
I want to set up 2-factor authentication for both Linux and Windows machines and want to manage the password via an LDAP server.

For this, I am using LDAP (which provides TOTP functionality) to authenticate Linux machines and Samba for Windows machines.

My LDAP server is configured and I am able to access the Linux server with 2FA authentication (userpasswd + TOTP).

Samba is also running fine and I am able to access the Windows server with the Samba user password (as Samba doesn't provide TOTP functionality).

Now, I don't know how to set up the integration between LDAP and Samba so that any user created in LDAP with a password (user pwd string + totp) can be used as a Samba user to log in to Windows machines. Basically, the Samba user can authenticate with the LDAP server with the TOTP passwd.

Here are my slapd.conf and Samba files:

cat etc/openldap/slapd.conf

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

modulepath /usr/local/libexec/openldap
moduleload pw-totp.so
password-hash {TOTP1ANDPW}

database mdb
maxsize 1073741824
suffix "dc=antares,dc=net"
rootdn "cn=Manager,dc=antares,dc=net"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
overlay totp
database monitor

TLSCACertificateFile /etc/pki/tls/openldap/server_cert.pem
TLSCertificateFile /etc/pki/tls/openldap/server_cert.pem
TLSCertificateKeyFile /etc/pki/tls/openldap/server_key.pem
----------------------------------------------------------


cat /usr/local/samba/etc/smb.conf
[global]
netbios name = LDAPSRV
realm = ANTARES.NET
server role = active directory domain controller
workgroup = ANTARES
idmap_ldb:use rfc2307 = yes
security = user
passdb backend = ldapsam:ldap://192.168.1.86:3389/
ldap suffix = dc=antares,dc=net
ldap admin dn = cn=Manager,dc=antares,dc=net
ldap passwd sync = yes
ldap ssl = no

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/antares.net/scripts
read only = No

1 Answer


Now, I don't know how to set up the integration between LDAP and Samba so that any user created in LDAP with a password (user pwd string + totp) can be used as a Samba user to log in to Windows machines. Basically, the Samba user can authenticate with the LDAP server with the TOTP passwd.

You cannot set up such an integration. SMB servers never receive the plaintext password from clients, so they cannot forward it to an LDAP server – they only receive an NTLM challenge response, which cannot be separated into "password + TOTP" any more; it can only be verified against the static hash stored in sambaNTPassword.

user1686
  • Could you please suggest any open-source software or any method which can support 2FA authentication [passwd+totp] for both Linux and Windows machines. – manish pandey Oct 03 '22 at 05:45
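The Linux-side check the question relies on only works because a plaintext LDAP bind delivers "password + TOTP" to the server, which can split the string and verify each factor; the answer's point is that an SMB server never holds that plaintext. The following is an added example, not code from the question, the answer or the OpenLDAP pw-totp overlay: it reimplements RFC 4226/6238 code generation and the split-and-verify step, and the salted-hash storage layout and the RFC 4226 test seed are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # length of the TOTP suffix appended to the password
STEP = 30    # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step)


def hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative salted hash (assumption); a real directory would store e.g. {SSHA} or {PBKDF2}.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_password_and_totp(submitted: str, stored_hash: bytes, salt: bytes,
                             totp_secret: bytes, now: int, window: int = 1) -> bool:
    """Split the trailing DIGITS characters off the plaintext and check both factors.

    This is only possible because the server sees the plaintext; an NTLM
    challenge response carries no such string to split.
    """
    if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
        return False
    password, code = submitted[:-DIGITS], submitted[-DIGITS:]
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    counter = now // STEP
    # Accept codes from adjacent time steps to tolerate clock skew; constant-time compares.
    code_ok = any(hmac.compare_digest(hotp(totp_secret, counter + d), code)
                  for d in range(-window, window + 1))
    return pw_ok and code_ok


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 4226 Appendix D test seed (constructed input)
    salt = b"constructed-salt"
    stored = hash_password("hunter2", salt)
    print(totp(seed, 59))                   # 287082
    print(verify_password_and_totp("hunter2" + totp(seed, 59), stored, salt, seed, 59))
```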