[Samba] Samba 4 & Smart card logon

Andrew Bartlett abartlet at samba.org
Mon Jul 2 16:26:26 MDT 2012

On Mon, 2012-07-02 at 17:24 +0300, Charalampos Anargyrou wrote:
> Hello list,
> I have installed and configured a domain with Samba version 
> 4.0.0beta2-GIT-7e80b89 on a CentOS 6.2
> I can successfully join a Windows PC in the domain (both Windows XP and 
> Windows 7 tested)
> Now, I am trying to move a step forward and I would like to configure 
> Samba to accept Windows smart card logon
> This is a requirement for a project I am involved in
> I have already installed the required client on Windows and I have a 
> smart card for testing
> I have already installed EJBCA as my CA on CentOS 6.2
> On the Samba wiki, the how-to at
> http://wiki.samba.org/index.php/Samba4/Smart_Card_Login is not ready, so
> if anyone can help I will appreciate it
> According to the headers in the how-to, I have to configure Heimdal to
> accept PKINIT
> I found a guide on 
> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
> I've also found a guide on 
> http://k5wiki.kerberos.org/wiki/Pkinit_configuration for MIT Kerberos 
> which has some more info on the certificates
> I have created the Kerberos certificate according to what I have 
> understood from the guides but I don't know how to test if the 
> certificate is correct
> So, my first question is how to test if the Kerberos certificate is correct?
> Second question is when I create a client certificate (I think I
> understood from the guides how to create it), how will I test it?
> Will a kinit command like "kinit -C FILE:$HOME/clientcert.crt
> example-user@EXAMPLE-DOMAIN" be enough to test the client certificate?

I think so, see testprogs/blackbox/test_pkinit.sh for our tests of this

> And a final question (for now) is if there is any kind of documentation 
> related to "Configure Samba4 to know about the certificate" and where I 
> can find it?

Sorry, while some have had success with this, we didn't end up getting
it documented.  If you could fill in the wiki with your experiences,
that would be most valuable to others!

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
