[Samba] Schema version 87 and windows Hello
Mason Schmitt
mason at ftlcomputing.com
Sat Sep 26 07:34:04 UTC 2020
Hi Andrew,
I'm very interested in using Windows Hello for Business in small business
environments, with Samba as the AD DC.
> I'm sorry that I don't have great news. The schema upgrade is the easy
> part - we could do that by obtaining new schema from Microsoft:
>
> https://www.microsoft.com/en-nz/download/confirmation.aspx?id=23782
> (and yes, the licence terms are something we can use!)
>
> Even upgrading the schema in-place isn't too hard, they even publish some
> of the required parts here:
>
> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Schema-Updates.md
> Creative Commons Attribution 4.0 International Public License (w00t!)
>
> So, a new schema is 'just' a matter of importing those and using the great
> tools that Garming Sam wrote a couple of years back to ingest it.
>
Is this all that would be required to enable a deployment based upon a
traditional PKI?
> And at the base, Windows Hello is just PKINIT under the hood, and our
> Heimdal KDC knows about that. Teaching it about the self-signed
> certificates used (rather than traditional CA enrolment) also wouldn't
> be impossible.
>
If I'm understanding you correctly, it sounds like the only significant
change (and perhaps not even that significant) would be some coding to
support the self-signed cert scenario.
This all sounds really promising! What would it take to sponsor the
development of this? Unfortunately, I don't have any developer resources
to offer.
> But the big trouble is that the 'Hello for Business' enrolment process
> is all wrapped up in a flow via Active Directory Federation Services,
> and we have *none* of that stack.
>
I took a look at the slide deck presented at SambaXP 2019 (https://sambaxp.org/fileadmin/user_upload/sambaxp2019-slides/farooqi_sambaxp2019_WindowsHelloForBusiness.pdf)
and specifically the provisioning process. I see what you mean about the
requirement for ADFS, to enable a user-friendly self-registration process.
However, for smaller environments, with a very low volume of new users
being introduced, would it not be possible to forego the self provisioning
process and substitute either a manual admin process or some light
automation to generate key pairs on the client and push the necessary
changes directly to the DC? This would essentially be a Windows Hello for
Business minimum viable product.
--
Mason