[Samba] OTP authentication

Andrew Bartlett abartlet at samba.org
Mon Jan 26 12:03:56 MST 2015

On Thu, 2015-01-22 at 16:20 +0100, the2nd at otpme.org wrote:
> Talking about Samba 4 with Kerberos and Windows clients, do you know 
> what preauth type is used when using standard auth with static 
> passwords?
> I personally would prefer a solution where no changes are needed on the 
> client side. If it would be possible to hand over the preauth data to a 
> third party tool for verification, like I described previously, there 
> would be no need to transmit the OTP from the client to Samba/KDC. The 
> third party tool just needs to return the valid OTP to the KDC. There 
> would also be no reason to implement all OTP types and features in the 
> KDC. There are already working OTP solutions, commercial and open 
> source.

My suggestion involves knowing a fairly small number of possible
passwords, and then modifying the Heimdal KDC to operate in a loop,
walking over the list of keys generated from those passwords, provided
to Heimdal from the OTP provider (this is totally the reverse of the way
OTP setups are traditionally done).  It would be CPU-intensive, but
might allow interop in limited circumstances that otherwise would
require client changes.

> Yesterday I asked on the FreeRADIUS mailing list if it would be possible 
> to use a RADIUS request/response for OTP verification (via preauth data) 
> and returning of the valid OTP.
> http://freeradius.1045715.n5.nabble.com/encrypted-response-parameter-td5731415.html
> It looks like this would be possible as there is a response attribute 
> "Tunnel-Password" which is encrypted.
> However, implementing most of this is out of my scope as I don't have the 
> (coding) skills to do it. ;)
> So it depends on whether there is someone else who is willing to implement 
> it.
> But I think many admins would be happy if it would be possible to use 
> OTPs without the need for any client changes.
> And I also think that at least other open source projects like 
> privacyIDEA would be happy to add support for this.
> My perfect setup would look like this:
> - set up FreeRADIUS with a tool like otpme that knows how to verify 
> preauth data

The issue there is that you just move the KDC into otpme.  Verifying the
pre-auth data and returning an encrypted response is pretty much the
whole of the AS-REQ element of the KDC, or at least the hard parts.

> - configure Samba/KDC to send preauth data via a RADIUS request to this 
> server and get back the clear text OTP over a secure channel
> Using RADIUS would also be nice because I guess it could also be used in 
> Samba 3 environments where no Kerberos is involved. I'm not sure about 
> this, but I guess it should be possible that Samba 3 sends an MSCHAP/NTLM 
> request via RADIUS when a user logs in?

A RADIUS module was never written for Samba's pluggable auth module, but
there is no reason it couldn't technically be done on top of MSCHAP.
Pushing NTLMv2 in might require the server to be 'flexible' with what it
accepts in terms of packet length, but if we control the stack, we can
be flexible.

This would limit you to situations where you can use NTLM (classic
domains etc), but remains interesting.

> BTW, Alan DeKok from FreeRADIUS is willing to help with the RADIUS part 
> if there is someone who is interested in implementing this.
> I personally would be really happy about such a feature as Samba is 
> currently the only OSS software I was not able to get going with otpme.
> Regards
> the2nd

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
