Experience Report: Smart Card Login to Samba 4 domain

Andrew Bartlett abartlet at samba.org
Mon Jan 21 20:31:23 MST 2013

On Tue, 2013-01-22 at 03:06 +0000, Raphael Schweber-Koren wrote:
> Hi,
> I’ve been using Samba4 as an AD DC for a while now, and since the team
> has asked for success/failure reports, here’s mine: following the
> scattered information on this list and elsewhere on the Internet, I
> successfully used a smart card to log into the Windows clients of a
> Samba 4-hosted AD domain. That is, I stuck a smart card into a reader
> on a domain-joined Windows 7 or 8 client, was prompted for the smart
> card PIN, and after entering the correct PIN, was successfully logged
> in to the Windows client as my domain user account.

Great!  I've had this code in Samba for a long time now, and even have
tests (using file-based PKINIT and the Heimdal kinit client), but it is
always great to hear about it working in real life.

> In the course of getting this to work, I saw a previous discussion
> about the topic on this list a few months back, where, if I read the
> exchange correctly, someone who was having trouble setting up smart
> card login agreed to document his hoped-for success if the team would
> help him get past some of the obstacles he’d encountered. Did that
> documentation ever get completed?
> https://wiki.samba.org/index.php/Samba4/Smart_Card_Login indicates
> it’s not done yet, but I don’t want to waste everyone’s time if it’s
> in the pipeline. If it isn’t, then is documenting this topic still
> something the team would find useful?

Please do!  Add a wiki account, let me know the username (for approval)
and go to town!

> If it is, then I’d be happy to write it up – among other things, it’d
> probably be a good thing to have someone else take a look and alert me
> to anything I did that I really, really shouldn’t have. I’d start with
> the setup provided in the main Samba 4 How To (using a Windows 7
> client instead of a Windows XP client), and would document the steps
> required to enable a user to log in to the Windows 7 client with a
> smart card.

I would really appreciate it if you did that, and am happy to read over
the result.

> That being said, a note of caution: after successfully logging in, I
> experienced severe usability issues actually trying to get day-to-day
> tasks done on the Windows client I had logged into. My guess is that
> it has something to do with credential delegation working differently
> when a user logs in with smart card credentials as opposed to password
> credentials. One major example: when I log in with a password, network
> file shares on both the Samba DC and other domain-joined Windows
> clients don’t ask me for credentials in order to access the files on
> those shares. However, when I logged in with my smart card, I was
> prompted to enter my credentials when I attempted to access those same
> network shares.

Were those shares on hosts that use NTLM authentication, such as hosts
accessed by IP address?

> The system reverted to its previous behavior after I logged out and
> then logged back in using my password. I have not directly compared
> the experience with that provided by a Windows Server DC and CA
> (however, I cannot imagine anyone using smart cards to login to
> Windows if what I experienced was the “authentic” Windows experience
> for users logging in using a smart card).
> I did get some weird error messages in my Samba logs, which looked
> related, though I don’t know if they actually are or not – I didn’t
> have time to try it out with the debug level turned up. Obviously,
> that isn’t the “high quality feedback” you’re looking for -- so, even
> if you don’t need the documentation, I’ll still build a test setup and
> try to provide some hopefully useful bug reports – but I figured I’d
> ask if the team still needed the set up documented.

So, what might be happening here is that Samba, unlike Windows, does not
give out the user's password in reply to a smart card login.  I think
it's really dumb behaviour, and makes the whole smart card thing
pointless, but there is a field in the PAC that literally contains the
user's hashed password.  We don't fill that in, but without it NTLMSSP
authentication just can't work.

If that's what is going on (or even if it isn't), please file a bug.
I'm very happy to help if you want to try and patch it too! :-)

Details for the correct behaviour should be in the WSPP docs.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
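To make the PAC field discussed above concrete, here is an added example (not Samba's code and not from the thread) that walks a PAC's buffer table and reports whether a PAC_CREDENTIAL_INFO buffer (type 2, MS-PAC 2.6.1) is present and which Kerberos encryption type protects its payload. The sample PACs are constructed, and their buffer bodies are dummy bytes rather than real NDR-encoded data; the build_pac, parse_pac and credential_info helpers are this example's own names.

```python
import struct

# Buffer type values from MS-PAC section 2.4
PAC_LOGON_INFO = 1
PAC_CREDENTIAL_INFO = 2      # only present after a PKINIT (smart card) AS exchange
PAC_SERVER_CHECKSUM = 6
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18

def build_pac(buffers):
    """Serialise a PACTYPE (MS-PAC 2.3) from a list of (ulType, bytes)."""
    offset = 8 + 16 * len(buffers)       # header + PAC_INFO_BUFFER table
    entries, body = [], b""
    for ultype, data in buffers:
        entries.append(struct.pack("<IIQ", ultype, len(data), offset))
        pad = (-len(data)) % 8           # buffers start on 8-byte boundaries
        body += data + b"\0" * pad
        offset += len(data) + pad
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + body

def parse_pac(blob):
    """Return {ulType: raw buffer bytes}, bounds-checking every entry."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version")
    out = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC_INFO_BUFFER points outside the PAC")
        out[ultype] = blob[offset:offset + size]
    return out

def make_credential_info(etype, ciphertext):
    """PAC_CREDENTIAL_INFO: Version (0), EncryptionType, SerializedData.
    SerializedData is the NDR PAC_CREDENTIAL_DATA encrypted under the
    AS reply key; here it is stand-in bytes."""
    return struct.pack("<II", 0, etype) + ciphertext

def credential_info(blob):
    """(version, etype, ciphertext length) or None when the KDC omitted it,
    which is the case the thread describes for Samba smart card logins."""
    bufs = parse_pac(blob)
    if PAC_CREDENTIAL_INFO not in bufs:
        return None
    data = bufs[PAC_CREDENTIAL_INFO]
    version, etype = struct.unpack_from("<II", data, 0)
    return version, etype, len(data) - 8

# Constructed samples: a password-login PAC and a smart-card-login PAC
SAMPLE_PASSWORD_PAC = build_pac([(PAC_LOGON_INFO, b"\x01" * 40),
                                 (PAC_SERVER_CHECKSUM, b"\0" * 20)])
SAMPLE_SMARTCARD_PAC = build_pac([(PAC_LOGON_INFO, b"\x01" * 40),
    (PAC_CREDENTIAL_INFO, make_credential_info(ETYPE_AES256_CTS_HMAC_SHA1_96, b"\xaa" * 48))])
```

Running credential_info over a PAC extracted from a real ticket tells you whether the DC supplied the buffer at all, which is the first thing to check when NTLM fallback fails after a smart card logon.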
