I was trying to research whether multi factor authentication is possible with Samba AD.? There's not that information out there. We have both Linux systems with Winbind authenticating from Samba AD and Windows systems authenticating via Samba AD. ? I saw a message from Louis almost a year ago with some links, but as far as I can tell, not specifically tied to Samba AD (unless I misunderstood).? Rowland - you also mentioned the "freis-franken.org" link, but that doesn't exist anymore.? I'm not looking for LDAP-based proxy type solutions.? I'm looking for something that ties directly into winbind PAM module on Linux and on Windows.? I know if it's doable, someone is doing it.? :) Thoughts? Thanks, Jason.
I use PrivacyIdea as a MFA provider (via RADIUS, though that's just my usage case). It can authenticate directly against winbind or ldap backends, and has a PAM module for Linux clients. For Windows logins, there's a "Credential Provider", details here: https://community.privacyidea.org/t/using-privacy-idea-for-windows-logins/1082/2 . (YMMV, I haven't tried it for that. However, I've played with using it as a backend for Nginx Basic Authentication, which is neat.) Kris Lou klou at themusiclink.net On Thu, Nov 5, 2020 at 12:21 PM Jason Keltz via samba <samba at lists.samba.org> wrote:> I was trying to research whether multi factor authentication is possible > with Samba AD. There's not that information out there. We have both > Linux systems with Winbind authenticating from Samba AD and Windows > systems authenticating via Samba AD. I saw a message from Louis almost > a year ago with some links, but as far as I can tell, not specifically > tied to Samba AD (unless I misunderstood). Rowland - you also mentioned > the "freis-franken.org" link, but that doesn't exist anymore. I'm not > looking for LDAP-based proxy type solutions. I'm looking for something > that ties directly into winbind PAM module on Linux and on Windows. I > know if it's doable, someone is doing it. :) > > Thoughts? > > Thanks, > > Jason. > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Thanks Kris, I greatly appreciate your response. I'll look into this.? I need to be able to do proper Kerberos authentication under at least Linux so that krb5 NFS works. There's some mention of Kerberos there. I just need to explore if it can do what I need. Jason. On Nov. 9, 2020, 3:17 a.m., at 3:17 a.m., Kris Lou via samba <samba at lists.samba.org> wrote:>I use PrivacyIdea as a MFA provider (via RADIUS, though that's just my >usage case). > >It can authenticate directly against winbind or ldap backends, and has >a >PAM module for Linux clients. For Windows logins, there's a >"Credential >Provider", details here: >https://community.privacyidea.org/t/using-privacy-idea-for-windows-logins/1082/2 >. > >(YMMV, I haven't tried it for that. However, I've played with using it >as >a backend for Nginx Basic Authentication, which is neat.) > >Kris Lou >klou at themusiclink.net > > >On Thu, Nov 5, 2020 at 12:21 PM Jason Keltz via samba ><samba at lists.samba.org> >wrote: > >> I was trying to research whether multi factor authentication is >possible >> with Samba AD. There's not that information out there. We have both >> Linux systems with Winbind authenticating from Samba AD and Windows >> systems authenticating via Samba AD. I saw a message from Louis >almost >> a year ago with some links, but as far as I can tell, not >specifically >> tied to Samba AD (unless I misunderstood). Rowland - you also >mentioned >> the "freis-franken.org" link, but that doesn't exist anymore. I'm >not >> looking for LDAP-based proxy type solutions. I'm looking for >something >> that ties directly into winbind PAM module on Linux and on Windows. >I >> know if it's doable, someone is doing it. :) >> >> Thoughts? >> >> Thanks, >> >> Jason. >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba