[Samba] Schema version 87 and windows Hello
mailist at kaminot.xyz
Mon Sep 28 06:27:30 UTC 2020
On 9/26/20 9:34 AM, Mason Schmitt via samba wrote:
> Hi Andrew,
> I'm very interested in using Windows Hello for Business in small business
> environments, with Samba as the AD DC.
Good luck. I got it kind of working with: 1 Samba DC, 1 Windows 2012 DC,
1 Windows 2016 ADFS.
>> I'm sorry that I don't have great news. The schema upgrade is the easy
>> part - we could do that by obtaining new schema from Microsoft:
>> (and yes, the licence terms are something we can use!)
>> Even upgrading the schema in-place isn't too hard, they even publish some
>> of the required parts here:
>> Creative Commons Attribution 4.0 International Public License (w00t!)
>> So, a new schema is 'just' a matter of importing those and using the great
>> tools that Garming Sam wrote a couple of years back to ingest it.
> Is this all that would be required to enable a deployment based upon a
> traditional PKI?
If you are using Windows, yes; if not, then you would need to find a way
to replace the EDRS (there is a good doc about it here).
>> And at the base, Windows Hello is just PKINIT under the hood, and our
>> Heimdal KDC knows about that. Teaching it about the self-signed
>> certificates used (rather than traditional CA enrolment) also wouldn't
>> be impossible.
> If I'm understanding you correctly, it sounds like the only significant
> change (and perhaps not even that significant) would be some coding to
> support the self-signed cert scenario.
Sounds like you want to do a certificate trust deployment. That seems the
hardest, because you would need a certificate authority that can talk
> This all sounds really promising! What would it take to sponsor the
> development of this? Unfortunately, I don't have any developer resources
> to offer.
>> But the big trouble is that the 'Hello for Business' enrolment process
>> is all wrapped up in a flow via Active Directory Federation Services,
>> and we have *none* of that stack.
> I took a look at the slide deck presented at SambaXP 2019 (
> and specifically the provisioning process. I see what you mean about the
> requirement for ADFS, to enable a user friendly self registration process.
> However, for smaller environments, with a very low volume of new users
> being introduced, would it not be possible to forego the self provisioning
> process and substitute either a manual admin process or some light
> automation to generate key pairs on the client and push the necessary
> changes directly to the DC? This would essentially be a Windows Hello for
> Business minimum viable product.
Well, you would have to bypass the whole registration process. It is
possible in theory, but seems rather complex. I mean, how do you register
the PIN then?