Experience Report: Smart Card Login to Samba 4 domain

Raphael Schweber-Koren raphaelsk at raphaelsk.com
Tue Jan 22 17:54:44 MST 2013


Great, I'll get to work on it.

(My mail client doesn’t appear to handle inline responses well, so I've copied your questions/comments up here and then responded below)

-- Were those shares on hosts that use NTLM authentication, such as hosts accessed by IP address?

At least some of them weren't. The hosts were on domain-joined clients or on the Samba 4 DC, and were always accessed by DNS address. One's running Windows 7, and I accessed its shares both directly and through a DFS root share located on the Samba4 DC. The DFS redirect labels in the DFS root used the target host's DNS address. Not sure, perhaps the access to the DFS root share on the Samba DC was attempted via NTLM.

I was able to access the Win 7 shares using either my smart card (by re-entering the PIN, which makes sense), or by entering my username/password. Windows offered to and would save the username/password credentials for the length of the login session. I remember that it also offered to save the smart card credential -- I guess the certificate -- and I recall that almost immediately after I accepted the offer, the OS went into a tailspin that ended in a reboot. (I don't remember if it was a graceful reboot or a power-button induced one.)

At some point, Windows Credential Manager stopped working, and instead its control panel displayed the error code 0x80090345 and the message "The requested operation cannot be completed. The computer must be trusted for delegation, and the current user account must be configured to allow delegation" (which is the error message associated with that HRESULT value). The credential manager did not recover until I went back to password login, but it had lost all its stored data. 

--So, what might be happening here is that Samba, unlike windows, does not give out the user's password in reply to a smart card login.  I think it's really dumb behaviour, and makes the whole smart card thing pointless, but there is a field in the PAC that literally contains the user's hashed password.  We don't fill that in, but without it NTLMSSP authentication just can't work.

Just speculation, but a 2004 post that purports to be from an MS engineer (http://us.generation-nt.com/answer/dpapi-protection-credentials-used-smartcard-logons-help-54894802.html) says that the Windows Data Protection API uses the password hash to secure its master key, and that when the user logs in with a smartcard, it gets the password-derived hash from the DC as part of the Kerberos authentication process. (Maybe the truth of this is in the WSPP docs.) Relatedly, my Crypto-DPAPI event log lists a "DPAPI created Master key" event once or twice a second during the day or so I used a smart card to log in, and again (though not as frequently) during the several hours I used a dummy account and certificate to see if there was something in the policies attached to my account that was causing the crazy behavior. During the second go-round, I often switched back and forth between my regular account and the dummy account. Outside of those two time periods, there are zero "DPAPI created Master key" events. I wonder if, lacking a password hash, DPAPI just churned out new master keys, which knocked out all data encrypted by the old key, including anything saved by the credential manager.

However, it seems pretty critical that I get a test setup going, as I'm relying on my memory for most of my "information" about what happened during that day or two.

- Raphael Schweber-Koren

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, January 21, 2013 10:31 PM
To: Raphael Schweber-Koren
Cc: samba-technical at lists.samba.org
Subject: Re: Experience Report: Smart Card Login to Samba 4 domain

On Tue, 2013-01-22 at 03:06 +0000, Raphael Schweber-Koren wrote:
> Hi,
> 
> I’ve been using Samba4 as an AD DC for a while now, and since the team 
> has asked for success/failure reports, here’s mine: following the 
> scattered information on this list and elsewhere on the Internet, I 
> successfully used a smart card to log into the Windows clients of a 
> Samba 4-hosted AD domain. That is, I stuck a smart card into a reader 
> on a domain-joined Windows 7 or 8 client, was prompted for the smart 
> card PIN, and after entering the correct PIN, was successfully logged 
> in to the Windows client as my domain user account.

Great!  I've had this code in Samba for a long time now, and even have tests (using file-based PKINIT and the Heimdal kinit client), but it is always great to hear about it working in real life. 

> In the course of getting this to work, I saw a previous discussion 
> about the topic on this list a few months back, where, if I read the 
> exchange correctly, someone who was having trouble setting up smart 
> card login agreed to document his hoped-for success if the team would 
> help him get past some of the obstacles he’d encountered. Did that 
> documentation ever get completed?
> https://wiki.samba.org/index.php/Samba4/Smart_Card_Login indicates 
> it’s not done yet, but I don’t want to waste everyone’s time if it’s 
> in the pipeline. If it isn’t, then is documenting this topic still 
> something the team would find useful?

Please do!  Add a wiki account, let me know the username (for approval) and go to town!

> If it is, then I’d be happy to write it up – among other things, it’d 
> probably be a good thing to have someone else take a look and alert me 
> to anything I did that I really, really shouldn’t have. I’d start with 
> the setup provided in the main Samba 4 How To (using a Windows 7 
> client instead of a Windows XP client), and would document the steps 
> required to enable a user to log in to the Windows 7 client with a 
> smart card.

I would really appreciate it if you did that, and am happy to read over the result. 

> That being said, a note of caution: after successfully logging in, I 
> experienced severe usability issues actually trying to get day-to-day 
> tasks done on the Windows client I had logged into. My guess is that 
> it has something to do with credential delegation working differently 
> when a user logs in with smart card credentials as opposed to password 
> credentials. One major example: when I log in with a password, network 
> file shares on both the Samba DC and other domain-joined Windows 
> clients don’t ask me for credentials in order to access the files on 
> those shares. However, when I logged in with my smart card, I was 
> prompted to enter my credentials when I attempted to access those same 
> network shares.

Were those shares on hosts that use NTLM authentication, such as hosts accessed by IP address?

> The system reverted to its previous behavior after I logged out and 
> then logged back in using my password. I have not directly compared 
> the experience with that provided by a Windows Server DC and CA 
> (however, I cannot imagine anyone using smart cards to login to 
> Windows if what I experienced was the “authentic” Windows experience 
> for users logging in using a smart card).
> I did get some weird error messages in my Samba logs, which looked 
> related, though I don’t know if they actually are or not – I didn’t 
> have time to try it out with the debug level turned up. Obviously, 
> that isn’t the “high quality feedback” you’re looking for -- so, even 
> if you don’t need the documentation, I’ll still build a test setup and 
> try to provide some hopefully useful bug reports – but I figured I’d 
> ask if the team still needed the set up documented.

So, what might be happening here is that Samba, unlike windows, does not give out the user's password in reply to a smart card login.  I think it's really dumb behaviour, and makes the whole smart card thing pointless, but there is a field in the PAC that literally contains the user's hashed password.  We don't fill that in, but without it NTLMSSP authentication just can't work. 

If that's what is going on (or even if it isn't), please file a bug.
I'm very happy to help if you want to try and patch it too! :-)

Details for the correct behaviour should be in the WSPP docs.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
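Both Andrew's point (the PAC has a buffer that carries the user's hashed password after a PKINIT logon, and Samba does not emit it) and Raphael's DPAPI speculation come down to one observable: whether the PAC inside the service ticket contains a PAC_CREDENTIAL_INFO buffer (MS-PAC ulType 2). The following is an added example, not Samba code and not anything from this thread: a small walker over the MS-PAC PACTYPE header that lists the buffer types present and reports whether the credential-info buffer is there. The two PAC blobs it inspects are constructed in the script with zero-filled payloads, so the checksum and credential contents are placeholders; a real PAC_CREDENTIAL_INFO payload is encrypted with the AS reply key and would need the KDC reply key to decrypt. Only the header layout (cBuffers, Version, then 16-byte PAC_INFO_BUFFER entries of ulType, cbBufferSize, 64-bit Offset, each data buffer 8-byte aligned) is taken from MS-PAC.

```python
"""Walk the MS-PAC PACTYPE header and report which buffers a PAC carries.

Added example; the sample PACs below are constructed here, not captured from
a DC. Only the header layout follows MS-PAC; buffer payloads are placeholders.
"""
import struct

# ulType values from MS-PAC section 2.4 (PAC_INFO_BUFFER).
PAC_BUFFER_TYPES = {
    1: "KERB_VALIDATION_INFO (logon info)",
    2: "PAC_CREDENTIAL_INFO (encrypted supplemental creds, e.g. NT hash after PKINIT)",
    6: "Server checksum",
    7: "KDC (privsvr) checksum",
    10: "PAC_CLIENT_INFO (client name and ticket info)",
    12: "UPN_DNS_INFO",
}
PAC_CREDENTIAL_INFO_TYPE = 2


def parse_pac_buffers(pac: bytes):
    """Return [(ulType, cbBufferSize, Offset), ...] from the PACTYPE header.

    Bounds are checked so that a malformed PAC raises instead of reading
    past the blob.
    """
    if len(pac) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    cbuffers, version = struct.unpack_from("<II", pac, 0)  # little-endian ULONGs
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    entries = []
    pos = 8
    for _ in range(cbuffers):
        if pos + 16 > len(pac):
            raise ValueError("PAC_INFO_BUFFER array truncated")
        ultype, size, offset = struct.unpack_from("<IIQ", pac, pos)
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ultype} points outside the PAC")
        entries.append((ultype, size, offset))
        pos += 16
    return entries


def buffer_types(pac: bytes):
    """Buffer types in header order."""
    return [t for t, _, _ in parse_pac_buffers(pac)]


def has_credential_info(pac: bytes) -> bool:
    """True if the PAC carries a PAC_CREDENTIAL_INFO buffer (ulType 2)."""
    return PAC_CREDENTIAL_INFO_TYPE in buffer_types(pac)


def build_pac(buffers):
    """Construct a PACTYPE blob from [(ulType, payload)], 8-byte aligning each payload."""
    header_len = 8 + 16 * len(buffers)
    data = bytearray()
    entries = []
    for ultype, payload in buffers:
        while (header_len + len(data)) % 8:  # MS-PAC: each buffer 8-byte aligned
            data.append(0)
        entries.append((ultype, len(payload), header_len + len(data)))
        data += payload
    out = struct.pack("<II", len(buffers), 0)
    for ultype, size, offset in entries:
        out += struct.pack("<IIQ", ultype, size, offset)
    return bytes(out + data)


# Constructed sample 1: buffers a PAC without credential info would carry.
SAMBA_STYLE_PAC = build_pac([
    (1, b"\x00" * 40),   # placeholder logon info
    (10, b"\x00" * 20),  # placeholder client info
    (6, b"\x00" * 16),   # placeholder server checksum
    (7, b"\x00" * 16),   # placeholder KDC checksum
])

# Constructed sample 2: same, plus a (placeholder, not encrypted) type-2 buffer.
WINDOWS_STYLE_PAC = build_pac([
    (1, b"\x00" * 40),
    (2, b"\x00" * 24),   # placeholder PAC_CREDENTIAL_INFO
    (10, b"\x00" * 20),
    (6, b"\x00" * 16),
    (7, b"\x00" * 16),
])


def describe(pac: bytes) -> str:
    lines = []
    for ultype, size, offset in parse_pac_buffers(pac):
        name = PAC_BUFFER_TYPES.get(ultype, "unknown")
        lines.append(f"  type {ultype:>2} size {size:>4} offset {offset:>4}  {name}")
    verdict = "present" if has_credential_info(pac) else "absent"
    lines.append(f"  PAC_CREDENTIAL_INFO: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("constructed PAC without credential info:\n" + describe(SAMBA_STYLE_PAC))
    print("constructed PAC with credential info:\n" + describe(WINDOWS_STYLE_PAC))
```

Pointed at the decrypted PAC from a real service ticket (for instance the AD-IF-RELEVANT authorization data Samba logs at a high debug level), the same walker answers whether a given DC populates the credential buffer after a smart card logon; with the buffer absent, the client has no NT hash to fall back on for NTLM, which matches the credential prompts and DPAPI master-key churn described in the thread.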