Samba4: SamLogonWithFlags on RPCNetlogon

Andrew Bartlett abartlet at samba.org
Wed Jun 25 01:38:46 GMT 2008


On Tue, 2008-06-24 at 19:36 +0900, 西崎 隆志 wrote:
> Dear all,
> 
> I installed Samba4 alpha4, and now I am trying Windows Smart-Card Logon to Samba4-DC.

Very interesting!

> I arranged a server and user certificates referring to the Heimdal web site.
> 
> And now, I am testing Samba's netlogon process.
> Samba makes responses to the netlogon requests such as "ServerReqChallenge", "ServerAuthenticate3", and "LogonGetDomainInfo".
> However, when a client windows machine sent a "LogonSamLogonWithFlags" request to the samba DC, it did not make a response.
> 
> In my smbd.log, I found the following message:
> ndr_pull_error(2): Bad switch value 4

It looks like we need to implement 'generic package logons'. 

> And I found that this message was generated in the function "ndr_pull_netr_LogonLevel()" called by the function "ndr_pull_netr_LogonSamLogonWithFlags()" in "librpc/gen_ndr/ndr_netlogon.c".
> In the logon-level function, there is no "case 4".
> I copied "case 6" part to "case 4" part, but it did not work well.
> 
> Would you please give me some advice?

So, looking at the Microsoft WSPP docs, this looks quite sane to manage.

(The WSPP docs are at
http://msdn.microsoft.com/en-us/library/cc197979.aspx)

Implementing the IDL is the easy part. See MS-NRPC section 2.2.1.4.2.

However, this is just a wrapper (see MS-APDS), so you need to implement
MS-RCMP.  None of these protocols look particularly difficult.  Indeed
if this is the main task, then getting Samba4 to accept smart card login
may be quite simple.

I suggest using Heimdal's X.509 library to parse the certificate, if
possible.

I'm really keen to see this happen, so please let me know how you would
like to work on this - would you like to have a go, or does the above
look just a bit too complex?  

Is there a file-based certificate system for windows, that I can use for
testing?

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.