Use Azure AD for Linux authentication

I wanted to authenticate Samba as an Office 365 user, so as a preliminary preparation, I will be able to use Azure AD for Linux authentication.


Debian 10.2 Nodejs v10.19.0 (apt) aad-login Office365

Referenced site

Authenticate Linux login with Azure AD! !!


Basically, it is a procedure of the reference site, but there was something to do + α.

Create an application with Azure AD

Perform "App Registration" from the Azure console. Name: Easy-to-understand name Supported account types: "Accounts contained only in this organization directory"

When you register the application, the application (client ID) will be displayed on the overview page, so copy it.

Application manifest fix

When the manifest page is displayed, the manifest is displayed in JSON, so set the following items. "allowPublicClient": true In my case the initial value was set to null.

If you forget this setting, when you authenticate AADSTS7000218: The request body must contain the following parameter: And authentication fails.

API permission settings

The administrator had to agree to the permissions by opening the API permissions page. Click the "Give administrator consent to [name]" button to give consent. If you add a green check mark to the status item, "It was given to [name]", it's OK.

If you do not make this setting, when you authenticate ʻAADSTS65001: The user or administrator has not consented to use the application with ID {client ID} named'[app name]'.` And authentication fails.

Install aad-login

This is the work on the Linux server side.


sudo apt update
sudo apt install -y nodejs npm git
cd /tmp
git clone
cd aad-login/
mkdir -p /opt/aad-login
cp aad-login.js package.json /opt/aad-login/
cp aad-login /usr/local/bin/
cd /opt/aad-login/
npm install

aad-login settings


var directory = '[domain name of office365]';
var clientid = '[Application ID]';

As you can see by looking at add-login.js, since ʻusername +'@' + directory` is authenticated as userid, the domain that can be used for authentication in office365 is described in directory.

pam.d settings

Add it to the beginning of common-auth as described in git of aad-login.


~ Omitted ~
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

#↓ Add here ↓
auth sufficient expose_authtok /usr/local/bin/aad-login
#↑ Add here ↑

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore] nullok_secure
# here's the fallback if no module succeeds
auth    requisite             
# prime the stack with a positive return value if there isn't one already;
~ Omitted ~

Add user

I had to add the user I wanted to authenticate in advance. It will be added before @.

#hoge@For directory
useradd hoge

<< When executed without adding a user >> When is executed, "# 010 # 012 # 015 INCORRECT # 010 # 012 # 015" is set as the password and it seems that authentication cannot be performed.

It seems to check if there is a user before doing auth, and if there is no user, the password will be replaced with the above.

I feel like I can't help it for personal use (゜ ゜)

So far, I realized that Samba is different from user management, and realized that the original purpose could not be achieved ...

Recommended Posts

Use Azure AD for Linux authentication
How to use fingerprint authentication for KDE
Why use linux
pyenv for linux
Check! How to use Azure Key Vault with Azure SDK for Python! (Measures around authentication)
[For memo] Linux Part 2
What is Linux for?
Linux command for self-collection
Linux Kernel Build for DE10nano
Use Github Desktop on Linux
Linux distribution recommended for beginners
Flutter platform channels for Linux
Use WDC-433SU2M2 with Manjaro Linux
Linux Command Dictionary (for myself)
Use sshpass on Amazon linux2
Linux command memorandum [for beginners]
Use Linux on Windows 10 (WSL2)
Convenient Linux shortcuts (for beginners)