Andrew Bartlett
2018-Mar-19 03:36 UTC
[Samba] Your advices regarding authentication methods compatible with S4
On Mon, 2018-03-19 at 11:55 +1300, Garming Sam via samba wrote:
> Hi,
>
> Maybe this page might be helpful. I don't know how up to date it is, but
> the expectation seems to be that it should be able to work with
> alternative forms of authentication (with Kerberos PKINIT).
>
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login

Yeah, I think something that presents as smart card login is likely to be the best bet. Smart cards are a pain, but could certainly help with the speed (compared with long complex passwords).

The PKINIT stuff is meant to work, certainly worth a play in the lab. The main thing I would want to check on is revocation of the certificates (for when a badge is lost/stolen). We may need to work on that to use some kind of online check or to get Heimdal to re-load the Certificate Revocation list if it doesn't already.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
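Added example (not part of the thread, and not Samba or Heimdal code): a lab check for the revocation concern raised above, using only the openssl command line. It builds a throwaway CA and one certificate (the names "Lab CA" and "badge-user" and all file names are constructed), revokes the certificate, and shows that a verifier still holding the pre-revocation CRL keeps accepting it until the new CRL is loaded.

```shell
# Constructed lab; shows openssl's CRL handling only, not Samba's or Heimdal's.
crl_lab() (
  d=$(mktemp -d) && cd "$d" || exit 2
  mkdir certs && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab
[ lab ]
database = ./index.txt
new_certs_dir = ./certs
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
unique_subject = no
policy = pol
[ pol ]
commonName = supplied
EOF
  q() { "$@" >/dev/null 2>&1 || exit 2; }   # run quietly, abort the lab on failure
  check() { openssl verify -crl_check -CAfile ca.pem -CRLfile "$1" user.pem \
              >/dev/null 2>&1 && echo accepted || echo rejected; }
  q openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.pem -subj "/CN=Lab CA" -days 30
  q openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout user.key -out user.csr -subj "/CN=badge-user"
  q openssl ca -batch -config ca.cnf -notext -in user.csr -out user.pem
  q openssl ca -config ca.cnf -gencrl -out crl_old.pem   # CRL issued before the loss
  before=$(check crl_old.pem)
  q openssl ca -config ca.cnf -revoke user.pem           # badge reported lost
  q openssl ca -config ca.cnf -gencrl -out crl_new.pem   # CRL issued after revocation
  stale=$(check crl_old.pem)    # verifier that never re-loaded its CRL
  fresh=$(check crl_new.pem)    # verifier that loaded the new CRL
  cd / && rm -rf "$d"
  echo "$before $stale $fresh"
)
crl_lab   # expected: accepted accepted rejected
```

The middle result is the case to test for in a PKINIT lab: the certificate is already revoked at the CA, but a KDC that has not re-read the CRL has no way to know.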
Olivier BILHAUT
2018-Mar-19 11:01 UTC
[Samba] Your advices regarding authentication methods compatible with S4
Hi Andrew, Hi Sam,

Many thanks for your quick replies, we already worked on this doc page but due to the lack of smart card reader/writer, we did not finish the setup. We'll buy some hardware and create a testing S4 lab to finish this config.

What about biometry? Is there a way to store any biometrical information into the ldap backend?

Is there by any chance any other third-party authentication method/tool that we can plug on S4? We would be pleased to avoid using another smart card if possible.

Cheers.

--
Olivier B

On 2018-03-19 04:36, Andrew Bartlett wrote:
> On Mon, 2018-03-19 at 11:55 +1300, Garming Sam via samba wrote:
>
>> Hi,
>>
>> Maybe this page might be helpful. I don't know how up to date it is, but
>> the expectation seems to be that it should be able to work with
>> alternative forms of authentication (with Kerberos PKINIT).
>>
>> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login [1]
>
> Yeah, I think something that presents as smart card login is likely to
> be the best bet. Smart cards are a pain, but could certainly help with
> the speed (compared with long complex passwords).
>
> The PKINIT stuff is meant to work, certainly worth a play in the lab.
> The main thing I would want to check on is revocation of the
> certificates (for when a badge is lost/stolen). We may need to work
> on that to use some kind of online check or to get Heimdal to re-load
> the Certificate Revocation list if it doesn't already.
>
> Andrew Bartlett

Links:
------
[1] https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Andrew Bartlett
2018-Mar-19 18:24 UTC
[Samba] Your advices regarding authentication methods compatible with S4
On Mon, 2018-03-19 at 12:01 +0100, Olivier BILHAUT via samba wrote:
>
> Hi Andrew, Hi Sam,
>
> Many thanks for your quick replies, we already
> worked on this doc page but due to the lack of smart card reader/writer,
> we did not finish the setup. We'll buy some hardware and create a
> testing S4 lab to finish this config.
>
> What about biometry? Is there a
> way to store any biometrical information into the ldap backend?

Not out of the box, but LDAP can be extended, that is the best part about it.

> Is
> there by any chance any other third-party authentication method/tool
> that we can plug on S4? We would be pleased to avoid using another
> smart card if possible.

Indeed. Most of the systems that do this hook into AD by pretending to be a smart-card system, however, even if they are really not so. AD sees a smart card at the protocol level, but that is emulated and just unlocked by the door card and fingerprint, for example.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba