[Samba] Smart card logon
Douglas E. Engert
deengert at anl.gov
Tue Jan 29 19:56:35 GMT 2008
Pau Garcia i Quiles wrote:
> Quoting Asier Baranguán <abaranguan at elpagestion.com>:
>
>> Hi all
>>
>> Is possible to perform a logon from a XP workstation to a Samba3+LDAP
>> managed domain with a smartcard? I've readed somewhere that this is not
>> possible with Samba3, but /could/ be possible with the Samba4 package.
>>
>> Thanks
>
> Although I have never tried it, it should be possible by configuring
> Samba for PAM authentication
> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html)
> and using an appropriate PAM module, such as
> http://www.opensc-project.org/pam_p11/
Actually what you want is the Kerberos PKINIT and a pam_krb5 that
understands PKINIT and can to talk to a PKCS#11. Heimdal Kerberos
is part of newer versions of Samba. The Heimdal KDC then
accepts the PKINIT and returns Kerberos tickets. This is essentially
what Windows AD does today with smart card login. You login to the
domain.
The OpenSC and many other smart card pam logins only log you into the
the local machine, not the domain.
See http://www.eyrie.org/~eagle/software/pam-krb5/
for a pam_krb5 that works with Heimdal and PKINIT.
PKINIT
http://www.ietf.org/rfc/rfc4557.txt
>
> Even if PAM P11 is not ready for Samba use, it shouldn't be too
> difficult (and take this with a grain of salt, given that PAM is mystic
> per se :-) to produce a new PAM-Samba-Smartcard by "merging" PAM P11 and
> one of the PAM modules included in Samba currently (PAM password, PAM
> Winbind, etc).
Pam Windbind probably needs some updates to have it use the Heimdal
PKINIT and the PKCS#11.
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the samba
mailing list