Andrew,
Yes, there is some room here to work.
AD, even inside Samba, depends on several other network services, so placing a
system like this in a DMZ will be a challenge, but it is still preferred to NTLM given
its age and support status.
What is needed is a better way to integrate IDM and SAML.
Regards,
JD
-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Monday, November 9, 2020 4:10 PM
To: Deas, Jim <James.Deas at warnerbros.com>; samba at lists.samba.org
Subject: Re: [Samba] Multi-factor Auth status
On Mon, 2020-11-09 at 23:00 +0000, Deas, Jim via samba wrote:
> Is there any information I can grab on implementing MFA via the samba
> 4 AD? Perhaps via the Okta API or SAML?
So Samba in this instance acts just as any other AD DC at around the 2008 functional
level. For web applications that can integrate with AD and then add MFA at
that layer, it should work just like Windows does, storing the password and
perhaps some metadata in AD.
For Windows logon, MFA is possible via smart card tokens, but that is a
heavy-weight approach for some.
The lighter-weight options are harder, as the APIs are fixed as NTLM or Kerberos,
but if something can be, or pretend to be, a smart card to Windows, then that can
be made to work.
Furthermore, we would like to make this work even better, so if you are
interested in that and can pitch in for the development effort I would love to
explore this more.
Some have expressed ideas about MFA particularly for Linux clients, and there we
could potentially be much more flexible, as we can potentially control the
client and server side.
My ideal would be to support Windows Hello for Business, but that needs a chunk
of technologies (ADFS stuff) we don't have right now.
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team
https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba