[Samba] Smart card logon
Douglas E. Engert
deengert at anl.gov
Tue Jan 29 21:59:42 GMT 2008
Pau Garcia i Quiles wrote:
> Quoting "Douglas E. Engert" <deengert at anl.gov>:
>
>> Pau Garcia i Quiles wrote:
>>> Quoting Asier Baranguán <abaranguan at elpagestion.com>:
>>>
>>>> Hi all
>>>>
>>>> Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
>>>> managed domain with a smartcard? I've read somewhere that this is not
>>>> possible with Samba3, but /could/ be possible with the Samba4 package.
>>>>
>>>> Thanks
>>>
>>> Although I have never tried it, it should be possible by configuring
>>> Samba for PAM authentication
>>> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html)
>>> and using an appropriate PAM module, such as
>>> http://www.opensc-project.org/pam_p11/
>>
>> Actually what you want is the Kerberos PKINIT and a pam_krb5 that
>> understands PKINIT and can talk to a PKCS#11. Heimdal Kerberos
>> is part of newer versions of Samba. The Heimdal KDC then
>> accepts the PKINIT and returns Kerberos tickets. This is essentially
>> what Windows AD does today with smart card login. You login to the
>> domain.
>>
>> The OpenSC and many other smart card pam logins only log you into the
>> local machine, not the domain.
>
> Good to know PAM_KRB5 exists and can log into Samba.
I have not tried this. In theory it should. I have earlier tried pam_krb5
with Heimdal clients and OpenSC smart cards to AD.
>
> I was thinking of a much simpler solution consisting of chaining two PAM
> modules: PAM P11 would get the credentials from the Smartcard and PAM
> Winbind or whatever would check they are valid.
>
The key point is "check they are valid". The Winbind client cannot
be trusted, only the DC. This is the point of PKINIT: the DC is verifying
the credentials.
>> See http://www.eyrie.org/~eagle/software/pam-krb5/
>> for a pam_krb5 that works with Heimdal and PKINIT.
>>
>> PKINIT
>> http://www.ietf.org/rfc/rfc4557.txt
>>
>>>
>>> Even if PAM P11 is not ready for Samba use, it shouldn't be too
>>> difficult (and take this with a grain of salt, given that PAM is
>>> mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"
>>> PAM P11 and one of the PAM modules included in Samba currently (PAM
>>> password, PAM Winbind, etc).
>>
>> PAM Winbind probably needs some updates to have it use the Heimdal
>> PKINIT and the PKCS#11.
>>>
>>
>> --
>>
>> Douglas E. Engert <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
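As an added example, not part of this thread, here is the shape of the setup described above: the pam-krb5 module linked in the message configured to attempt PKINIT through a PKCS#11 token, and a Heimdal KDC configured to accept PKINIT. The realm EXAMPLE.COM, the certificate and key paths, and the OpenSC module path are assumptions; the option names are those documented by pam-krb5 and Heimdal.

```ini
# /etc/pam.d/login (client side): pam-krb5 doing PKINIT via PKCS#11.
# try_pkinit falls back to a password when no card is present;
# use_pkinit would instead fail the login unless PKINIT succeeds.
# (The module path /usr/lib/opensc-pkcs11.so is an assumption.)
auth    sufficient  pam_krb5.so try_pkinit pkinit_user=PKCS11:/usr/lib/opensc-pkcs11.so
auth    required    pam_unix.so

# /etc/krb5.conf (client side): the same pam-krb5 options may live here,
# plus the CA the client uses to verify the KDC's own PKINIT certificate.
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    pam = {
        try_pkinit = true
        pkinit_user = PKCS11:/usr/lib/opensc-pkcs11.so
        pkinit_anchors = FILE:/etc/krb5/ca.pem
    }

# kdc.conf (KDC side): this is where the verification actually happens.
# pkinit_anchors names the CA that issued the users' smart card
# certificates; a client certificate that does not chain to it is rejected
# before any ticket is issued, which is the check a local-only PAM chain
# cannot provide. pkinit_mappings_file maps certificate subjects to
# principals when the certificate does not carry the principal itself.
[kdc]
    enable-pkinit = yes
    pkinit_identity = FILE:/etc/krb5/kdc.pem,/etc/krb5/kdc.key
    pkinit_anchors = FILE:/etc/krb5/ca.pem
    pkinit_mappings_file = /etc/krb5/pki-mapping
```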