Merge basic pGina stuff into Privacy Idea Windows CP?

Hello all,

First post here but I’m following the project already for some time because I’m interested to see if it can replace my current pGina integration.

First I’m going to explain my current setup, next I want to dream about how the ideal world will look like with Privacy Idea

The current setup:
I have a CentOS server with 389-DS ldap, mail and samba shares. The client PC’s all have Windows 10 installed. All clients also have pGina (https://github.com/MutonUfoAI/pgina) installed and connect to the ldap-server when a user wants to login. If the user is allowed, a login script is run to connect the different samba shares and user network home as network drives.
This setup worked quite well, but with Windows 10 things start to break because of the changes in the CP.

Dream with Privacy Idea …
First I don’t know a lot about Privacy Idea, so maybe I’m completely wrong. But this will give me the opportunity to think about the unthinkable
Because Windows is changing the CP it’s better to keep your own developped CP as minimum as possible. For pGina this means stripping off a lot of weight like UI and plugins, so the user connects first to a backend (hello Privacy Idea). This backend then does all the stuff needed and sends data back to the CP which then can act on it. So the idea here is to have a Windows CP which connects to Privacy Idea. Privacy Idea then checks the credentials etc. with 389-ds ldap (bit like http://mutonufoai.github.io/pgina/documentation/user.html#how_pgina_works) and then returns something. It would be very nice to have the possibility to execute a script or run a CP-plugin to connect the samba shares, maybe even create a Kerberos ticket, all on the client side. To think a a lot further maybe group policies can be added as well, so the client PC’s have the right policies applied.

I know, there is a Windows CP for Privacy Idea, but I don’t have any idea how it works right know and if it is possible to have something like my dream. Also you can say “We are not creating a Active Directory Server”. But please think a bit about it.

Also, this is not really about two-factor authentication, but just a very basic login. But two-factor should also be possible.

Any thoughts?

We are not creating an active directory server.

OK, kidding asside. I think pGina does to much stuff. There are a lot of things you mention, that are not the responsibility of a credential provider.
The thing with the privacyIDEA Credential Provider is, that we try to integrate into a Windows environment, since this is what 99,5% of the use cases require. This means,

1. We need to do a kerberos authentication
2. We need to leave stuff like shares to the group policies and other mechanisms

Currently we do this by actually requesting the Windows password from the user. During a domain login, this is the Active-Directory-Password but it can also be the password of a local account.

And even if you do not want to use Microsoft Active Directory, you can still go for Samba 4, which would actually work just the same.

The only thing I am missing in the privacyIDEA credential provider is to obtain a keberos ticket without the need to present the active directory password.

Thanks for clearing things up!. I have worked with samba (3) as a domain controller which didn’t work quite well, so we decided to move to an environment where pGina is used to authenticate the user and use the samba plugin to connect the shares. Also the idea was to have the possibility to have a mixed environment (Linux, MacOS, Windows) without much effort.

As you said, it’s way more then a CP should do (I also don’t have a lot of programming experience on Windows) but is it possible to create hooks into the CP which hands off data to a mechanism which can do something with it? Like the user doesn’t exist on the client yet, so a new user and home directory etc should be created. This can be done by a hook or mechanism, but those need information about what to do.

But can I use the current Privacy Idea CP for ldap authentication?

Use Samba 4. This way you have a complete active directory (kerberos)

I do not know if this is possible but I also do not think that this is necessary. Since you have all these features if you have a correct domain and not running all the logic on the client.

This happens automatically if the windows machine is a member of your samba 4 domain.

No. At the end of the day the credential provider performs a windows authentication. And this is usually a local user authentication or a kerberos authentication in the domain.

But we will think about, if there is any use case, that would make sense for us.