Smartcard Authentication with Samba 3.0

Peter Koch samba02.z.pkoch at
Sat Dec 13 22:45:15 GMT 2003

Hi all,

I would like to add smartcard authentication to samba. Microsoft has
published a White paper "Windows 2000 Server Smart Card Logon" and
there's a chapter "How Smart Card Authentication works" with the
following info:

  Interactive Logon using a smart card begins when a user inserts
  a smart card into a smart card reader that signals the Windows
  2000 operating system to prompt for a Personal Identification
  Number (PIN) instead of a username, domain name and password.
  After a user inputs a PIN to the logon dialog, the operating
  system begins a sequence of actions to determine whether the
  user can be identified and authenticated based on credential
  information the user has provided (PIN and smart card).
  The logon request first goes to the LSA that subsequently
  forwards it to the Kerberos authentication package running
  on the client. The Kerberos package sends an authentication
  service (AS) request to the KDC service running on a domain
  controller to request authentication and a Ticket Granting
  Ticket (TGT). As part of the AS request, the client-side Kerberos
  package includes the user’s X.509 version 3 certificate,
  retrieved from the smart card, in the pre-authentication data
  fields of the AS request. An authenticator, included in the
  pre-authentication data fields, is digitally signed by the user’s
  private key so that the KDC can verify the AS request originated
  from the owner of the accompanying certificate.
  Upon successful verification of the user’s certificate, the KDC
  then uses CryptoAPI to verify the digital signature on the
  authenticator that was included as signed data in the
  pre-authentication data fields.
  Upon verifying that a user is who they say they are and that the
  certificate can be used to authenticate to the domain, the KDC
  service then queries the domain’s directory for account information.
  The KDC service retrieves user account information from Active
  Directory based on the User Principal Name (UPN) specified in
  the Subject Alternative Name field in the user’s public key
  certificate. The account information that the KDC retrieves
  from the directory is used to construct a TGT. The TGT will
  include the user’s Security ID (SID), the SIDs for any domain
  groups to which the user belongs, and potentially the SIDs for
  any universal groups in which the user is a member. The list
  of SIDs is included in the TGT’s authorization data fields.
  The KDC encrypts the TGT using a random key generated specifically
  for this purpose. The random key is itself encrypted using the
  public key from the user’s certificate and the encrypted key is
  included in the pre-authentication data field of the KDC’s response.
  The KDC signs the reply using its private key so that the client
  can verify the reply is from a trusted KDC.

As I'm not familiar with the samba source code, I need some starting
help. Where can I add debug statements that will output the
preauthentication data that a smartcard-client has sent to samba?

Any other suggestions or comments?


Peter Koch
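The AS exchange the quoted excerpt describes, modelled end to end as an added example (this is not code from the original post, from Microsoft or from Samba). It is a stand-alone Python toy: textbook RSA over fixed Mersenne primes and a SHA-256 counter keystream stand in for CryptoAPI and the Kerberos encryption types, plain dicts stand in for the ASN.1 AS-REQ/AS-REP structures, and the realm EXAMPLE.COM, the UPNs, the SIDs and the directory are all made up. What it shows that the prose does not is the order and effect of the KDC's three checks: a certificate that does not chain to the trusted CA is rejected before anything else, a request from someone who holds the certificate but not the card's private key fails on the authenticator signature, and only a UPN present in the directory yields a TGT carrying that account's SIDs.

```python
"""Toy model of the smart-card AS exchange in the excerpt above. Constructed for
illustration only: textbook RSA over fixed Mersenne primes and a SHA-256 counter
keystream stand in for CryptoAPI and Kerberos encryption types; dicts stand in
for ASN.1 AS-REQ/AS-REP; realm, UPNs, SIDs and directory are made up."""
import hashlib
import json
import secrets

E = 65537

def canon(obj):
    """Deterministic byte encoding of a message (stand-in for DER)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_keygen(p, q):  # textbook RSA from two fixed primes: ([n, e], [n, d])
    return [p * q, E], [p * q, pow(E, -1, (p - 1) * (q - 1))]

def rsa_sign(priv, data):
    return pow(digest_int(data, priv[0]), priv[1], priv[0])

def rsa_verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest_int(data, pub[0])

def rsa_wrap(pub, key16):  # unpadded 128-bit integer, toy only
    return pow(int.from_bytes(key16, "big"), pub[1], pub[0])

def rsa_unwrap(priv, c):
    return pow(c, priv[1], priv[0]).to_bytes(16, "big")

def stream_xor(key, data):
    """SHA-256 counter keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class AuthError(Exception):
    pass

def issue_cert(ca_priv, upn, pub):
    """Certificate = to-be-signed fields (UPN in the SAN) + issuer signature."""
    tbs = {"subject": upn.split("@")[0], "san_upn": upn, "pub": pub}
    return {"tbs": tbs, "sig": rsa_sign(ca_priv, canon(tbs))}

def client_as_req(cert, card_priv, ctime):
    """Client: AS-REQ whose pre-authentication carries the certificate and an
    authenticator signed by the private key held on the card."""
    auth = {"cname": cert["tbs"]["san_upn"], "ctime": ctime, "nonce": secrets.randbits(32)}
    return {"realm": "EXAMPLE.COM", "pa-pk-as-req": {
        "cert": cert, "authenticator": auth, "signature": rsa_sign(card_priv, canon(auth))}}

def kdc_as_rep(req, ca_pub, kdc_priv, directory):
    """KDC: the checks from the excerpt, in order, then the TGT."""
    pa = req["pa-pk-as-req"]
    tbs = pa["cert"]["tbs"]
    if not rsa_verify(ca_pub, canon(tbs), pa["cert"]["sig"]):
        raise AuthError("certificate not issued by a trusted CA")
    if not rsa_verify(tbs["pub"], canon(pa["authenticator"]), pa["signature"]):
        raise AuthError("authenticator not signed by the certificate's key")
    account = directory.get(tbs["san_upn"])  # account lookup by the UPN in the SAN
    if account is None:
        raise AuthError("no account for UPN " + tbs["san_upn"])
    tgt = {"cname": tbs["san_upn"], "sid": account["sid"],
           "group_sids": account["groups"], "authtime": pa["authenticator"]["ctime"]}
    # As the excerpt describes it: TGT under a fresh random key, key wrapped to the
    # user's public key (a real KDC seals the ticket under the krbtgt key instead).
    session_key = secrets.token_bytes(16)
    body = {"enc_key": rsa_wrap(tbs["pub"], session_key),
            "enc_tgt": stream_xor(session_key, canon(tgt)).hex()}
    return {"body": body, "kdc_signature": rsa_sign(kdc_priv, canon(body))}

def client_as_rep(rep, kdc_pub, card_priv):
    """Client: check the KDC signature, unwrap the key, recover the TGT."""
    if not rsa_verify(kdc_pub, canon(rep["body"]), rep["kdc_signature"]):
        raise AuthError("reply not signed by a trusted KDC")
    key = rsa_unwrap(card_priv, rep["body"]["enc_key"])
    return json.loads(stream_xor(key, bytes.fromhex(rep["body"]["enc_tgt"])))

# Constructed environment: toy-sized key pairs built from Mersenne primes.
CA_PUB, CA_PRIV = rsa_keygen((1 << 107) - 1, (1 << 127) - 1)
KDC_PUB, KDC_PRIV = rsa_keygen((1 << 521) - 1, (1 << 607) - 1)
CARD_PUB, CARD_PRIV = rsa_keygen((1 << 61) - 1, (1 << 89) - 1)
ROGUE_PUB, ROGUE_PRIV = rsa_keygen((1 << 61) - 1, (1 << 107) - 1)
DIRECTORY = {"alice@EXAMPLE.COM": {
    "sid": "S-1-5-21-1-2-3-1105", "groups": ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1108"]}}
ALICE_CERT = issue_cert(CA_PRIV, "alice@EXAMPLE.COM", CARD_PUB)

def logon_outcome(cert, card_priv):
    """Run the full exchange; returns the TGT dict or the KDC's rejection reason."""
    try:
        req = client_as_req(cert, card_priv, "20031213224515Z")
        return client_as_rep(kdc_as_rep(req, CA_PUB, KDC_PRIV, DIRECTORY), KDC_PUB, card_priv)
    except AuthError as err:
        return str(err)
```

`logon_outcome(ALICE_CERT, CARD_PRIV)` returns the TGT with alice's SID and group SIDs; `logon_outcome(ALICE_CERT, ROGUE_PRIV)` (the certificate without the card) is rejected on the authenticator signature, and `logon_outcome(issue_cert(ROGUE_PRIV, "admin@EXAMPLE.COM", ROGUE_PUB), ROGUE_PRIV)` (a self-issued certificate naming a privileged UPN) is rejected on the CA check, which is the check that makes the UPN-in-SAN lookup safe to trust. One practical caveat for anyone tracing this on a real network: the AS-REQ goes to the KDC, and Samba 3.0 does not implement a KDC of its own (it relies on an external MIT or Heimdal KDC; a Samba-hosted KDC only arrived with Samba 4), so a smartcard client's pre-authentication data is seen on port 88 at the KDC, not inside smbd.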
