[Samba] Smart card logon

Douglas E. Engert deengert at anl.gov
Tue Jan 29 21:59:42 GMT 2008



Pau Garcia i Quiles wrote:
> Quoting "Douglas E. Engert" <deengert at anl.gov>:
> 
>> Pau Garcia i Quiles wrote:
>>> Quoting Asier Baranguán <abaranguan at elpagestion.com>:
>>>
>>>> Hi all
>>>>
>>>> Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
>>>> managed domain with a smartcard? I've read somewhere that this is not
>>>> possible with Samba3, but /could/ be possible with the Samba4 package.
>>>>
>>>> Thanks
>>>
>>> Although I have never tried it, it should be possible by configuring
>>> Samba for PAM authentication
>>> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html)
>>> and using an appropriate PAM module, such as
>>> http://www.opensc-project.org/pam_p11/
>>
>> Actually what you want is the Kerberos PKINIT and a pam_krb5 that
>> understands PKINIT and can talk to a PKCS#11. Heimdal Kerberos
>> is part of newer versions of Samba. The Heimdal KDC then
>> accepts the PKINIT and returns Kerberos tickets. This is essentially
>> what Windows AD does today with smart card login. You login to the
>> domain.
>>
>> The OpenSC and many other smart card pam logins only log you into the
>> local machine, not the domain.
> 
> Good to know PAM_KRB5 exists and can log into Samba.

I have not tried this. In theory it should. I have tried pam_krb5 earlier
with Heimdal clients and OpenSC smart cards to AD.

> 
> I was thinking of a much simpler solution consisting of chaining two PAM
> modules: PAM P11 would get the credentials from the Smartcard and PAM
> Winbind or whatever would check they are valid.
> 

The key point is "check they are valid". The Winbind client cannot
be trusted, only the DC. This is the point of PKINIT: the DC is verifying
the credentials.


>> See http://www.eyrie.org/~eagle/software/pam-krb5/
>> for a pam_krb5 that works with Heimdal and PKINIT.
>>
>> PKINIT
>> http://www.ietf.org/rfc/rfc4557.txt
>>
>>>
>>> Even if PAM P11 is not ready for Samba use, it shouldn't be too
>>> difficult (and take this with a grain of salt, given that PAM is
>>> mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"
>>> PAM P11 and one of the PAM modules included in Samba currently (PAM
>>> password, PAM Winbind, etc).
>>
>> Pam Winbind probably needs some updates to have it use the Heimdal
>> PKINIT and the PKCS#11.
>>>
>>
>> -- 
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
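To make the PKINIT arrangement above concrete, here is a constructed krb5.conf fragment (added here, not from the thread or from the pam-krb5 or Heimdal projects) showing how the eyrie.org pam_krb5 is pointed at an OpenSC PKCS#11 module so that the smart card signs the AS-REQ and the Heimdal KDC on the domain controller, not the workstation, decides whether the credential is valid. The realm name, host name, file paths and module path are assumptions.

```ini
# /etc/krb5.conf (constructed example; EXAMPLE.COM, dc1.example.com,
# the CA file and the PKCS#11 module path are assumptions)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Heimdal KDC shipped with Samba4; it performs the PKINIT
        # certificate check and issues the TGT
        kdc = dc1.example.com
    }

[appdefaults]
    # pam-krb5 (http://www.eyrie.org/~eagle/software/pam-krb5/) reads its
    # options from this section as well as from the pam.d module line
    pam = {
        # Require PKINIT: no password fallback, so a login without the
        # card (or with a key the KDC does not trust) fails
        use_pkinit = true
        # Client identity comes from the card through the PKCS#11 module
        pkinit_user = PKCS11:/usr/lib/opensc-pkcs11.so
        # CA used to verify the KDC's own PKINIT signature in the reply
        pkinit_anchors = FILE:/etc/ssl/certs/domain-ca.pem
    }

# Corresponding /etc/pam.d/<service> stack (same options could be given
# inline after pam_krb5.so instead of in [appdefaults]):
#   auth     required  pam_krb5.so
#   account  required  pam_krb5.so
#   session  optional  pam_krb5.so
```

Contrast this with a local pam_p11 check: pam_p11 proves the card holds a key matching a certificate on the workstation, but nothing on the domain controller sees that proof, which is the "cannot be trusted" point made above.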

