Smartcard Authentication with Samba 3.0
Peter Koch
samba02.z.pkoch at spamgourmet.com
Sat Dec 13 22:45:15 GMT 2003
Hi all,
I would like to add smartcard authentication to samba. Microsoft has
published a White paper "Windows 2000 Server Smart Card Logon" and
there's a chapter "How Smart Card Authentication works" with the
following info:
Interactive Logon using a smart card begins when a user inserts
a smart card into a smart card reader that signals the Windows
2000 operating system to prompt for a Personal Identification
Number (PIN) instead of a username, domain name and password.
...
After a user inputs a PIN to the logon dialog, the operating
system begins a sequence of actions to determine whether the
user can be identified and authenticated based on credential
information the user has provided (PIN and smart card).
The logon request first goes to the LSA that subsequently
forwards it to the Kerberos authentication package running
on the client. The Kerberos package sends an authentication
service (AS) request to the KDC service running on a domain
controller to request authentication and a Ticket Granting
Ticket (TGT). As part of the AS request, the client-side Kerberos
package includes the user's X.509 version 3 certificate,
retrieved from the smart card, in the pre-authentication data
fields of the AS request. An authenticator, included in the
pre-authentication data fields, is digitally signed by the user's
private key so that the KDC can verify the AS request originated
from the owner of the accompanying certificate.
...
Upon successful verification of the user's certificate, the KDC
then uses CryptoAPI to verify the digital signature on the
authenticator that was included as signed data in the
pre-authentication data fields.
...
Upon verifying that a user is who they say they are and that the
certificate can be used to authenticate to the domain, the KDC
service then queries the domain's directory for account information.
The KDC service retrieves user account information from Active
Directory based on the User Principal Name (UPN) specified in
the Subject Alternative Name field in the user's public key
certificate. The account information that the KDC retrieves
from the directory is used to construct a TGT. The TGT will
include the user's Security ID (SID), the SIDs for any domain
groups to which the user belongs, and potentially the SIDs for
any universal groups in which the user is a member. The list
of SIDs is included in the TGT's authorization data fields.
The KDC encrypts the TGT using a random key generated specifically
for this purpose. The random key is itself encrypted using the
public key from the user's certificate and the encrypted key is
included in the pre-authentication data field of the KDC's response.
The KDC signs the reply using its private key so that the client
can verify the reply is from a trusted KDC.
As I'm not familiar with the samba source code, I need some starting
help. Where can I add debug statements that will output the
pre-authentication data that a smartcard client has sent to samba?
Any other suggestions or comments?
Thanks
Peter Koch
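The KDC-side sequence quoted above (verify the certificate chain, check the authenticator signed by the card's private key, map the certificate's UPN to an account, build a TGT with the account's SIDs, seal it under a random key that is itself encrypted to the user's public key, sign the reply) modelled end to end in Go, as an added example. This is not code from the original post or from Samba: the message shapes (ASRequest, ASReply, TGT), the KDC struct with its directory map, the names, keys and SIDs are all constructed for the demonstration, and real Kerberos PKINIT encodes these as ASN.1 pre-authentication data rather than JSON. Two simplifications are labelled in the comments: Go's x509 package does not decode the Microsoft UPN otherName, so the UPN travels in an rfc822Name SAN, and one key serves as both the issuing CA and the KDC signing key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical message shapes. Real PKINIT carries these as ASN.1 pre-authentication data; this only models the flow.
type ASRequest struct{ CertDER, Authenticator, Signature []byte } // card certificate + authenticator signed by the card key
type ASReply struct{ EncTGT, EncKey, Signature []byte }           // sealed TGT, random key encrypted to the user, KDC signature
type TGT struct {
	UPN  string
	SIDs []string // user SID plus group SIDs: the TGT's authorization data
}

// KDC holds its signing key, the CAs it trusts to issue logon certificates, and a constructed stand-in for AD (UPN -> SIDs).
type KDC struct {
	Key       *rsa.PrivateKey
	Roots     *x509.CertPool
	Directory map[string][]string
}

func hashOf(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// HandleAS is the KDC side, in the order the white paper gives; any failure is a refusal and nothing is issued.
func (k *KDC) HandleAS(req ASRequest) (ASReply, error) {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err == nil { // 1. the certificate must chain to a CA the KDC trusts and be valid for client authentication
		_, err = cert.Verify(x509.VerifyOptions{Roots: k.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return ASReply{}, fmt.Errorf("certificate rejected: %w", err)
	}
	// 2. The authenticator must verify under the certified key: proof that the sender holds the card's private key.
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashOf(req.Authenticator), req.Signature) != nil {
		return ASReply{}, fmt.Errorf("authenticator signature invalid")
	}
	// 3. Map the certificate to an account by the UPN in its Subject Alternative Name. Go's x509 does not decode
	//    the Microsoft UPN otherName, so this model carries the UPN as an rfc822Name SAN; exactly one is expected.
	upn := strings.Join(cert.EmailAddresses, ";")
	sids, found := k.Directory[upn]
	if !found {
		return ASReply{}, fmt.Errorf("no account for UPN %q", upn)
	}
	// 4. Build the TGT from directory data and seal it under a fresh random key (AES-256-GCM here).
	tgtBytes, _ := json.Marshal(TGT{UPN: upn, SIDs: sids})
	rnd := make([]byte, 44) // 32-byte key followed by a 12-byte nonce
	if _, err := rand.Read(rnd); err != nil {
		return ASReply{}, err
	}
	block, _ := aes.NewCipher(rnd[:32])
	gcm, _ := cipher.NewGCM(block)
	encTGT := gcm.Seal(append([]byte{}, rnd[32:]...), rnd[32:], tgtBytes, nil)
	// 5. Send the random key back encrypted to the public key from the user's certificate.
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rnd[:32], nil)
	if err != nil {
		return ASReply{}, err
	}
	// 6. Sign the reply so the client can verify it came from a trusted KDC.
	sig, err := rsa.SignPKCS1v15(rand.Reader, k.Key, crypto.SHA256, hashOf(append(append([]byte{}, encTGT...), encKey...)))
	return ASReply{EncTGT: encTGT, EncKey: encKey, Signature: sig}, err
}

// Logon is the client side end to end: send the card's certificate with an authenticator signed by the card key,
// then check the KDC's signature on the reply, unwrap the random key with the card key and decrypt the TGT.
func Logon(kdc *KDC, cardKey *rsa.PrivateKey, certDER []byte, upn string) (tgt TGT, err error) {
	auth, _ := json.Marshal(map[string]string{"upn": upn, "time": time.Now().UTC().Format(time.RFC3339)})
	sig, err := rsa.SignPKCS1v15(rand.Reader, cardKey, crypto.SHA256, hashOf(auth))
	if err != nil {
		return
	}
	rep, err := kdc.HandleAS(ASRequest{CertDER: certDER, Authenticator: auth, Signature: sig})
	if err != nil {
		return
	}
	// Nothing in the reply is trusted until the KDC's signature over it checks out.
	signed := hashOf(append(append([]byte{}, rep.EncTGT...), rep.EncKey...))
	if rsa.VerifyPKCS1v15(&kdc.Key.PublicKey, crypto.SHA256, signed, rep.Signature) != nil {
		return tgt, fmt.Errorf("reply not from a trusted KDC")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardKey, rep.EncKey, nil) // only the card can unwrap this
	if err != nil {
		return
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, rep.EncTGT[:12], rep.EncTGT[12:], nil)
	if err != nil {
		return
	}
	err = json.Unmarshal(plain, &tgt)
	return
}

// Setup builds a constructed issuing CA (its key doubles as the KDC signing key here, a simplification) and a card
// holder "alice". Names, keys and SIDs are generated or made up; the card key is returned only to drive the client side.
func Setup() (*KDC, *rsa.PrivateKey, []byte, error) {
	kdcKey, _ := rsa.GenerateKey(rand.Reader, 2048) // GenerateKey fails only if crypto/rand does
	cardKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &kdcKey.PublicKey, kdcKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	user := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"}, EmailAddresses: []string{"alice@example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER, err := x509.CreateCertificate(rand.Reader, user, caCert, &cardKey.PublicKey, kdcKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	directory := map[string][]string{"alice@example.com": {"S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-513"}} // user SID, Domain Users (RID 513)
	return &KDC{Key: kdcKey, Roots: roots, Directory: directory}, cardKey, userDER, err
}

func main() {
	kdc, cardKey, certDER, err := Setup()
	if err == nil {
		fmt.Println(Logon(kdc, cardKey, certDER, "alice@example.com"))
	}
}
```

Running it prints the decrypted TGT for "alice" with her two SIDs. The refusals in HandleAS are the interesting part for a server implementer: a certificate from an untrusted CA, an authenticator signed by some key other than the one in the certificate, or a certificate whose UPN has no account each stop the exchange before any ticket is built. The start of HandleAS, where the request with its certificate and signed authenticator first arrives, is the analogue of the place where one would log incoming pre-authentication data while debugging a server.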