Olivier BILHAUT
2018-Mar-16 09:43 UTC
[Samba] Your advices regarding authentication methods compatible with S4
Hi to Samba list, dev, contributors and all the community. We are samba users for a long time now, and S4 since the early alpha version. We run now 5 DC for 700 users in our hospital and are very enthusiastic. This is definitely a great project. But now, we face a new challenge. We look over a new authentication method rather than the old user/password. Because we have many users switching pretty fast from a host to another, we need to facilitate and speed up their authentication process as much as possible. I ask for your experience and your help on any technology that exists that we can plug on our S4 domain to append a new method to the existing one. This can be fingerprint, a smart card or whatever, but we need something compatible with our beloved samba 4. Thanks for your comments. -- Olivier B.
Garming Sam
2018-Mar-18 22:55 UTC
[Samba] Your advices regarding authentication methods compatible with S4
Hi, Maybe this page might be helpful. I don't know how up to date it is, but the expectation seems to be that it should be able to work with alternative forms of authentication (with Kerberos PKINIT). https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Cheers, Garming On 16/03/18 22:43, Olivier BILHAUT via samba wrote:> > > Hi to Samba list, dev, contributors and all the community. > > We are > samba users for a long time now, and S4 since the early alpha version. > We run now 5 DC for 700 users in our hospital and are very enthusiastic. > This is definitely a great project. > > But now, we face a new challenge. > We look over a new authentication method rather than the old > user/password. Because we have many users switching pretty fast from a > host to another, we need to facilitate and speed up their authentication > process as much as possible. > > I ask for your experience and your help > on any technology that exists that we can plug on our S4 domain to > append a new method to the existing one. This can be fingerprint, a > smart card or whatever, but we need something compatible with our > beloved samba 4. > > Thanks for your comments. > -- > > Olivier B. >
Andrew Bartlett
2018-Mar-19 03:36 UTC
[Samba] Your advices regarding authentication methods compatible with S4
On Mon, 2018-03-19 at 11:55 +1300, Garming Sam via samba wrote:> Hi, > > Maybe this page might be helpful. I don't know how up to date it is, but > the expectation seems to be that it should be able to work with > alternative forms of authentication (with Kerberos PKINIT). > > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_LoginYeah, I think something that presents as smart card login is likely to be the best bet. Smart cards are a pain, but could certainly help with the speed (compared with long complex passwords). The PKINIT stuff is meant to work, certainly worth a play in the lab. The main thing I would want to check on is revocation of the certificates (for when a badge is lost/stolen). We may need to work on that to use some kind of online check or to get Heimdal to re-load the Certificate Revocation list if it doesn't already. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba