad-login/
sudo cp aad-login /usr/local/bin/
cd /opt/aad-login/
sudo npm install
```
In /opt/aad-login/aad-login.js, set:

```javascript
var directory = '[domain name of office365]';
var clientid = '[Application ID]';
```
As you can see from aad-login.js, `username + '@' + directory` is used as the user ID for authentication, so `directory` must be the domain that can be used for authentication in Office 365.

Add the line at the beginning of common-auth as described in the aad-login repository.
In /etc/pam.d/common-auth:

```
~ Omitted ~
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#↓ Add here ↓
auth sufficient pam_exec.so expose_authtok /usr/local/bin/aad-login
#↑ Add here ↑
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
~ Omitted ~
```
I had to add the user I wanted to authenticate as a local account in advance. The local user name is the part before the @.

```bash
# for the Azure AD user hoge@[directory]
sudo useradd hoge
```

<< When executed without adding the user >> When pam_exec.so runs, the password it receives is `\010\012\015INCORRECT\010\012\015`, so authentication apparently cannot be performed.

It seems that the stack checks whether the user exists before doing auth, and if the user does not exist, the password is replaced with the string above.
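To make the two local conditions above explicit (the account must exist locally, and the password handed over by pam_exec must be a real password rather than the substituted marker), here is an added pre-check wrapper in the style of the pam_exec helper described above. It is an example written for this page, not the aad-login project's own wrapper; it assumes pam_exec exports PAM_USER and writes the password to stdin, and the hand-off to aad-login.js via node is a hypothetical invocation.

```shell
#!/bin/sh
# Added example, not the aad-login project's own wrapper. Run by pam_exec with
# "expose_authtok": pam_exec exports PAM_USER and writes the password to stdin.
# Assumed (hypothetical) hand-off: aad-login.js reads PAM_USER and the password
# from stdin when run with node.
DIRECTORY='example.com'   # placeholder; use the same value as in aad-login.js

# aad_precheck USER   (password on stdin)
# Returns 0 when the attempt may be forwarded to Azure AD, 1 when USER has no
# local account, 2 when the token contains control characters (the marker the
# stack substitutes for unknown users starts with \010\012\015), 3 when empty.
aad_precheck() {
    user=$1
    # Only accounts that exist locally can own a session here, so refuse
    # unknown names before any request leaves the host.
    id -u "$user" >/dev/null 2>&1 || return 1
    # Read the whole token, not one line: the marker would be split at \012.
    authtok=$(cat)
    [ -n "$authtok" ] || return 3
    # A genuine password contains no C0 control characters and no DEL.
    clean=$(printf '%s' "$authtok" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$clean" = "$authtok" ] || return 2
    return 0
}

# The identity aad-login.js sends to Azure AD is username + '@' + directory.
aad_upn() {
    printf '%s@%s\n' "$1" "$DIRECTORY"
}

# Entry point when invoked by pam_exec; skipped when PAM_USER is not set.
if [ -n "${PAM_USER:-}" ]; then
    authtok=$(cat)
    printf '%s' "$authtok" | aad_precheck "$PAM_USER" || exit 1
    # Log the attempted identity (never the password) for later review.
    logger -t aad-login "azure ad attempt for $(aad_upn "$PAM_USER")"
    # Pass the token on via stdin, never argv, so it is not visible in ps.
    printf '%s\n' "$authtok" | node /opt/aad-login/aad-login.js
    exit $?
fi
```

With this in front of the Azure AD call, a login for a name that has no local account, or one carrying the substituted marker, is rejected on the host instead of producing a confusing failure from the tenant.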
For personal use I suppose it cannot be helped (゜ ゜)

At this point I realized that Samba keeps its own user management, and that the original goal could not be achieved this way ...