[Samba] Schema version 87 and windows Hello

Mason Schmitt mason at ftlcomputing.com
Tue Sep 29 23:04:36 UTC 2020

> I am not that experienced about it^^
> I think that one first step would be to strip the registration (key
> trust on my side), and once that would have been done submit the results
> to the samba team and see if it is worth funding/implementing.
> As I am not part of the samba team I cannot say more.

It sounds like you're suggesting that you're going to strictly focus on
what the regular day to day authentication process looks like for WHFB.  In
other words, just the PC to AD authentication piece and not the initial
self-registration with ADFS.  My guess is that subsequent steps would be to:
- confirm what needs to be stored in LDAP and what format it is stored in
- determine what registry keys and/or other configurations are changed on
the PC, that tell Windows Logon to request a PIN for unlocking the TPM and
then initiate the PKINIT authentication process

I don't have access to a functioning WHFB environment, so I'm not sure how
to help right now - other than offer encouragement and ideas.
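As an added illustration of the first step above (confirming what ends up in LDAP and in what format), here is a small parser, not code from this thread or from the Samba project, for the way Windows stores a key-trust credential in Active Directory. It assumes, from MS-ADTS rather than from anything in this message, that the public key lands in the user's msDS-KeyCredentialLink attribute as a DN-Binary value ("B:<hexlen>:<hex>:<DN>") whose binary part is a KEYCREDENTIALLINK_BLOB: a 4-byte version followed by entries of a 2-byte little-endian length, a 1-byte identifier and the value. The sample value, the device GUID and the DN are constructed for the example; a real value would be read out of LDAP.

```python
"""Decode a Windows Hello for Business key-trust credential as stored in AD.

Assumption (not from the mailing-list thread): the value lives in the user's
msDS-KeyCredentialLink attribute as DN-Binary, and the binary part follows the
KEYCREDENTIALLINK_BLOB layout from MS-ADTS 2.2.20.
"""
from __future__ import annotations

import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers as documented in MS-ADTS (assumption: taken from the spec).
ENTRY_NAMES = {
    0x01: "KeyID",
    0x02: "KeyHash",
    0x03: "KeyMaterial",
    0x04: "KeyUsage",
    0x05: "KeySource",
    0x06: "DeviceId",
    0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp",
    0x09: "KeyCreationTime",
}
KEY_USAGE = {0x01: "NGC", 0x02: "FIDO", 0x03: "FEK", 0x07: "Other"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian Windows FILETIME (100 ns ticks) to UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_blob(blob: bytes) -> dict:
    """Walk the length/identifier/value entries of a KEYCREDENTIALLINK_BLOB."""
    if len(blob) < 4:
        raise ValueError("blob too short for version header")
    (version,) = struct.unpack("<I", blob[:4])
    if version != 0x200:
        raise ValueError(f"unsupported KeyCredentialLink version 0x{version:x}")
    out = {"Version": version}
    pos = 4
    while pos < len(blob):
        if pos + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack_from("<HB", blob, pos)
        pos += 3
        value = blob[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"entry 0x{ident:02x} claims {length} bytes, blob ends early")
        pos += length
        name = ENTRY_NAMES.get(ident, f"Unknown(0x{ident:02x})")
        if ident == 0x04 and value:
            out[name] = KEY_USAGE.get(value[0], value[0])
        elif ident == 0x06:
            out[name] = str(uuid.UUID(bytes_le=value))
        elif ident in (0x08, 0x09):
            out[name] = filetime_to_datetime(value)
        else:
            out[name] = value
    return out


def parse_dn_binary(value: str) -> tuple[dict, str]:
    """Split a DN-Binary string into its blob and DN, and decode the blob."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError("not a DN-Binary value")
    _, hex_len, hex_data, dn = parts
    if int(hex_len) != len(hex_data):
        raise ValueError("DN-Binary length field does not match the hex data")
    return parse_blob(bytes.fromhex(hex_data)), dn


def key_id_matches(parsed: dict) -> bool:
    """Integrity check: in version 2 blobs KeyID is SHA-256 of KeyMaterial."""
    return parsed.get("KeyID") == hashlib.sha256(parsed.get("KeyMaterial", b"")).digest()


def _entry(ident: int, value: bytes) -> bytes:
    return struct.pack("<HB", len(value), ident) + value


def sample_value() -> str:
    """Constructed sample (not a real credential) so the parser can run offline."""
    key_material = b"\x30\x82\x01\x0a" + b"\x00" * 12  # placeholder bytes, not a real public key
    device_id = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed GUID
    created = datetime(2020, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    ticks = ((created - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    blob = struct.pack("<I", 0x200)
    blob += _entry(0x01, hashlib.sha256(key_material).digest())
    blob += _entry(0x03, key_material)
    blob += _entry(0x04, b"\x01")  # KeyUsageNGC
    blob += _entry(0x05, b"\x00")  # KeySource: AD
    blob += _entry(0x06, device_id.bytes_le)
    blob += _entry(0x09, struct.pack("<Q", ticks))
    hex_data = blob.hex()
    return f"B:{len(hex_data)}:{hex_data}:CN=PC01,OU=Workstations,DC=example,DC=com"


if __name__ == "__main__":
    parsed, dn = parse_dn_binary(sample_value())
    for name, val in parsed.items():
        print(f"{name}: {val.hex() if isinstance(val, bytes) else val}")
    print("DN:", dn, "| KeyID consistent:", key_id_matches(parsed))
```

The DN part of the value names the device object the key was registered from, and the KeyUsage entry distinguishes a Hello (NGC) key from FIDO or other uses; the KeyID check is a cheap sanity test that the stored entry is internally consistent before anything downstream trusts the key material.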

