[Samba] Broken support for Smart Card Logon in Windows 2003 and XP

Michael Wood esiotrot at gmail.com
Wed Oct 6 03:49:53 MDT 2010


This seems like a question for the samba-technical list.  I have added
it to the Cc list.  The Heimdal mailing list might also be able to
help.

2010/10/5 Николай Домуховский <nick2005a.d at gmail.com>:
> Hello.
> As I can see this post: https://jira.it.su.se/jira/browse/HEIMDAL-241,
> at least Samba 4.0.0alpha5 supported Smart Card logon for Windows XP
> workstations.
> Current version (Version 4.0.0alpha14-GIT-77d959f+) does not support
> smart card logon on Windows XP workstation (but Windows 7 works well).
> I tried to compare Kerberos traffic examples from genuine domain
> controller and Samba's response and found at least one difference,
> which could be a cause of issue: Samba (in fact, Heimdal) generates
> PA-PK-AS-REP which violates RFC 3852 (cryptographic message syntax).
> RFC 3852 says:
>
>  If the RecipientIdentifier
>  is the CHOICE issuerAndSerialNumber, then the version MUST be 0.
>  If the RecipientIdentifier is subjectKeyIdentifier, then the
>  version MUST be 2.
>
>
> But Heimdal uses subjectKeyIdentifier in response and version number
> 0. MS uses issuerAndSerialNumber.
> I tried to force Heimdal to use issuerAndSerialNumber in the response
> (simply by commenting out the if statement in the hx509_cms_create_signed
> function and making sigctx.cmsidflag always equal to CMS_ID_NAME), but
> this didn't work: even after that, the response from Samba contains
> subjectKeyIdentifier and version number 0. So I think that maybe this is
> a Heimdal bug and there is some workaround - if you know it, please tell me.
>
> In addition, here are the parsing results of Krb5 AS-REP packet fragments
> (I used Netmon 3.4; it is somewhat better than Wireshark at parsing
> Kerberos packets).
>
>
> From Windows DC:
>
> - Kerberos: AS Response
>  + Length: Length = 2890
>  - AsRep: Kerberos AS Response
>   + ApplicationTag:
>   - KdcRep: KRB_AS_REP (11)
>    + SequenceHeader:
>    + Tag0:
>    + PvNo: 5
>    + Tag1:
>    + MsgType: KRB_AS_REP (11)
>    + Tag2:
>    - Padata:
>     + SequenceOfHeader:
>     - PaData: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/
> PA_PK_AS_REP_WINDOWS_OLD (15)
>      + SequenceHeader:
>      + Tag1:
>      + PaDataType: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/
> PA_PK_AS_REP_WINDOWS_OLD (15)
>      + Tag2:
>      + OctetStringHeader:
>      - PkAsRepOld:
>       + Tag1:
>       - EncKeyPack:
>        + SequenceHeader:
>        + ContentType: IdEnvelopedData (1.2.840.113549.1.7.3)
>        + Tag0:
>        - Content: 0x1
>         - IdEnvelopedData: 0x1
>          + SequenceHeader:
>          + Version: v0 (0)
>          - RecipientInfos:
>           + SetOfHeader:
>           - Info:
>            - Ktri:
>             + SequenceHeader:
>             + Version: v0 (0)
>             - RId:
>              - IssuerAndSerialNumber:
>               + SequenceHeader:
>               + Issuer: ru,neyvabank,CA
>               + SerialNumber: 1077249724
>             + KeyEncryptionAlgorithm: RsaEncryption (1.2.840.113549.1.1.1)
>
> From Samba:
>
> - Kerberos: AS Response
>  + Length: Length = 2960
>  - AsRep: Kerberos AS Response
>   + ApplicationTag:
>   - KdcRep: KRB_AS_REP (11)
>    + SequenceHeader:
>    + Tag0:
>    + PvNo: 5
>    + Tag1:
>    + MsgType: KRB_AS_REP (11)
>    + Tag2:
>    - Padata:
>     + SequenceOfHeader:
>     - PaData: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/
> PA_PK_AS_REP_WINDOWS_OLD (15)
>      + SequenceHeader:
>      + Tag1:
>      + PaDataType: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/
> PA_PK_AS_REP_WINDOWS_OLD (15)
>      + Tag2:
>      + OctetStringHeader:
>      - PkAsRepOld:
>       + Tag1:
>       - EncKeyPack:
>        + SequenceHeader:
>        + ContentType: IdEnvelopedData (1.2.840.113549.1.7.3)
>        + Tag0:
>        - Content: 0x1
>         - IdEnvelopedData: 0x1
>          + SequenceHeader:
>          + Version: v0 (0)
>          - RecipientInfos:
>           + SetOfHeader:
>           - Info:
>            - Ktri:
>             + SequenceHeader:
>             + Version: v0 (0)
>             - RId:
>              + SubjectKeyIdentifier:
>             + KeyEncryptionAlgorithm: RsaEncryption (1.2.840.113549.1.1.1)

-- 
Michael Wood <esiotrot at gmail.com>
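An added example, not code from the thread or from Samba/Heimdal: a minimal DER walk that checks the RFC 3852 version rule quoted above on a KeyTransRecipientInfo. The byte strings are constructed to mirror the two Netmon traces (Windows DC: version 0 with issuerAndSerialNumber; Samba: version 0 with subjectKeyIdentifier), with a placeholder encryptedKey and an empty issuer Name.

```python
# RFC 3852 KeyTransRecipientInfo version check on raw DER (added example, not Samba/Heimdal code).

# RFC 3852 6.2.1: issuerAndSerialNumber (SEQUENCE) requires version 0,
# subjectKeyIdentifier ([0] IMPLICIT OCTET STRING, tag 0x80) requires version 2.
EXPECTED_VERSION = {0x30: ("issuerAndSerialNumber", 0),
                    0x80: ("subjectKeyIdentifier", 2)}

def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]: return (tag, value, next_pos).
    Single-byte tags; short and long definite lengths are supported."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: n following bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def check_ktri_version(ktri_der):
    """Return (version, rid_choice, compliant) for a DER KeyTransRecipientInfo."""
    tag, body, _ = read_tlv(ktri_der)
    if tag != 0x30:
        raise ValueError("KeyTransRecipientInfo must be a SEQUENCE")
    vtag, vval, pos = read_tlv(body)
    if vtag != 0x02:
        raise ValueError("version must be an INTEGER")
    version = int.from_bytes(vval, "big")
    rid_tag = read_tlv(body, pos)[0]       # the RecipientIdentifier CHOICE follows version
    if rid_tag not in EXPECTED_VERSION:
        raise ValueError(f"unexpected RecipientIdentifier tag 0x{rid_tag:02x}")
    choice, expected = EXPECTED_VERSION[rid_tag]
    return version, choice, version == expected

def tlv(tag, value):
    """Encode a short-form DER TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed fixtures: rsaEncryption AlgorithmIdentifier, placeholder key, placeholder issuer.
RSA_ENC = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
ENC_KEY = tlv(0x04, b"\xde\xad\xbe\xef")                     # placeholder encryptedKey
ISN = tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))        # empty Name, serial 1
SKI = tlv(0x80, bytes(range(1, 5)))                          # [0] IMPLICIT OCTET STRING

WINDOWS_DC_KTRI = tlv(0x30, tlv(0x02, b"\x00") + ISN + RSA_ENC + ENC_KEY)  # as in trace 1
SAMBA_KTRI = tlv(0x30, tlv(0x02, b"\x00") + SKI + RSA_ENC + ENC_KEY)       # as in trace 2
FIXED_KTRI = tlv(0x30, tlv(0x02, b"\x02") + SKI + RSA_ENC + ENC_KEY)       # what RFC 3852 requires

if __name__ == "__main__":
    for name, der in (("Windows DC", WINDOWS_DC_KTRI), ("Samba", SAMBA_KTRI), ("fixed", FIXED_KTRI)):
        print(name, check_ktri_version(der))
```

Fed the RecipientInfo bytes from a real capture, the same function flags exactly the version/identifier mismatch the thread describes.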

