2

Do you know of any way to secure Samba shares with 2FA on a Linux server for Windows clients?


I have set up several Windows 10 clients and one Linux server. The Linux server is reachable via WireGuard only. It serves a Nextcloud instance and access to Samba file shares. When a client wants to log in to the Samba shares, it has to authenticate by username and password. I would like to add second-factor authentication to that, so that a user / client has to authenticate with its username + password and a YubiKey or QR code or whatever second factor may be usable in conjunction with the Samba server.


2 Answers

1

One possibility would be to use firewall rules on the Samba server to block access. Before connecting to Samba, users could authorize via a web page, using the "second" authentication factor, and then their IP address could be permitted through the firewall, and they could continue with regular Samba login. Not a smooth and well-integrated approach, but it's a solution that could be implemented on a Linux server.

I just implemented a system that monitors smbstatus to restrict users to their statically assigned VPN addresses. See https://serverfault.com/a/1116288/127791.

0

Yes, it is possible to configure 2FA authentication for Samba shares.

Samba can be set up with LDAP-based authentication. The LDAP server can act as a proxy, handling authentication with both the real LDAP backend and the 2FA server. The user will have the following login scenarios:

  • Username/Password + Push Notification for 2FA.
  • Username/Password + OTP, where both passwords are concatenated since the LDAP protocol does not support challenge-based authentication. In this case, the 2FA backend will validate the combined LDAP and OTP passwords.

Not all 2FA providers support this method, but some do.
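An added illustration of the concatenated password + OTP scenario from the answer above (not code from the answer or from any 2FA product): a sketch of the check a 2FA backend has to make on a single bind password. It assumes a 6-digit RFC 6238 TOTP appended to the password, a local PBKDF2 hash standing in for the bind against the real LDAP backend, and a constructed sample user; all names are hypothetical.

```python
import hashlib, hmac, struct, time

OTP_DIGITS, STEP = 6, 30  # assumed: 6-digit TOTP (RFC 6238), 30 s time step

def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

def split_bind_password(combined: str):
    """Split '<password><otp>'; None if there is no well-formed OTP suffix."""
    otp = combined[-OTP_DIGITS:]
    if len(combined) <= OTP_DIGITS or not (otp.isascii() and otp.isdigit()):
        return None
    return combined[:-OTP_DIGITS], otp

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_bind(combined: str, user: dict, now=None, window: int = 1) -> bool:
    """Accept only if the password AND a fresh, unused OTP are both valid."""
    now = time.time() if now is None else now
    parts = split_bind_password(combined)
    if parts is None:
        return False
    password, otp = parts
    # Stand-in for the proxy's bind against the real LDAP backend.
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = None
    for drift in range(-window, window + 1):  # tolerate small clock skew
        t = now + drift * STEP
        if int(t) // STEP > user["last_counter"] and hmac.compare_digest(totp(user["secret"], t), otp):
            matched = int(t) // STEP
    if pw_ok and matched is not None:
        user["last_counter"] = matched  # an accepted code cannot be replayed
        return True
    return False

# Constructed sample user; the secret is the RFC 6238 test key.
SALT = b"constructed-salt"
USER = {"salt": SALT, "pw_hash": hash_password("s3cret-pass", SALT),
        "secret": b"12345678901234567890", "last_counter": -1}

if __name__ == "__main__":
    print(verify_bind("s3cret-pass" + totp(USER["secret"], time.time()), dict(USER)))
```

Because a Windows client caches the string it sent and may reuse it on reconnect, the replay check means a cached password + OTP value is rejected once the code has been accepted.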
