[Samba] Broken support for Smart Card Logon in Windows 2003 and XP

Николай Домуховский nick2005a.d at gmail.com
Tue Oct 5 15:11:09 MDT 2010

As I can see in this post: https://jira.it.su.se/jira/browse/HEIMDAL-241,
at least Samba 4.0.0alpha5 supported Smart Card logon for Windows XP.
The current version (Version 4.0.0alpha14-GIT-77d959f+) does not support
smart card logon on a Windows XP workstation (but Windows 7 works well).
I tried to compare Kerberos traffic examples from a genuine domain
controller and Samba's response and found at least one difference
which could be the cause of the issue: Samba (in fact, Heimdal) generates
a PA-PK-AS-REP which violates RFC 3852 (Cryptographic Message Syntax).
RFC 3852 says:

 If the RecipientIdentifier
 is the CHOICE issuerAndSerialNumber, then the version MUST be 0.
 If the RecipientIdentifier is subjectKeyIdentifier, then the
 version MUST be 2.

But Heimdal uses subjectKeyIdentifier in the response with version number
0. MS uses issuerAndSerialNumber.
I tried to force Heimdal to use issuerAndSerialNumber in the response (simply
by commenting out the if statement in the hx509_cms_create_signed function and
making sigctx.cmsidflag always equal to CMS_ID_NAME), but this didn't work:
even after that, the response from Samba contains subjectKeyIdentifier and
version number 0. So I think that maybe this is a Heimdal bug and
there is some workaround - if you know it, please tell me.

In addition - here are the parsing results of Krb5 AS-REP packet fragments (I
used Netmon 3.4 - it is somewhat better than Wireshark at parsing
Kerberos packets).

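Added example, not code from the post, from Samba or from Heimdal: a small hand-written DER walker that reads the version INTEGER and the identifier CHOICE at the head of a CMS SignerInfo or KeyTransRecipientInfo and compares them against the RFC 3852 rules. Section 5.3 of that RFC requires version 1 for issuerAndSerialNumber and 3 for subjectKeyIdentifier in SignerInfo; section 6.2.1 requires the 0 and 2 quoted above for KeyTransRecipientInfo. The two sample blobs are constructed here (placeholder empty issuer Name, made-up serial and key identifier, a dummy SHA-1 digestAlgorithm trailer), not captured from Samba; the "Heimdal-like" one reproduces the combination the post describes, subjectKeyIdentifier with version 0, which fails the check under either structure.

```python
"""Check the RFC 3852 CMSVersion / identifier-CHOICE consistency rule.

Works on the leading fields of a DER-encoded SignerInfo or
KeyTransRecipientInfo; the rest of the structure is not interpreted.
"""

# Expected CMSVersion per identifier CHOICE (RFC 3852 sections 5.3 and 6.2.1).
EXPECTED_VERSION = {
    "SignerInfo": {"issuerAndSerialNumber": 1, "subjectKeyIdentifier": 3},
    "KeyTransRecipientInfo": {"issuerAndSerialNumber": 0, "subjectKeyIdentifier": 2},
}


def der_tlv(data, offset=0):
    """Parse one DER TLV at offset; return (tag, value, offset_after)."""
    tag = data[offset]
    first = data[offset + 1]
    offset += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, 1..4 length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, offset + length


def der_encode(tag, content):
    """Encode one DER TLV (used only to build the constructed samples)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lenbytes = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + content


def der_integer(n):
    """DER INTEGER for a non-negative value (enough for CMSVersion and serials)."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return der_encode(0x02, body)


def check_cms_version(struct_name, der_bytes):
    """Return version, identifier CHOICE, RFC-expected version and whether they agree."""
    if struct_name not in EXPECTED_VERSION:
        raise ValueError("unknown structure: %s" % struct_name)
    tag, body, _ = der_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    vtag, vval, off = der_tlv(body)       # first field: version CMSVersion
    if vtag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(vval, "big")
    itag, _, _ = der_tlv(body, off)       # second field: sid / rid CHOICE
    if itag == 0x30:                      # IssuerAndSerialNumber is a SEQUENCE
        choice = "issuerAndSerialNumber"
    elif itag == 0x80:                    # [0] IMPLICIT OCTET STRING SubjectKeyIdentifier
        choice = "subjectKeyIdentifier"
    else:
        raise ValueError("unexpected identifier tag 0x%02x" % itag)
    expected = EXPECTED_VERSION[struct_name][choice]
    return {"version": version, "identifier": choice,
            "expected_version": expected, "ok": version == expected}


def build_sample(version, identifier):
    """Constructed sample (not a real capture): version + identifier + dummy trailer."""
    if identifier == "issuerAndSerialNumber":
        empty_name = der_encode(0x30, b"")                    # placeholder issuer Name
        ident = der_encode(0x30, empty_name + der_integer(0x1234))  # made-up serial
    else:
        ident = der_encode(0x80, bytes(range(20)))            # made-up 20-byte KeyIdentifier
    sha1_oid = der_encode(0x06, bytes.fromhex("2b0e03021a"))  # 1.3.14.3.2.26
    trailer = der_encode(0x30, sha1_oid + der_encode(0x05, b""))  # digestAlgorithm only
    return der_encode(0x30, der_integer(version) + ident + trailer)


# What the post reports Heimdal emitting, and what MS emits, as constructed blobs.
HEIMDAL_LIKE = build_sample(0, "subjectKeyIdentifier")
MS_LIKE = build_sample(1, "issuerAndSerialNumber")

if __name__ == "__main__":
    for label, blob in (("heimdal-like", HEIMDAL_LIKE), ("ms-like", MS_LIKE)):
        for struct_name in EXPECTED_VERSION:
            print(label, struct_name, check_cms_version(struct_name, blob))
```

Running the block prints the check for both blobs against both structures; the subjectKeyIdentifier-with-version-0 combination is flagged whichever structure it is read as, which is the fingerprint to look for in a Netmon or Wireshark dump of the PA-PK-AS-REP before digging further into hx509.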