I want to make ADCS support better and I need some advice

Joe Dillon joseph at outurnate.com
Sat Nov 11 02:09:03 UTC 2023

I want to improve samba's support for auto-enrolling and auto-renewing certificates.  I've identified a few key issues I want to resolve:

1. Certificate Services Web Enrollment is required for discovering the PKI environment.  Web enrollment, while *probably* installed on a CA, isn't a component of auto enrollment, per MS-CAESO.  Additionally, CAWE *most likely* presents a certificate anchored by the PKI environment, which presents a chicken-egg type problem for using it to discover CA certificates.  Samba breaks this dependency cycle by retrieving the CA over HTTP, but that presents an opportunity for an attacker to potentially inject a rogue CA.
2. Samba's discovery of enrollment services/other PKI configuration assumes the current domain is the forest root domain.  I'm trying to work on this as a good first issue.
3. The GP client is currently limited to interacting with CA servers that expose WCCE and WSTEP endpoints.  These are optional roles, and as a result aren't guaranteed to exist.  Samba has MSRPC support, which is very unique on *nix platforms.  Samba could support MS-ICPR for CA servers that don't provide the web protocols.

I really want to help improve the above.  My challenge is my python skills.  I've written most of an MS-CAESO client in rust.  Should I complete this rust client, would it be of any use?  Should it be wrapped up in a nice python API?  Can I submit the necessary code to add MS-ICPR support to samba - purely so I could consume it myself?  Should I scrap the whole thing, learn python, and rewrite it?

Looking for advice more than anything

Joe Dillon

More information about the samba-technical mailing list