[Samba] Smart card logon

Pau Garcia i Quiles pgquiles at elpauer.org
Tue Jan 29 20:11:13 GMT 2008 

Quoting "Douglas E. Engert" <deengert at anl.gov>:

> Pau Garcia i Quiles wrote:
>> Quoting Asier Baranguán <abaranguan at elpagestion.com>:
>>
>>> Hi all
>>>
>>> Is possible to perform a logon from a XP workstation to a Samba3+LDAP
>>> managed domain with a smartcard? I've readed somewhere that this is not
>>> possible with Samba3, but /could/ be possible with the Samba4 package.
>>>
>>> Thanks
>>
>> Although I have never tried it, it should be possible by   
>> configuring Samba for PAM authentication   
>> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html) and   
>> using an appropriate PAM module, such as   
>> http://www.opensc-project.org/pam_p11/
>
> Actually what you want is the Kerberos PKINIT and a pam_krb5 that
> understands PKINIT and can to talk to a PKCS#11. Heimdal Kerberos
> is part of newer versions of Samba. The Heimdal KDC then
> accepts the PKINIT and returns Kerberos tickets. This is essentially
> what Windows AD does today with smart card login. You login to the
> domain.
>
> The OpenSC and many other smart card pam logins only log you into the
> the local machine, not the domain.

Good to know PAM_KRB5 exists and can log into Samba.

I was thinking of a much simpler solution consisting on chaining two  
PAM modules: PAM P11 would get the credentials from the Smartcard and  
PAM Winbind or whatever would check they are valid.

> See http://www.eyrie.org/~eagle/software/pam-krb5/
> for a pam_krb5 that works with Heimdal and PKINIT.
>
> PKINIT
> http://www.ietf.org/rfc/rfc4557.txt
>
>>
>> Even if PAM P11 is not ready for Samba use, it shouldn't be too   
>> difficult (and take this with a grain of salt, given that PAM is   
>> mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"  
>>  PAM P11 and one of the PAM modules included in Samba currently  
>> (PAM  password, PAM Winbind, etc).
>
> Pam Windbind probably needs some updates to have it use the Heimdal
> PKINIT and the PKCS#11.
>>
>
> -- 
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444



-- 
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)

More information about the samba mailing list