similar to: Your advices regarding authentication methods compatible with S4

On Mon, 2018-03-19 at 11:55 +1300, Garming Sam via samba wrote: > Hi, > > Maybe this page might be helpful. I don't know how up to date it is, but > the expectation seems to be that it should be able to work with > alternative forms of authentication (with Kerberos PKINIT). > > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Yeah, I think something that

Hi Andrew, Hi Sam, Many thanks for your quick replies, we already worked on this doc page but due to the lack of smart card reader/writer, we did not finished the setup. We'll buy some hadware and create a testing S4 lab to finish this config. What about biometry ? Is there a way to store any biometrical information into the ldap backend ? Is there by any chance any other third-party

Hi, Maybe this page might be helpful. I don't know how up to date it is, but the expectation seems to be that it should be able to work with alternative forms of authentication (with Kerberos PKINIT). https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Cheers, Garming On 16/03/18 22:43, Olivier BILHAUT via samba wrote: > > > Hi to Samba list, dev, contributors and all

Hi All ! Using Samba Version 4.1.12, updated from source from 4.0beta1 I've created a user, let say kerbuser, for a web server to authenticate with kerberos and provide SSO to the end-users. In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser I've added a principal on the user and exported everything in a keytab so

Hi Andrew, Thanks for your reply. We tried successfully the --full-sync option from first to second DC. Unfortunately, afterwards the second DC was still in a corrupted state. The "Deleted Objects" still contained the ugly groups with the missing attribute... So we achieved to get a successfull replication after editing the "deleted objects" with ldbedit. We have deleted

> > Hi friends, > I need your help. > > I implemented > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login > > https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities > enabling smart card logon on a Windows Server 2016 as a domain member of > Samba DC. > > Currently I

Hi all, I would like to set up windows Hello (in the sense user and management are pressuring me) but for both option the schema would need to be at least 87 (windows 2016). I looked on the roadmap, bugzilla but couldn't find anything regarding this topic. Would you know when this version would be available and what is needed in order to achieve so? As a separate question, do you know good

Hi samba4 mates ! We work with a Samba4 in production (10 users) from a few month now, and we wonder about the new specific policy templates that can be created by Microsoft in their recent (or future releases, but we are not rushed) releases. How could we add them to the AD to be able to apply them to the hosts? For example, with windows 7 there is a *new* policy in the Computer

Hi Andrew, I'm very interested in using Windows Hello for Business in small business environments, with Samba as the AD DC. I'm sorry that I don't have great news. The schema upgrade is the easy > part - we could do that by obtaining new schema from Microsoft: > > https://www.microsoft.com/en-nz/download/confirmation.aspx?id=23782 > (and yes, the licence terms are

Alon, I should have provided more background. You are assuming that I could perform the PKINIT prior to connecting to the SSH server. In this case (and others) there is an interest in not exposing the kerberos servers to the world and thus someone connecting remotely would not be able to obtain a TGT or do a PKINIT. The goal would be for SSH to handle all the auth and only after connecting to

Please tell me in technical details how current revocation support works, or give links. Then I will be able to give an answer. On Fri, May 25, 2018 at 7:16 AM, Damien Miller <djm at mindrot.org> wrote: > > > On Fri, 25 May 2018, Yegor Ievlev wrote: > >> Can you implement revocation support? > > What do you want that the existing revocation support lacks?

Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this

Release Announcements ===================== This is the first release candidate of Samba 4.19.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.19 will be the next version of the Samba suite. UPGRADING ========= NEW FEATURES/CHANGES

Release Announcements ===================== This is the first release candidate of Samba 4.19.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.19 will be the next version of the Samba suite. UPGRADING ========= NEW FEATURES/CHANGES

I know OpenSSH currently supports PKCS11 devices (such as smartcards) for publickey authentication, but I would love to see PKCS11 extended further. It is currently possible to perform PKCS11 certificate authentication, via pam_krb5.so (on Linux at least and likely something similar on other *NIX) which allows smartcard auth to a Kerberos (including AD) server, where a TGT can also be granted.

Can you implement revocation support? On Fri, May 25, 2018 at 6:55 AM, Damien Miller <djm at mindrot.org> wrote: > No way, sorry. > > The OpenSSH certificate format was significantly motivated by X.509's > syntactic and semantic complexity, and the consequent attack surface in > the sensitive pre-authentication paths of our code. We're very happy to > be able to

Release Announcements ===================== This is the second release candidate of Samba 4.19.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.19 will be the next version of the Samba suite. UPGRADING ========= NEW FEATURES/CHANGES

Release Announcements ===================== This is the second release candidate of Samba 4.19.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.19 will be the next version of the Samba suite. UPGRADING ========= NEW FEATURES/CHANGES

Release Announcements ===================== This is the third release candidate of Samba 4.19.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.19 will be the next version of the Samba suite. UPGRADING ========= NEW FEATURES/CHANGES

Release Announcements ===================== This is the third release candidate of Samba 4.19.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.19 will be the next version of the Samba suite. UPGRADING ========= NEW FEATURES/CHANGES