Is there any information I can grab on implementing MFA via the Samba 4 AD? Perhaps via the Okta API or SAML?

JD
On Mon, 2020-11-09 at 23:00 +0000, Deas, Jim via samba wrote:
> Is there any information I can grab on implementing MFA via the
> samba 4 AD? Perhaps via the Okta API or SAML?

So Samba in this instance acts just as any other AD DC around 2008 functional level.

For web applications that can integrate with AD and then add MFA at that layer, it should work just like Windows does - storing the password and perhaps some metadata in AD.

For Windows logon, MFA is possible via smart card tokens, but that is a heavy-weight approach for some. The lighter-weight options are harder as the APIs are fixed as NTLM or Kerberos, but if something can be, or pretend to be, a smart card to Windows then that can be made to work.

Furthermore, we would like to make this work even better, so if you are interested in that and can pitch in for the development effort I would love to explore this more. Some have expressed ideas about MFA particularly for Linux clients, and there we could potentially be much more flexible, as we can potentially control the client and server side.

My ideal would be to support Windows Hello for Business, but that needs a chunk of technologies (ADFS stuff) we don't have right now.

Andrew Bartlett

-- 
Andrew Bartlett                        samba.org/~abartlet
Authentication Developer, Samba Team   samba.org
Samba Developer, Catalyst IT           catalyst.net.nz/services/samba
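The "MFA at the application layer, password in AD" pattern Andrew describes, as an added example that is not part of this thread and not Samba code. The first factor is an LDAP simple bind against the DC (Samba AD and Windows AD behave the same here); the second is an RFC 6238 TOTP code whose shared secret the application keeps itself. The DC only ever sees the password check; NTLM/Kerberos are untouched. Everything below the library code (the user `jdoe@example.internal`, its password, the in-memory stand-in for the DC) is constructed so the example runs offline; `ldap3_simple_bind` is the hook you would wire in against a real DC and assumes the `ldap3` library is installed.

```python
"""Added example: MFA layered on an AD DC (Samba or Windows) at the web-app tier."""
import hashlib
import hmac
import struct
from typing import Callable, Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def ldap3_simple_bind(server_uri: str) -> Callable[[str, str], bool]:
    """First-factor hook for a real DC using the ldap3 library (assumed installed).
    Not called by the offline demo below."""
    def bind(upn: str, password: str) -> bool:
        import ldap3
        from ldap3.core.exceptions import LDAPException
        if not password:
            return False  # empty password = LDAP unauthenticated bind, never a login
        server = ldap3.Server(server_uri, use_ssl=True)
        try:
            conn = ldap3.Connection(server, user=upn, password=password,
                                    authentication=ldap3.SIMPLE, auto_bind=True)
            conn.unbind()
            return True
        except LDAPException:
            return False
    return bind


class AdMfaAuthenticator:
    """Two-factor login: AD password bind first, then TOTP with replay protection."""

    def __init__(self, bind: Callable[[str, str], bool], step: int = 30, skew: int = 1):
        self.bind = bind          # (user_principal, password) -> True on successful bind
        self.step = step
        self.skew = skew          # tolerate +/- this many time steps of clock drift
        self.totp_secrets: Dict[str, bytes] = {}  # application-side per-user secrets
        self.last_counter: Dict[str, int] = {}    # highest counter accepted per user

    def enroll(self, upn: str, secret: bytes) -> None:
        self.totp_secrets[upn] = secret
        self.last_counter[upn] = -1

    def _verify_totp(self, upn: str, code: str, unix_time: int) -> bool:
        secret = self.totp_secrets.get(upn)
        if secret is None:
            return False
        base = unix_time // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self.last_counter[upn]:
                continue  # counter already consumed: reject replayed or older codes
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[upn] = counter
                return True
        return False

    def login(self, upn: str, password: str, code: str, unix_time: int) -> bool:
        # Password first: a TOTP counter is only consumed once the first factor
        # holds, so someone without the password cannot burn the user's codes.
        if not self.bind(upn, password):
            return False
        return self._verify_totp(upn, code, unix_time)


# Constructed stand-in for the DC so the example runs offline.
FAKE_DIRECTORY = {"jdoe@example.internal": "CorrectHorseBatteryStaple"}


def fake_bind(upn: str, password: str) -> bool:
    return bool(password) and FAKE_DIRECTORY.get(upn) == password


RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret


def demo() -> Dict[str, bool]:
    upn, pw = "jdoe@example.internal", "CorrectHorseBatteryStaple"
    auth = AdMfaAuthenticator(fake_bind)
    auth.enroll(upn, RFC6238_SECRET)
    t = 59  # RFC 6238 vector: 6-digit SHA1 TOTP at T=59 is 287082
    return {
        "good": auth.login(upn, pw, "287082", t),
        "replay": auth.login(upn, pw, "287082", t),          # same code again
        "bad_password": auth.login(upn, "wrong", totp(RFC6238_SECRET, 1111111109), 1111111109),
        "bad_code": auth.login(upn, pw, "000000", 1111111111),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is what makes the skew window safe: accepting +/- one step is fine only if a code, once accepted, can never be accepted again, which is why `last_counter` is stored per user and is monotonic.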
Andrew,

Yes, there is some room here to work. AD even inside Samba depends on several other network services, so placing a system like this in a DMZ will be a challenge, but still preferred to NTLM given its age and support status. What is needed is a better way to integrate IDM and SAML.

Regards,
JD

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Monday, November 9, 2020 4:10 PM
To: Deas, Jim <James.Deas at warnerbros.com>; samba at lists.samba.org
Subject: Re: [Samba] Multi-factor Auth status