[Samba] Broken support for Smart Card Logon in Windows 2003 and XP
Николай Домуховский
nick2005a.d at gmail.com
Tue Oct 5 15:11:09 MDT 2010
Hello.
As I can see from this post: https://jira.it.su.se/jira/browse/HEIMDAL-241,
at least Samba 4.0.0alpha5 supported Smart Card logon for Windows XP
workstations.
The current version (Version 4.0.0alpha14-GIT-77d959f+) does not support
smart card logon on Windows XP workstations (but Windows 7 works well).
I tried to compare Kerberos traffic examples from a genuine domain
controller and Samba's response and found at least one difference,
which could be the cause of the issue: Samba (in fact, Heimdal) generates
a PA-PK-AS-REP which violates RFC 3852 (Cryptographic Message Syntax).
RFC 3852 says:

    If the RecipientIdentifier is the CHOICE issuerAndSerialNumber,
    then the version MUST be 0. If the RecipientIdentifier is
    subjectKeyIdentifier, then the version MUST be 2.
But Heimdal uses subjectKeyIdentifier in the response and version number
0. MS uses issuerAndSerialNumber.
I tried to force Heimdal to use issuerAndSerialNumber in the response (simply
by commenting out the if statement in the hx509_cms_create_signed function and
making sigctx.cmsidflag always equal to CMS_ID_NAME), but this didn't work:
even after that, the response from Samba contains subjectKeyIdentifier and
version number 0. So I think that maybe this is a Heimdal bug and
there is some workaround; if you know it, please tell me.
In addition, here are the parsing results of the Krb5 AS-REP packet fragments (I
used Netmon 3.4; it is somewhat better than Wireshark at parsing
Kerberos packets).
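The consistency rule quoted above (RecipientIdentifier choice versus CMSVersion in a KeyTransRecipientInfo, RFC 3852 section 6.2.1) is easy to check mechanically when comparing captures from two KDCs. The following is an added example written for this page, not Heimdal, Samba or Microsoft code: a small DER encoder/decoder builds constructed KeyTransRecipientInfo samples (an issuerAndSerialNumber one with version 0, as the post describes for Windows, and a subjectKeyIdentifier one with version 0, as the post describes for Heimdal) and a checker reports the mismatch. The issuer name, serial number, key identifier and encryptedKey bytes are all constructed placeholders; `inspect_ktri` and `build_ktri` are hypothetical helper names.

```python
"""Check RFC 3852 KeyTransRecipientInfo version/rid consistency.

Added example with constructed sample data; not Heimdal/Samba code.
Structure (RFC 3852 6.2.1, IMPLICIT tags):
  KeyTransRecipientInfo ::= SEQUENCE { version, rid, keyEncryptionAlgorithm, encryptedKey }
  RecipientIdentifier   ::= CHOICE { issuerAndSerialNumber SEQUENCE, subjectKeyIdentifier [0] OCTET STRING }
"""
from typing import Dict, List, Tuple

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_CTX0_IMPLICIT = 0x80  # [0] IMPLICIT SubjectKeyIdentifier


# ---- minimal DER encoding (only what the samples need) ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(v: int) -> bytes:
    # non-negative INTEGER, minimal two's-complement encoding
    body = b"\x00" if v == 0 else v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return der(TAG_INTEGER, body)


# ---- minimal DER decoding (low tag numbers only, which is all CMS uses here) ----
def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value bytes, position after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def inspect_ktri(ktri: bytes) -> Dict[str, object]:
    """Decode version and rid choice; list findings (empty when consistent)."""
    findings: List[str] = []
    tag, body, _ = parse_tlv(ktri)
    if tag != TAG_SEQUENCE:
        return {"version": None, "rid": None, "findings": ["not a SEQUENCE"]}
    tag, vbody, pos = parse_tlv(body)
    if tag != TAG_INTEGER:
        return {"version": None, "rid": None, "findings": ["version is not an INTEGER"]}
    version = int.from_bytes(vbody, "big", signed=True)
    tag, _, _ = parse_tlv(body, pos)
    if tag == TAG_SEQUENCE:
        rid, expected = "issuerAndSerialNumber", 0
    elif tag == TAG_CTX0_IMPLICIT:
        rid, expected = "subjectKeyIdentifier", 2
    else:
        return {"version": version, "rid": None, "findings": [f"unknown rid tag 0x{tag:02x}"]}
    if version != expected:
        findings.append(f"rid is {rid} but version is {version}; RFC 3852 6.2.1 requires {expected}")
    return {"version": version, "rid": rid, "findings": findings}


# ---- constructed samples (placeholder issuer, serial, key id and key bytes) ----
def _issuer_and_serial(cn: str, serial: int) -> bytes:
    attr = der(TAG_SEQUENCE, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))  # CN=...
    return der(TAG_SEQUENCE, der(TAG_SEQUENCE, der(0x31, attr)) + der_int(serial))


def _alg_rsa() -> bytes:  # rsaEncryption with NULL parameters
    return der(TAG_SEQUENCE, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))


def build_ktri(version: int, rid: bytes) -> bytes:
    return der(TAG_SEQUENCE, der_int(version) + rid + _alg_rsa() + der(TAG_OCTET_STRING, b"\x00" * 16))


WINDOWS_STYLE = build_ktri(0, _issuer_and_serial("Example CA", 0x1234))   # consistent
HEIMDAL_STYLE = build_ktri(0, der(TAG_CTX0_IMPLICIT, bytes(range(20))))   # mismatch as described
SKI_STYLE = build_ktri(2, der(TAG_CTX0_IMPLICIT, bytes(range(20))))       # consistent

if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_STYLE), ("heimdal", HEIMDAL_STYLE), ("ski-v2", SKI_STYLE)):
        print(name, inspect_ktri(sample))
```

On a real capture, feed `inspect_ktri` the DER bytes of each RecipientInfo pulled out of the EnvelopedData in the PA-PK-AS-REP; a non-empty findings list pinpoints exactly which side's encoder disagrees with the RFC, which is more reliable than eyeballing two dissector trees.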