{"id":695,"date":"2017-10-18T20:58:52","date_gmt":"2017-10-19T02:58:52","guid":{"rendered":"https:\/\/www.jumpcloud.com\/engineering-blog\/?p=695"},"modified":"2022-11-01T15:58:40","modified_gmt":"2022-11-01T19:58:40","slug":"introducing-ldap-authentication-samba-file-servers-nas-devices","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/introducing-ldap-authentication-samba-file-servers-nas-devices","title":{"rendered":"LDAP Authentication: Samba File Servers & NAS devices"},"content":{"rendered":"

Today, we’re happy to announce that JumpCloud’s LDAP services can now be leveraged to securely authenticate users accessing their digital assets stored on Samba File Servers and NAS appliances. Setup and configuration guidance can be seen in this Knowledge Base Article.

This latest update to JumpCloud’s LDAP services focused deeply on security, ensuring that the required SMB/CIFS authentication transaction between a client host (e.g. Windows) and a Samba-based File Server (e.g. Synology, QNAP or a Linux Samba server) is protected.


The SMB/CIFS authentication protocol is widely known for its weak security protections, primarily because of its use of the Windows NT password, which utilizes MD4 hashing. It was deployed at a time when the Internet (e.g. ‘the cloud’) played virtually no role in IT services, especially authentication and directory services. Today, the Internet plays a major role in IT. However, there is still a wide ecosystem of Linux Samba servers and Samba-based commercial Network Attached Storage (NAS) appliances available and in heavy use. The primary OS requiring SMB is Windows, an OS that accounts for a large majority of our customer base and thus requires SMB authentication with the Linux Samba server. As a result, JumpCloud pushed deep into the realm of securing the authentication transaction between these on-premises resources and our cloud-based authentication services. The end result of the implementation enables IT admins to securely map a wider array of resources to a user. This ranges from providing access to the user’s Mac, Windows, and Linux systems, to the networks they need access to, to authenticating their on-prem and web-based applications, and now, with this release, secure authentication to traditional file storage resources.

Today’s release announcement focuses primarily on our LDAP endpoint, enabling what Samba/SMB requires while keeping that endpoint secure. The following reference architecture diagram shows the basic authentication flow:

[Figure: reference architecture diagram of the basic authentication flow]

As shown in the ‘Your Samba File Server/NAS’ visualization above, an IT admin will configure the server to defer its authentication to an external LDAP directory, instead of utilizing the server’s own locally stored user accounts. You can see an example of this utilizing Synology here on our Knowledge Base. JumpCloud’s user object, as represented in our LDAP service, will contain the appropriate Samba attributes required to complete the authentication request, as shown in the graphic above. The sambaNTpassword attribute is one of these; it is conditionally applied for security reasons. On the topic of security, JumpCloud has put in place numerous layers of protection for the Samba-specific information. These include: