[Samba] Multi-factor Auth status

Andrew Bartlett abartlet at samba.org
Tue Nov 10 00:10:11 UTC 2020


On Mon, 2020-11-09 at 23:00 +0000, Deas, Jim via samba wrote:
> Is there any information I can grab on implementing MFA via the
> samba 4 AD? Perhaps via the Okta API or SAML?

So Samba in this instance acts just as any other AD DC around 2008
functional level.  For web applications that can integrate with AD and
then add MFA at that layer, it should work just like Windows does -
storing the password and perhaps some metadata in AD.

For Windows logon, MFA is possible via smart card tokens, but that is a
heavy-weight approach for some.

The lighter-weight options are harder as the APIs are fixed as NTLM or
Kerberos, but if something can be or pretend to be a smart card to
Windows then that can be made to work.

Furthermore, we would like to make this work even better, so if you are
interested in that and can pitch in for the development effort I would
love to explore this more.  

Some have expressed ideas about MFA particularly for Linux clients, and
there we could potentially be much more flexible, as we can potentially
control the client and server side.

My ideal would be to support Windows Hello for Business, but that needs
a chunk of technologies (ADFS stuff) we don't have right now. 

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
