[Samba] Schema version 87 and windows Hello

Andrew Bartlett abartlet at samba.org
Fri Sep 11 04:07:07 UTC 2020

On Sat, 2020-09-05 at 12:31 +0200, mailist via samba wrote:
> Hi all,
> I would like to set up Windows Hello (in the sense user and management
> are pressuring me) but for both options the schema would need to be at
> least 87 (Windows 2016). I looked on the roadmap, bugzilla but couldn't
> find anything regarding this topic. Would you know when this version
> would be available and what is needed in order to achieve so?
> As a separate question, do you know a good alternative to Windows Hello
> for Business (pin/fingerprint login)?

I'm sorry for taking so long to reply.

I'm sorry that I don't have great news.  The schema upgrade is the easy
part - we could do that by obtaining new schema from Microsoft:

(and yes, the licence terms are something we can use!)

Even upgrading the schema in-place isn't too hard, they even publish some of the required parts here:
Creative Commons Attribution 4.0 International Public License (w00t!)
So, a new schema is 'just' a matter of importing those and using the great tools that Garming Sam wrote a couple of years back to ingest it.

And at the base, Windows Hello is just PKINIT under the hood, and our
Heimdal KDC knows about that.  Teaching it about the self-signed
certificates used (rather than traditional CA enrolment) also wouldn't
be impossible.

But the big trouble is that the 'Hello for business' enrolment process
is all wrapped up in a flow via Active Directory Federation Services,
and we have *none* of that stack.

Depending on the size of your organisation you might want to help us
make progress on some of this, but in the meantime I suggest using a
traditional smart card or a software based system that integrates with
whatever is on your devices (turning them into a bulky smart card)
without going via the actual Hello protocols.  

If you did really want to proceed, I would look at funding another
schema upgrade, testing real ADFS against Samba and seeing what APIs it
hits and then implementing those.  At least the Windows server would
only be needed at enrolment, I think.

I would love for Samba to do more here, but it needs engineering
resources and a motivated backer.

Sorry I can't give you better news right now!

Andrew Bartlett
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
