[Samba] Smart card logon

Douglas E. Engert deengert at anl.gov
Tue Jan 29 21:59:42 GMT 2008

Pau Garcia i Quiles wrote:
> Quoting "Douglas E. Engert" <deengert at anl.gov>:
>> Pau Garcia i Quiles wrote:
>>> Quoting Asier Baranguán <abaranguan at elpagestion.com>:
>>>> Hi all
>>>> Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
>>>> managed domain with a smartcard? I've read somewhere that this is not
>>>> possible with Samba3, but /could/ be possible with the Samba4 package.
>>>> Thanks
>>> Although I have never tried it, it should be possible by configuring
>>> Samba for PAM authentication
>>> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html)
>>> and using an appropriate PAM module, such as
>>> http://www.opensc-project.org/pam_p11/
>> Actually what you want is the Kerberos PKINIT and a pam_krb5 that
>> understands PKINIT and can talk to a PKCS#11. Heimdal Kerberos
>> is part of newer versions of Samba. The Heimdal KDC then
>> accepts the PKINIT and returns Kerberos tickets. This is essentially
>> what Windows AD does today with smart card login. You log in to the
>> domain.
>> The OpenSC and many other smart card pam logins only log you into the
>> local machine, not the domain.
> Good to know PAM_KRB5 exists and can log into Samba.

I have not tried this. In theory it should. I have earlier tried pam_krb5
with Heimdal clients and OpenSC smart cards to AD.

> I was thinking of a much simpler solution consisting of chaining two PAM
> modules: PAM P11 would get the credentials from the Smartcard and PAM
> Winbind or whatever would check they are valid.

The key point is "check they are valid". The Winbind client cannot
be trusted, only the DC. This is the point of PKINIT: the DC is verifying
the credentials.

>> See http://www.eyrie.org/~eagle/software/pam-krb5/
>> for a pam_krb5 that works with Heimdal and PKINIT.
>> http://www.ietf.org/rfc/rfc4557.txt
>>> Even if PAM P11 is not ready for Samba use, it shouldn't be too
>>> difficult (and take this with a grain of salt, given that PAM is
>>> mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"
>>> PAM P11 and one of the PAM modules included in Samba currently (PAM
>>> password, PAM Winbind, etc).
>> Pam Winbind probably needs some updates to have it use the Heimdal
>> PKINIT and the PKCS#11.


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
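To make the PKINIT path discussed above concrete, here is an added configuration example; it is not from this thread, nor from the pam-krb5, OpenSC or Samba projects. It assumes Russ Allbery's pam-krb5 built against Heimdal, the OpenSC PKCS#11 module at /usr/lib/opensc-pkcs11.so, a realm EXAMPLE.COM, and placeholder certificate paths; the PAM service name "samba" is also an assumption.

```text
# /etc/pam.d/samba  (assumed service name)
# pam_krb5 does PKINIT against the Heimdal KDC instead of asking for a
# password. pkinit_user names the OpenSC PKCS#11 module, so the card's
# certificate and private key sign the AS-REQ; pkinit_anchors is the CA
# the client trusts for the KDC's reply. Module path and CA file are assumed.
auth     sufficient  pam_krb5.so use_pkinit pkinit_prompt \
                     pkinit_user=PKCS11:/usr/lib/opensc-pkcs11.so \
                     pkinit_anchors=FILE:/etc/ssl/certs/example-ca.pem
auth     required    pam_deny.so
account  required    pam_krb5.so

# /etc/krb5.conf on the workstation (Heimdal client library)
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    # The client verifies the KDC's own PKINIT certificate against this
    # anchor, so a host that is not the DC cannot answer the AS-REQ.
    pkinit_anchors = FILE:/etc/ssl/certs/example-ca.pem
    # Require the PKINIT KDC EKU and the krbtgt otherName in the KDC cert.
    pkinit_require_eku = true
    pkinit_require_krbtgt_otherName = true

[realms]
    EXAMPLE.COM = {
        kdc = dc.example.com
    }

# [kdc] section of the Heimdal KDC configuration on the DC (placeholder paths)
[kdc]
    enable-pkinit = yes
    # KDC certificate and key used to sign the PA-PK-AS-REP.
    pkinit_identity = FILE:/etc/heimdal/kdc.pem,/etc/heimdal/kdc.key
    # CA(s) whose client certificates the DC accepts; this is where the
    # credentials are actually verified, not on the workstation.
    pkinit_anchors = FILE:/etc/ssl/certs/example-ca.pem
    # Take the principal name from the certificate's PKINIT SAN.
    pkinit_principal_in_certificate = yes
```

With this split, the workstation never decides whether the card is valid; it only forwards a signed request and checks that the answer really came from a KDC holding a certificate chained to the anchor.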
