similar to: Authenticating to samba LDAP using a TLS cert?

Alon, I should have provided more background. You are assuming that I could perform the PKINIT prior to connecting to the SSH server. In this case (and others) there is an interest in not exposing the kerberos servers to the world and thus someone connecting remotely would not be able to obtain a TGT or do a PKINIT. The goal would be for SSH to handle all the auth and only after connecting to

Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this

I know OpenSSH currently supports PKCS11 devices (such as smartcards) for publickey authentication, but I would love to see PKCS11 extended further. It is currently possible to perform PKCS11 certificate authentication, via pam_krb5.so (on Linux at least and likely something similar on other *NIX) which allows smartcard auth to a Kerberos (including AD) server, where a TGT can also be granted.

[[Sending again, as for some strange reason it is not accepted]] Hello OpenSSH developers, I maintain external patch for PKCS#11 smartcard support into OpenSSH[1] , many users already apply and use this patch. I wish to know if anyone is interesting in working toward merging this into mainline. I had some discussion with Damien Miller, but then he disappeared. Having standard smartcard

Hi to Samba list, dev, contributors and all the community. We are samba users for a long time now, and S4 since the early alpha version. We run now 5 DC for 700 users in our hospital and are very enthusiastic. This is definitely a great project. But now, we face a new challenge. We look over a new authentication method rather than the old user/password. Because we have many users switching

On Mon, 2018-03-19 at 11:55 +1300, Garming Sam via samba wrote: > Hi, > > Maybe this page might be helpful. I don't know how up to date it is, but > the expectation seems to be that it should be able to work with > alternative forms of authentication (with Kerberos PKINIT). > > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Yeah, I think something that

Hi, I'm currently using an AD with PKI/certificate authentication ( some of my users are even using smartcards ). Could I replace my Microsoft AD & certificates with a pure Samba solution ? any tricks, non features I should know ? If so , do you know any docker image maybe that I could start with to do my test ? ( or some VM ? ) Thanks _ -- This email has been checked for

I have a LOT of questions!!! This may take a while. I know some of this stuff is at the edge of what Samba4 is just becoming able to do, so if anyone who knows feels this is better posted on samba-technical I'd appreciate a cross-post from someone in a position to know for sure - I did consider posting it there straight away but I figured it's a dev list and I could at least get _some_ of

Hi all, I was just wondering if any of you are using biometric devices (eg: a fingerprint reader) or smartcards with Samba4 for network logon. Either as a replacement for a password or 'extra' as a 2nd factor. Would be interested in hearing experiences regarding this. Any information would be appreciated. Thanks in advance, Bram. -- Bram Matthys Software developer/IT consultant

Hello Lads, I am not a programmer in any shape or form, so bare with me. Windows AD can support biometric devices, such as fingerprint logins, it actually stores the fingerprint in the database. Will it be possible to store this information in a Samba4 AD enviroment? Cheers, Adrian Sender.

Dear List, I self-host my e-mail and run Dovecot since ever I do that. Dovecot version is 2.3.4.1 (f79e8e7e4), running on Debian testing. Now I am trying to configure Dovecot for client TLS certificates. I have a self-signed certificate whose private key resides on a smartcard (Yubikey, to be exact). I wanted Dovecot to accept that TLS client certificate instead of a password. So I searched and

> > Hi friends, > I need your help. > > I implemented > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login > > https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities > enabling smart card logon on a Windows Server 2016 as a domain member of > Samba DC. > > Currently I

Hi all, I'm new to this mailing list, so I apologize if my question is "obsolete" for you. I'd like to know if anybody has a clear idea about how to connect smartcards to the SSH framework. I yet got a modified ssh-agent (by Stephen Pellicer) that uses SSP-Lite (CyberflexAccess driver by me) in order to use the smartcard instead of the HD files. Instead, I'd like to

====================================================== "It does not matter how slowly you go as long as you do not stop." Confucius ====================================================== Release Announcements --------------------- This is the first stable release of the Samba 4.5 release series. UPGRADING ========= NTLMv1

====================================================== "It does not matter how slowly you go as long as you do not stop." Confucius ====================================================== Release Announcements --------------------- This is the first stable release of the Samba 4.5 release series. UPGRADING ========= NTLMv1

does SAMBA4 support Kerberos S4U tokens? Background: I am trying to get OpenSSH for windows to work on machines joined to our SAMBA4 domain We are running Samba 4.7.3-Debian on Debian 9 When attempting to SSH in to a windows client using public key credentials for a domain user it fails. When attempting to SSH into a windows client using public key credentials for a local user it works just

Are there any plans on the table to add native support for two-factor authentication, such as password *and* public key? Visa PCI standards require two-factor authentication for remote access and if password+key was available in openssh it would be much easier to maintain and support than a full-blown vpn with all the cross-platform compatibility issues that come with one. Thanks! Jacob

Hi, I am not sure if this the right place for the question. Sorry if not ... My System: SuSE 9.2 OpenSSH 3.9p1 I have trouble to use a Smartcard with openssh. If i try to connect directly to the Smartcard, it fails: ssh -I 0:45 localhost card-etoken.c:175:etoken_check_sw: required access right not granted card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied

Op 25-10-2023 om 17:13 schreef Alex via samba: > And will Samba regenerate it's own server certs from that CA, or do I need > to externally generate & renew them with openssl? > Does anything else need to be done before or after replacing the certs in > Samba? This won't break server/domain trust with domain joined workstations? Anything that server that uses TLS will

On Tue, 12 Jun 2018 08:28:10 +0200 Norbert Hanke via samba <samba at lists.samba.org> wrote: > Hi Taylor > > That's not hard to explain: > > The login to a local account is under the control of sshd, and if > that has enough privileges it works. > > The login to a domain account is a kerberos login which requires > either Username and Password, or possibly