[Samba] Multi-factor Auth status

Deas, Jim James.Deas at warnerbros.com
Tue Nov 10 02:08:18 UTC 2020

Yes, there is some room here to work.
AD even inside Samba depends on several other network services, so placing a system like this in a DMZ will be a challenge, but still preferred to NTLM given its age and support status.

What is needed is a better way to integrate IDM and SAML.


-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org> 
Sent: Monday, November 9, 2020 4:10 PM
To: Deas, Jim <James.Deas at warnerbros.com>; samba at lists.samba.org
Subject: Re: [Samba] Multi-factor Auth status


On Mon, 2020-11-09 at 23:00 +0000, Deas, Jim via samba wrote:
> Is there any information I can grab on implementing MFA via the samba 
> 4 AD? Perhaps via the Okta API or SAML?

So Samba in this instance acts just as any other AD DC around 2008 functional level.  For web applications that can integrate with AD, and then add MFA at that layer then it should work just like Windows does - storing the password and perhaps some metadata in AD.

For Windows logon MFA is possible via smart card tokens, but that is a heavy-weight approach for some. 

The lighter-weight options are harder as the APIs are fixed as NTLM or Kerberos, but if something can be or pretend to be a smart card to windows then that can be made to work.

Furthermore, we would like to make this work even better, so if you are interested in that and can pitch in for the development effort I would love to explore this more.  

Some have expressed ideas about MFA particularly for Linux clients, and there we could potentially be much more flexible, as we can potentially control the client and server side.

My ideal would be to support Windows Hello for Business, but that needs a chunk of technologies (ADFS stuff) we don't have right now. 

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT
