[Samba] OTP authentication

the2nd at otpme.org the2nd at otpme.org
Wed Jan 14 09:53:59 MST 2015


it's not a certain project that i need this for. it's a general question 
if this would be possible. i think OTPs are a good idea, also for 
windows logins.

maybe some of the samba devs can shed some light on this?

On 2015-01-14 15:49, Gaiseric Vandal wrote:
> If I were going to do this, I would probably try moving to a Windows
> 200x AD domain controller, and implementing RSA SecurID on that
> machine.  I have not worked with other OTP solutions.
> 
> As far as I understand, if Samba is configured as a domain controller,
> it expects to be able to handle the authentication itself.
> 
> OTP is, in my opinion, most valuable when you are exposing resources
> to the Internet (e.g. a remote access solution, web-based corporate
> e-mail etc.)
> 
> 
> On 01/13/15 17:24, the2nd wrote:
>> I've read about using clear text passwords with samba. But i think 
>> technically it should be possible that samba hands over the 
>> authentication to another component. If you join samba to a windows 
>> domain it does exactly this. If you joined a linux machine to a 
>> Windows Domain you can use winbind and ntlm_auth to authenticate third 
>> party Software like squid against the windows dc also with sso. I 
>> would like to use it the other way. If it would be possible that samba 
>> calls an external tool to do ntlm challenge response auth i could use 
>> it with OTPme. :)
>> 
>> -------- Original message --------
>> From: Gaiseric Vandal
>> Date: 01.13.2015 22:57 (GMT+01:00)
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] OTP authentication
>> 
>> On 01/13/15 16:21, the2nd at otpme.org wrote:
>> > hi,
>> >
>> > i would like to ask if it would be possible to use samba with one time
>> > passwords. i know there are commercial and OSS solutions to do this
>> > (e.g. http://pgina.org/) but i would prefer to do it without any
>> > software that needs to be installed on windows.
>> >
>> > would this technically be possible or is this already possible?
>> >
>> > regards
>> > the2nd
>> 
>> 
>> Samba at one point allowed you to use pam authentication. Which
>> makes me think that you could then use it with the RSA securid
>> client software (or radius modules) to talk back to a RSA SecurID
>> server.  It would require unencrypted passwords which would then add
>> a new security risk.
>> 
