[Samba] Smart card logon

Asier Baranguán abaranguan at elpagestion.com
Thu Feb 21 07:45:53 GMT 2008


Andrew Bartlett wrote:

>> I'm not a coder (almost in C), but have the time and need for trying smartcard logon with 
>> Samba. I have all the tools and software needed: smartcards+usb readers, usb tokens, PKI 
>> infrastructure... how can I help?
> 
> How are you with setting up windows systems for smart card logins?

It's one task of my daily work. I've deployed smartcard logons in several customer
scenarios, with Windows 2003 Enterprise domains using n-level certification authorities,
using Microsoft CA Certificate Services and externally trusted certification authorities.
Some clients have Linux-based servers and workstations. Making smartcard logon work on
these systems would be very, very appreciated.

I can write you an in-depth kind of HOWTO on this topic if you want, with my bad English
(do you understand Spanish?)

> Do you have much experience with virtualisation tools such as qemu/kvm?

I've played with qemu (not kvm) and some vmware products on an almost daily basis. All my
customer scenarios are previously recreated with these tools.

> I've not really looked at this area, but the first question I have is:
> how does a windows client know to accept a smart card login, and what
> certificate it should trust. 

Well, my knowledge about technical aspects doesn't go so far.

When you install some cryptographic device in a Windows workstation, even without being
joined to a domain, the logon screen changes and shows you the option to perform a logon via
a smart card, but as far as I know this is only possible if the machine is joined to a
Windows domain which must have a Windows 2003 Enterprise DC.

To accept a smartcard logon, Windows servers trust certificates signed by certification
authorities whose certificates are in the NTAuth store, in this registry location:

HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

This store is replicated between all the domain controllers and workstations, but I must
confirm the latter. Perhaps you already know this.

> Accepting the PKINIT request already works (we test this in 'make
> test'), but surely there will be many more things to fix. 

Are you talking about Samba3 or Samba4? I'd like to test this.

--
Asier
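An added audit script for the NTAuth store described in the message above (example code, not from the thread or from Samba). It assumes a domain-joined Windows host, that each registry Blob value is a serialized store element the X509Certificate2 constructor can load, and that the domain copy lives in the NTAuthCertificates object under the configuration naming context.

```powershell
# Added example, not from the thread: audit the NTAuth store described above.
# Lists the CA certificates this host accepts as smart card logon issuers,
# flags expired or non-CA entries, and compares the local copy with the
# domain's NTAuthCertificates object, which the local copy is replicated from.
# Assumptions: domain-joined Windows host; each registry Blob is a serialized
# store element that X509Certificate2 can load.
$NtAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

function ConvertTo-Certificate([byte[]]$Bytes) {
    New-Object -TypeName $X509 -ArgumentList (,$Bytes)
}

function Get-LocalNTAuthCertificate {
    if (-not (Test-Path $NtAuthKey)) {
        Write-Warning "NTAuth key missing: $NtAuthKey (host not domain-joined, or policy not yet applied?)"
        return
    }
    foreach ($subKey in Get-ChildItem -Path $NtAuthKey) {
        $blob = (Get-ItemProperty -Path $subKey.PSPath -Name Blob).Blob
        try { $cert = ConvertTo-Certificate $blob } catch {
            Write-Warning "Undecodable blob under $($subKey.PSChildName)"; continue
        }
        $bc = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            IsCA       = [bool]($bc -and $bc.CertificateAuthority)  # a non-CA cert here deserves review
            KeyMatches = ($subKey.PSChildName -ieq $cert.Thumbprint) # subkey name should be the thumbprint
        }
    }
}

function Get-DomainNTAuthThumbprint {
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $obj = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgNc"
    foreach ($der in $obj.Properties['cACertificate']) { (ConvertTo-Certificate $der).Thumbprint }
}

$local  = @(Get-LocalNTAuthCertificate)
$domain = @(Get-DomainNTAuthThumbprint)
$local | Format-Table Thumbprint, Subject, NotAfter, Expired, IsCA, KeyMatches -AutoSize
# An entry present locally but absent from AD was not put there by domain replication.
$local | Where-Object { $domain -notcontains $_.Thumbprint } |
    ForEach-Object { Write-Warning "Local-only NTAuth entry: $($_.Thumbprint) $($_.Subject)" }
```

Run it in an elevated PowerShell session on a workstation and on a domain controller to see whether the two copies agree, which is the replication question left open in the message above.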
