it's not a certain project that i need this for. it's a general question
if this would be possible. i think OTPs are a good idea, also for
windows logins.
maybe some of the samba devs can shed some light on this?
On 2015-01-14 15:49, Gaiseric Vandal wrote:
> If I were going to do this, I would probably try moving to a Windows
> 200x AD domain controller, and implementing RSA SecurID on that
> machine. I have not worked with other OTP solutions.
>
> As far as I understand, if Samba is configured as a domain controller,
> it expects to be able to handle the authentication itself.
>
> OTP is, in my opinion, most valuable when you are exposing resources
> to the Internet (e.g. a remote access solution, web-based corporate
> e-mail etc.)
>
>
> On 01/13/15 17:24, the2nd wrote:
>> I've read about using clear text passwords with samba. But i think
>> technically it should be possible that samba hands over the
>> authentication to another component. If you join samba to a windows
>> domain it does exactly this. If you joined a linux machine to a
>> Windows Domain you can use winbind and ntlm_auth to authenticate third
>> party Software like squid against the windows dc also with sso. I
>> would like to use it the other way. If it would be possible that samba
>> calls an external tool to do ntlm challenge response auth i could use
>> it with OTPme. :)
>>
>> -------- Original message --------
>> From: Gaiseric Vandal
>> Date: 01.13.2015 22:57 (GMT+01:00)
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] OTP authentication
>>
>> On 01/13/15 16:21, the2nd at otpme.org wrote:
>> > hi,
>> >
>> > i would like to ask if it would be possible to use samba with one time
>> > passwords. i know there are commercial and OSS solutions to do this
>> > (e.g. http://pgina.org/) but i would prefer to do it without any
>> > software that needs to be installed on windows.
>> >
>> > would this technically be possible or is this already possible?
>> >
>> > regards
>> > the2nd
>>
>>
>> Samba at one point allowed you to use pam authentication. Which
>> makes me think that you could then use it with the RSA SecurID
>> client software (or radius modules) to talk back to a RSA SecurID
>> server. It would require unencrypted passwords which would then add
>> a new security risk.