Experience Report: Smart Card Login to Samba 4 domain

Raphael Schweber-Koren raphaelsk at raphaelsk.com
Mon Jan 21 20:06:41 MST 2013


I’ve been using Samba4 as an AD DC for a while now, and since the team has asked for success/failure reports, here’s mine: following the scattered information on this list and elsewhere on the Internet, I successfully used a smart card to log into the Windows clients of a Samba 4-hosted AD domain. That is, I stuck a smart card into a reader on a domain-joined Windows 7 or 8 client, was prompted for the smart card PIN, and after entering the correct PIN, was successfully logged in to the Windows client as my domain user account.

In the course of getting this to work, I saw a previous discussion about the topic on this list a few months back, where, if I read the exchange correctly, someone who was having trouble setting up smart card login agreed to document his hoped-for success if the team would help him get past some of the obstacles he’d encountered. Did that documentation ever get completed? https://wiki.samba.org/index.php/Samba4/Smart_Card_Login indicates it’s not done yet, but I don’t want to waste everyone’s time if it’s in the pipeline. If it isn’t, then is documenting this topic still something the team would find useful?

If it is, then I’d be happy to write it up – among other things, it’d probably be a good thing to have someone else take a look and alert me to anything I did that I really, really shouldn’t have. I’d start with the setup provided in the main Samba 4 How To (using a Windows 7 client instead of a Windows XP client), and would document the steps required to enable a user to log in to the Windows 7 client with a smart card.

That being said, a note of caution: after successfully logging in, I experienced severe usability issues actually trying to get day-to-day tasks done on the Windows client I had logged into. My guess is that it has something to do with credential delegation working differently when a user logs in with smart card credentials as opposed to password credentials. One major example: when I log in with a password, network file shares on both the Samba DC and other domain-joined Windows clients don’t ask me for credentials in order to access the files on those shares. However, when I logged in with my smart card, I was prompted to enter my credentials when I attempted to access those same network shares. The system reverted to its previous behavior after I logged out and then logged back in using my password. I have not directly compared the experience with that provided by a Windows Server DC and CA (however, I cannot imagine anyone using smart cards to log in to Windows if what I experienced was the “authentic” Windows experience for users logging in using a smart card).

I did get some weird error messages in my Samba logs, which looked related, though I don’t know if they actually are or not – I didn’t have time to try it out with the debug level turned up. Obviously, that isn’t the “high quality feedback” you’re looking for – so, even if you don’t need the documentation, I’ll still build a test setup and try to provide some hopefully useful bug reports – but I figured I’d ask if the team still needed the setup documented.

-Raphael Schweber-Koren
