Preferred variant to authenticate users of a Linux NAS against UCS domain

Hi everyone,

I have got a NAS running CentOS 7 where I want to enable all UCS domain users to access their private spaces via Samba and SFTP (proftpd) by being authenticated against the UCS DC.

To my knowledge I got basically 3 options to achieve that:

  1. Using winbind to join the UCS domain as a member.
  2. Using sssd to join the UCS domain as a member.
  3. Using LDAP via ldap.pam or individually configured for each service.

I tried that first with the result of having Samba shares working nicely on Linux and Windows machines. However, SFTP using proftpd was not able to authenticate successfully.

Using that solution, SFTP works nicely and access to Samba shares from Windows machines works as well; however, from Linux or Android machines I get a permission denied error. After some research I found out that in order to have the access working, one needs to retrieve a valid Kerberos ticket with kinit before mounting.

Haven’t tried that, yet.

What is the preferred variant to authenticate against UCS in this scenario?