similar to: Authentication using federated identity

On Thu, Feb 8, 2024 at 1:18?PM Chris Rapier <rapier at psc.edu> wrote: > > I know that there are some methods to use federated identities (e.g. > OAuth2) with SSH authentication but, from what I've seen, they largely > seem clunky and require users to interact with web browsers to get one > time tokens. Which is sort of acceptable for occasional logins but > doesn't

Practically speaking, most popular IAM and SSO solutions offer OIDC SAML tokens but do not offer Kerberos tickets.? OpenID Connect is a standard which itself is based on RFC6749 (OAuth2). This provides a compelling reason to support it in addition to Kerberos.? I'll also note that OIDC tokens are easy to validate without a bidirectional trust relationship between the IdP and RP. SSH

On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote: > On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: > [...] > > ssh_config contains a Match ... exec [command to refresh the certificate]. > > This sort of works, except that it runs the command far too frequently. > > For example, ssh -O exit [name] refreshes the certificate, and it

Hello, I am trying to work out the best way to issue SSH certificates in such way that they only allow access to specific usernames *and* only to specific groups of host. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and

On 30/01/2020 15:02, Christian, Mark wrote: > On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote: >> As a concrete example: I want Alice to be able to login as "alice" >> and >> "www" to machines in group "webserver" (only). Also, I want Bob to >> be >> able to login as "bob" and "www" to machines in group

Hi, I'm having an issue where clang-format is setting the executable bit on all source files it modifies when using the -i parameter. I spent some time troubleshooting this issue today, and I found that clang-format create a new temporary file, writes the formatted source into that file, then copies it over the old file. Deep in the bowels of openNativeFile in

I’m using Cygwin to interact with the source tree. My sources (I’m working on LLVM itself) were created by other developers (and by extension, created by git.exe on my machine), but a quick expirement of trying “touch foo” shows that Cygwin creates files with 644 mode. Finding the file I created in explorer and checking the properties shows it has the following NTFS permissions: My user: Read,

Hello all, I have taken the liberty of creating a new Samba software community over on Lemmy. I realize that mailing lists are the traditional way projects communicate but I wanted a place more public and easier to use. For those who do not know, Lemmy is a federated forms platform. Here are the links to the community: Lemmy form: !sambasoftware at lemmy.sdf.org lemmy,sdf.org:

Hi Stefan, We had a long weekend in New Zealand, I'm catching up now to your emails. Some of the slight differences between Windows tools I've already picked up on and are in my PR Andrew Bartlett mentioned on Friday, but I'm always open to learning what things are missing or different etc. On 23/10/23 02:58, Stefan Kania via samba wrote: > Talking to myself again ;-) > >

Thanks Rob for chiming in. Stefan, I do want to be very clear, one of the big challanges that we as developers face building these kind of tools is that we don't run AD domains day-to-day. So we really value good feedback on the ergonomics. If you can test with our work in progress, we are keen to adapt the tooling where possible to be more in line with what is 'naturally expected, so

Talking to myself again ;-) Samba-tool is working a little bit different then the silo/policy management on a Windows-DC. On a Windows-DC after assigning the user and host to the silo you have to assign the silo to the user and the host. When assigning the user and host to the silo with samba-tool, the assignment to the user and the host will be done at the same time. So now my policy looks

Hello, I have an issue with debug logging when using a custom plugin for Dovecot. In my plugin, I create a child event of the session's user event: ```c struct event *plugin_event = event_create(list->ns->user->event); event_set_name(plugin_event, "oidc_shared_mailboxes_plugin"); event_set_min_log_level(plugin_event, LOG_TYPE_WARNING);

I was playing around again with Windows and when you add members to silos, or remove them, it should not set/unset assigned silo on the user. So I've got a new pull request in Draft state still where I remove that functionality, as well as add some new commands to samba-tool user command. It turned out to be easier to add sub commands to user, as edit user wasn't quite what I thought

Mapping between Windows DACLs and Posix user-group-other file permissions is complex, depends on externalities, and is necessarily lossy: http://www.cygwin.com/cygwin-ug-net/using-filemodes.html http://www.cygwin.com/cygwin-ug-net/ntsec.html While there's a lot of information at those links, they don't completely explain how the mapping works. (And who knows if GnuWin32 does the mapping

Hi! Apologies if this is not the correct place to ask. I am attempting a MFA analysis of a dataset based on wine chemical and sensory analysis, based on the STHDA tutorial [1]. (I am using this dataset here too, as an example dataset to work on without posting my actual data. I've tried this with both my data and the example data, with the exact same results.) The only issue I am having is

Is there any information iI can grab on implementing MFA via the samba 4 AD? Perhaps via the Okta API or SAML? JD

Hello all, I am trying to understand how SAMBA finds nearest Domain Controller when configured to use Active Directory for AuthN. There are some great articles and wikis about how to configure SAMBA against AD, but couldn't find much on what I was looking for. For example 1. Does Samba have built in dc locator functionality like windows clients ? 2. What is the default authN it uses, NTLM

Hello, I am currently trying to connect my Dovecot mail server to Microsoft's Azure-AD and use it as password and user database. I am using version 2.3.7.1. Using the Azure-AD as passdb already works. In this context I noticed that the scope implementation is not yet merged. Since I haven't found any hints for an OAuth2 userdb implementation yet, I wanted to ask if there are any plans

I changed some of the tls options following the document, now config is following: tokeninfo_url = https://keycloak.com/auth/realms/mail/protocol/openid-connect/token introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923 at keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect introspection_mode = post debug = yes rawlog_dir = /tmp/oauth2 #force_introspection

I'd like to: 1) use samba3 as a PDC, and 2) not use LDAP as the account backend database, and 3) specify samba to use but use "encrypt passwords = true", and 4) use an ldap server as the authentication source for samba. Is that possible? I'd assumed it would be given that samba is pam-aware, and I can tell pam to use ldap for authN. However, the man page for smb.conf seems to