samba - Dec 2022 - 2FA for AD-users

Am 02.12.22 um 13:59 schrieb Stefan Kania via samba:
> 
> 
> Am 02.12.22 um 13:17 schrieb Kees van Vloten via samba:
>> On 02-12-2022 13:12, Stefan Kania via samba wrote:
>>> Hello everybody,
>>> I'm looking for a solution to use 2FA on a user login on a
Windows
>>> client.
>>> What I want:
>>> Every time an AD-user is login on a windows system he must not only
>>> give his password but also a second factor. The second factor
should
>>> be timebased. The way to generate the second factor can be the 
>>> googleauthenticator via a smartphone app or any USB-device that can
>>> create a second factor.
>>> I found an article in samba-wiki but it's with win7. Is there
any
>>> solution?
>>> There are some third party tools for a Windows-AD to realize 2FA
for
>>> AD-users. Is there maybe a way to use this tools together with a 
>>> Samba-AD. I know those tool are not Opensource and I have to pay
for
>>> it, but this doesn't matters.
>>> So any solution is welcome :-)
>>>
>>
>> Have a look at Privacyidea.
>> I use it for MFA web- and openvpn-login against Samba but it has a 
>> plugin for MFA windows login as well.
>>
>> - Kees
>>
> Thank's Kees,
> I looked at it, but I think you can generate a 2FA for users located in 
> an AD to authenticate against web-application, but I can't find any
hint
> on how to set up the Windows-authentcation. I don't need a new 
> login-screen for Windows (what some commercial tools have) I could do 
> the 2FA like it's possible with OpenLDAP give the username and then the
> password2fs combination. Protecting a web-application is no problem the 
> problem is always the userlogin to the workstation :-(. But that's what
> I'm looking for.
> 
> 
> 
I found it :-) but up to now it only shows how it works with an 
Microsoft-AD. I contacted a company which provides solutions for 
PrivacyIDEA if it would work with Samba-AD. Let's wait and see ;-)

On 02-12-2022 16:26, Stefan Kania via samba wrote:
>
>
> Am 02.12.22 um 13:59 schrieb Stefan Kania via samba:
>>
>>
>> Am 02.12.22 um 13:17 schrieb Kees van Vloten via samba:
>>> On 02-12-2022 13:12, Stefan Kania via samba wrote:
>>>> Hello everybody,
>>>> I'm looking for a solution to use 2FA on a user login on a
Windows
>>>> client.
>>>> What I want:
>>>> Every time an AD-user is login on a windows system he must not
only
>>>> give his password but also a second factor. The second factor 
>>>> should be timebased. The way to generate the second factor can
be
>>>> the googleauthenticator via a smartphone app or any USB-device
that
>>>> can create a second factor.
>>>> I found an article in samba-wiki but it's with win7. Is
there any
>>>> solution?
>>>> There are some third party tools for a Windows-AD to realize
2FA
>>>> for AD-users. Is there maybe a way to use this tools together
with
>>>> a Samba-AD. I know those tool are not Opensource and I have to
pay
>>>> for it, but this doesn't matters.
>>>> So any solution is welcome :-)
>>>>
>>>
>>> Have a look at Privacyidea.
>>> I use it for MFA web- and openvpn-login against Samba but it has a 
>>> plugin for MFA windows login as well.
>>>
>>> - Kees
>>>
>> Thank's Kees,
>> I looked at it, but I think you can generate a 2FA for users located 
>> in an AD to authenticate against web-application, but I can't find 
>> any hint on how to set up the Windows-authentcation. I don't need a
>> new login-screen for Windows (what some commercial tools have) I 
>> could do the 2FA like it's possible with OpenLDAP give the username
>> and then the password2fs combination. Protecting a web-application is 
>> no problem the problem is always the userlogin to the workstation 
>> :-(. But that's what I'm looking for.
>>
>>
>>
> I found it :-) but up to now it only shows how it works with an 
> Microsoft-AD. I contacted a company which provides solutions for 
> PrivacyIDEA if it would work with Samba-AD. Let's wait and see ;-)
>
You could also try the forum: https://community.privacyidea.org