[Samba] Schema version 87 and windows Hello

mailist mailist at kaminot.xyz
Mon Sep 28 06:27:30 UTC 2020


Hi Mason,


On 9/26/20 9:34 AM, Mason Schmitt via samba wrote:
> Hi Andrew,
> 
> I'm very interested in using Windows Hello for Business in small business
> environments, with Samba as the AD DC.
> 
Good luck. I got it kind of working with: 1 Samba DC, 1 Windows 2012 DC,
1 Windows 2016 ADFS.
> 
>> I'm sorry that I don't have great news.  The schema upgrade is the easy
>> part - we could do that by obtaining new schema from Microsoft:
>>
>> https://www.microsoft.com/en-nz/download/confirmation.aspx?id=23782
>> (and yes, the licence terms are something we can use!)
>>
>> Even upgrading the schema in-place isn't too hard, they even publish some
>> of the required parts here:
>>
>> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Schema-Updates.md
>> Creative Commons Attribution 4.0 International Public License (w00t!)
>>
>> So, a new schema is 'just' a matter of importing those and using the great
>> tools that Garming Sam wrote a couple of years back to ingest it.
>>
> 
> Is this all that would be required to enable a deployment based upon a
> traditional PKI?
> 
If you are using Windows, yes; if not, then you would need to find a way
to replace the EDRS (there is a good doc about it here:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning)
> 
> 
>> And at the base, Windows Hello is just PKINIT under the hood, and our
>> Heimdal KDC knows about that.  Teaching it about the self-signed
>> certificates used (rather than traditional CA enrolment) also wouldn't
>> be impossible.
>>
> 
> If I'm understanding you correctly, it sounds like the only significant
> change (and perhaps not even that significant) would be some coding to
> support the self-signed cert scenario.
> 
Sounds like you want to do a certificate trust deployment. That seems the
hardest, because you would need a certificate authority that can talk
with ADFS.

> This all sounds really promising!  What would it take to sponsor the
> development of this?  Unfortunately, I don't have any developer resources
> to offer.
> 
> 
> 
>> But the big trouble is that the 'Hello for business' enrolment process
>> is all wrapped up in a flow via Active Directory Federation Services,
>> and we have *none* of that stack.
>>
> 
> I took a look at the slide deck presented at SambaXP 2019 (
> https://sambaxp.org/fileadmin/user_upload/sambaxp2019-slides/farooqi_sambaxp2019_WindowsHelloForBusiness.pdf)
> and specifically the provisioning process.  I see what you mean about the
> requirement for ADFS, to enable a user friendly self registration process.
> 
> However, for smaller environments, with a very low volume of new users
> being introduced, would it not be possible to forego the self provisioning
> process and substitute either a manual admin process or some light
> automation to generate key pairs on the client and push the necessary
> changes directly to the DC?  This would essentially be a Windows Hello for
> Business minimum viable product.
> 
Well, you would have to bypass the whole registration process. It is
possible in theory but seems rather complex. I mean, how do you register
the PIN then?


Vincent
> 
> --
> Mason
> 


