Fix smartcard offline logon and NTLM authentication

Stefan Metzmacher metze at
Wed Jul 20 08:44:31 UTC 2016

Am 19.07.2016 um 21:38 schrieb Andrew Bartlett:
> On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:
>> I've added more PAC tests to
>> master4-smart-base
>> Some of this is already reviewed by Günther and on its way to master.
>> Please have a look.
> Thanks. 
>> master4-smart-ok
>> is rebased on master4-smart-base.
>> I'm not sure what tests you see as a requirement to let this in...
> I understand your frustration.  Hopefully the below spells it out a bit
> more clearly.
>> And
>> master4-smart-tmp> finally adds the UPN_DNS_INFO to the kdc code.
> In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a runtime
> assertion of the UPN_DNS_INFO, and the PAC ordering, and anything else
> (within reason) that we can detect.  
> This is because the torture/auth/pac.c code no longer runs the same PAC
> marshalling code as the KDC, because we let Heimdal do more of that
> now.  That is probably why those tests still pass (they expect a byte
> -for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add

Done, see the master4-smart-tmp branch.

> Further, I would like to see that test run against the server using
> PKINIT credentials, and to assert the presence of the CREDENTIALS
> structure in the right place, and ideally decrypted.  (I will accept
> not decrypted however). 
> That would, in my view, provide the testing needed for the smart-card
> changes.
> I'll make a start on these requirements today.  As I don't have the
> instructions on setting up smart cards logons with AD, I may need you
> to verify the tests on Windows 2012R2 if I can't work it out.

The instructions I used are available at
see the comments in

The manage-ca scripts are also in master:selftest/manage-ca/
You just need a .cnf and .sh file for your own domain.

But concentrate on getting it working in autobuild, the thing I need
help with is the way how to do a pkinit, when given 3 files,
the ca cert, the user cert and the user private key without passphrase,
with that information we need to kinit and the result needs to be
in a cli_credentials structure.

I guess we can then just pass that cli_credentials structure to
We can use cli_credentials_get_password() => NULL as indication for pkinit
and expect a PAC_CREDENTIAL_INFO element.
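The "given 3 files" PKINIT step asked about above, as an added example that is not part of this thread or of the Samba tree: a small POSIX shell helper that takes a CA certificate, a user certificate and an unencrypted user private key, rejects a passphrase-protected key up front (the whole point is a non-interactive kinit), and emits the krb5.conf fragment plus the kinit invocation. It assumes an MIT Kerberos client (the `-X X509_user_identity=` option and the `pkinit_anchors` realm setting); Samba's own selftest drives Heimdal, whose kinit takes the certificate via `-C` instead. Realm, principal and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Assumes an MIT Kerberos client; realm and principal names are placeholders.

# Refuse a passphrase-protected key: both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY")
# and legacy PEM ("Proc-Type: 4,ENCRYPTED") headers contain the word ENCRYPTED.
pkinit_check_key() {
    key="$1"
    [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
    if grep -q 'ENCRYPTED' "$key"; then
        echo "key is passphrase-protected, PKINIT would prompt: $key" >&2
        return 1
    fi
    return 0
}

# krb5.conf fragment: the CA cert is the trust anchor the client uses to
# validate the KDC's own PKINIT certificate (pkinit_anchors).
pkinit_krb5_conf() {
    realm="$1"; ca="$2"
    printf '[realms]\n  %s = {\n    pkinit_anchors = FILE:%s\n  }\n' "$realm" "$ca"
}

# kinit invocation: the client cert/key pair is passed as an X509 user identity.
pkinit_kinit_cmd() {
    cert="$1"; key="$2"; princ="$3"
    printf 'kinit -X X509_user_identity=FILE:%s,%s %s\n' "$cert" "$key" "$princ"
}

# Demo on constructed PEM files (placeholder content, not real certificates).
pkinit_demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' > "$d/ca.pem"
    cp "$d/ca.pem" "$d/user.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n' > "$d/user.key"
    pkinit_check_key "$d/user.key" || return 1
    pkinit_krb5_conf EXAMPLE.COM "$d/ca.pem"
    pkinit_kinit_cmd "$d/user.pem" "$d/user.key" 'user@EXAMPLE.COM'
    rm -rf "$d"
}
pkinit_demo
```

The principal handed to kinit has to be the one the KDC maps the certificate to (for AD smart-card logon that is the UPN carried in the certificate), and kinit still needs network access to the KDC; the helper only prepares the non-interactive invocation and the trust-anchor configuration.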



More information about the samba-technical mailing list