[Samba] Smart card logon

Douglas E. Engert deengert at anl.gov
Tue Jan 29 19:56:35 GMT 2008

Pau Garcia i Quiles wrote:
> Quoting Asier Baranguán <abaranguan at elpagestion.com>:
>> Hi all
>> Is possible to perform a logon from a XP workstation to a Samba3+LDAP
>> managed domain with a smartcard? I've readed somewhere that this is not
>> possible with Samba3, but /could/ be possible with the Samba4 package.
>> Thanks
> Although I have never tried it, it should be possible by configuring 
> Samba for PAM authentication 
> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html) 
> and using an appropriate PAM module, such as 
> http://www.opensc-project.org/pam_p11/

Actually what you want is the Kerberos PKINIT and a pam_krb5 that
understands PKINIT and can to talk to a PKCS#11. Heimdal Kerberos
is part of newer versions of Samba. The Heimdal KDC then
accepts the PKINIT and returns Kerberos tickets. This is essentially
what Windows AD does today with smart card login. You login to the

The OpenSC and many other smart card pam logins only log you into the
the local machine, not the domain.

See http://www.eyrie.org/~eagle/software/pam-krb5/
for a pam_krb5 that works with Heimdal and PKINIT.


> Even if PAM P11 is not ready for Samba use, it shouldn't be too 
> difficult (and take this with a grain of salt, given that PAM is mystic 
> per se :-) to produce a new PAM-Samba-Smartcard by "merging" PAM P11 and 
> one of the PAM modules included in Samba currently (PAM password, PAM 
> Winbind, etc).

Pam Windbind probably needs some updates to have it use the Heimdal
PKINIT and the PKCS#11.


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the samba mailing list