samba - Dec 2022 - 2FA for AD-users

Hello everybody,
I'm looking for a solution to use 2FA on a user login on a Windows client.
What I want:
Every time an AD-user is login on a windows system he must not only give 
his password but also a second factor. The second factor should be 
timebased. The way to generate the second factor can be the 
googleauthenticator via a smartphone app or any USB-device that can 
create a second factor.
I found an article in samba-wiki but it's with win7. Is there any solution?
There are some third party tools for a Windows-AD to realize 2FA for 
AD-users. Is there maybe a way to use this tools together with a 
Samba-AD. I know those tool are not Opensource and I have to pay for it, 
but this doesn't matters.
So any solution is welcome :-)

On 02-12-2022 13:12, Stefan Kania via samba wrote:
> Hello everybody,
> I'm looking for a solution to use 2FA on a user login on a Windows 
> client.
> What I want:
> Every time an AD-user is login on a windows system he must not only 
> give his password but also a second factor. The second factor should 
> be timebased. The way to generate the second factor can be the 
> googleauthenticator via a smartphone app or any USB-device that can 
> create a second factor.
> I found an article in samba-wiki but it's with win7. Is there any 
> solution?
> There are some third party tools for a Windows-AD to realize 2FA for 
> AD-users. Is there maybe a way to use this tools together with a 
> Samba-AD. I know those tool are not Opensource and I have to pay for 
> it, but this doesn't matters.
> So any solution is welcome :-)
>
Have a look at Privacyidea.
I use it for MFA web- and openvpn-login against Samba but it has a 
plugin for MFA windows login as well.

- Kees