[Samba] Schema version 87 and windows Hello

Mason Schmitt mason at ftlcomputing.com
Sat Sep 26 07:34:04 UTC 2020

Hi Andrew,

I'm very interested in using Windows Hello for Business in small business
environments, with Samba as the AD DC.

> I'm sorry that I don't have great news.  The schema upgrade is the easy
> part - we could do that by obtaining new schema from Microsoft:
> https://www.microsoft.com/en-nz/download/confirmation.aspx?id=23782
> (and yes, the licence terms are something we can use!)
> Even upgrading the schema in-place isn't too hard, they even publish some
> of the required parts here:
> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Schema-Updates.md
> Creative Commons Attribution 4.0 International Public License (w00t!)
> So, a new schema is 'just' a matter of importing those and using the great
> tools that Garming Sam wrote a couple of years back to ingest it.

Is this all that would be required to enable a deployment based upon a
traditional PKI?

> And at the base, Windows Hello is just PKINIT under the hood, and our
> Heimdal KDC knows about that.  Teaching it about the self-signed
> certificates used (rather than traditional CA enrolment) also wouldn't
> be impossible.

If I'm understanding you correctly, it sounds like the only significant
change (and perhaps not even that significant) would be some coding to
support the self-signed cert scenario.

This all sounds really promising!  What would it take to sponsor the
development of this?  Unfortunately, I don't have any developer resources
to offer.

> But the big trouble is that the 'Hello for business' enrolment process
> is all wrapped up in a flow via Active Directory Federation Services,
> and we have *none* of that stack.

I took a look at the slide deck presented at SambaXP 2019 (
and specifically the provisioning process.  I see what you mean about the
requirement for ADFS, to enable a user friendly self registration process.

However, for smaller environments, with a very low volume of new users
being introduced, would it not be possible to forego the self provisioning
process and substitute either a manual admin process or some light
automation to generate key pairs on the client and push the necessary
changes directly to the DC?  This would essentially be a Windows Hello for
Business minimum viable product.
