[Samba] Schema version 87 and windows Hello

mailist mailist at kaminot.xyz
Fri Sep 11 15:33:58 UTC 2020


Hi,

thank you for your answer :)

Ohhh, that is new. I thought that Samba 4 was to this day incompatible
with a schema update >= v67 (I think it is written somewhere in the
documentation that the reason why Windows > 2016 can't be used as a
domain controller is partly due to the schema; that is what bothered me).

I already have set up an ADFS (Win 2016) (works with Heimdal krb without
problems; MIT seems to also work). The problem is with the enterprise
Device Registration Service, which requires a Windows 2016 schema
(which I thought was not yet supported by Samba).

For me, making Heimdal do this would be pointless. The idea I had
was to have a Windows 2012 R2 AD DC that only the ADFS would be
talking to (great, no krb problems), so the key trust model would technically
work :) The only point missing was the schema.

Thank you so much for your answers you actually helped me a lot :)

Yes, the smart card login was the alternative thought (probably even
better, but users like fashion).

(and yes, it looks like ADFS is only needed for the enrollment, but with
Windows, better Wireshark everything)

I am just an Ops person, but I would love to help if there is something I can do.

Thanks for the great work that you guys are doing.

Vincent

On 9/11/20 6:07 AM, Andrew Bartlett via samba wrote:
> On Sat, 2020-09-05 at 12:31 +0200, mailist via samba wrote:
>> Hi all,
>>
>> I would like to set up Windows Hello (in the sense that users and
>> management are pressuring me), but for both options the schema would
>> need to be at least 87 (Windows 2016). I looked on the roadmap and
>> Bugzilla but couldn't find anything regarding this topic. Would you
>> know when this version would be available and what is needed in order
>> to achieve that?
>>
>> As a separate question, do you know of a good alternative to Windows
>> Hello for Business (PIN/fingerprint login)?
> G'Day,
> 
> I'm sorry for taking so long to reply.
> 
> I'm sorry that I don't have great news.  The schema upgrade is the easy
> part - we could do that by obtaining new schema from Microsoft:
> 
> https://www.microsoft.com/en-nz/download/confirmation.aspx?id=23782
> (and yes, the licence terms are something we can use!)
> 
> Even upgrading the schema in-place isn't too hard, they even publish some of the required parts here:
> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Schema-Updates.md
> Creative Commons Attribution 4.0 International Public License (w00t!)
>
> So, a new schema is 'just' a matter of importing those and using the great tools that Garming Sam wrote a couple of years back to ingest it.
> 
> And at the base, Windows Hello is just PKINIT under the hood, and our
> Heimdal KDC knows about that.  Teaching it about the self-signed
> certificates used (rather than traditional CA enrolment) also wouldn't
> be impossible.
> 
> But the big trouble is that the 'Hello for Business' enrolment process
> is all wrapped up in a flow via Active Directory Federation Services,
> and we have *none* of that stack.
> 
> Depending on the size of your organisation you might want to help us
> make progress on some of this, but in the meantime I suggest using a
> traditional smart card or a software based system that integrates with
> whatever is on your devices (turning them into a bulky smart card)
> without going via the actual Hello protocols.
> 
> If you did really want to proceed, I would look at funding another
> schema upgrade, testing real ADFS against Samba and seeing what APIs it
> hits and then implementing those.  At least the Windows server would
> only be needed at enrolment, I think.
> 
> I would love for Samba to do more here, but it needs engineering
> resources and a motivated backer.
> 
> Sorry I can't give you better news right now!
> 
> Andrew Bartlett
>
> 
