[Samba] Samba 4 & Smart card logon

Charalampos Anargyrou charalampos.anargyrou at gmail.com
Tue Jul 3 03:25:49 MDT 2012

Hello Andrew,

Thanks for your reply.

Yes I could fill in the wiki if I manage to make it work :-)

I'm trying to test the Kerberos configuration with the certificates I 
have created. I'm getting this error:

samba4kinit: krb5_pk_enterprise_certs: Failed to find PKINIT 
certificate: Certificate not found

using this command:

samba4kinit --pk-user=FILE:/home/myuser/Downloads/myuser.pem --pk-enterprise

Does the error mean my certificates are wrong or does it mean I have not 
configured kerberos properly?

Here is my /etc/krb5.conf:

[libdefaults]
         default_realm = SERVER.CENTOSDOMAIN
         dns_lookup_realm = true
         dns_lookup_kdc = true

         pkinit_anchors = FILE:/usr/local/samba/private/tls/SuperCA.pem

[realms]
         SERVER.CENTOSDOMAIN = {
                 kdc = server.centosdomain:88
                 default_domain = centosdomain
                 pkinit_require_eku = true
                 pkinit_require_krbtgt_otherName = true
                 pkinit_win2k = no
                 pkinit_win2k_require_binding = yes
         }

[domain_realm]
         .centosdomain = SERVER.CENTOSDOMAIN
         centosdomain = SERVER.CENTOSDOMAIN

[kdc]
         enable-pkinit = yes
         pkinit_identify = 
         pkinit_anchors = FILE:/usr/local/samba/private/tls/SuperCA.pem
         pkinit_win2k_require_binding = yes
         pkinit_principal_in_certificate = yes

Any ideas how to find out what's wrong?

Kind Regards,

On 7/3/12 1:26 AM, Andrew Bartlett wrote:
> On Mon, 2012-07-02 at 17:24 +0300, Charalampos Anargyrou wrote:
>> Hello list,
>> I have installed and configured a domain with Samba version
>> 4.0.0beta2-GIT-7e80b89 on a CentOS 6.2
>> I can successfully join a Windows PC to the domain (both Windows XP and
>> Windows 7 tested)
>> Now, I am trying to move a step forward and I would like to configure
>> Samba to accept Windows smart card logon
>> This is a requirement for a project I am involved in
>> I have already installed the required client on Windows and I have a
>> smart card for testing
>> I have already installed EJBCA as my CA on CentOS 6.2
>> On the Samba wiki the how-to at
>> http://wiki.samba.org/index.php/Samba4/Smart_Card_Login is not ready, so
>> if anyone can help, I will appreciate it
>> According to the headers in the how-to, I have to configure Heimdal to
>> accept PKINIT
>> I found a guide on
>> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
>> I've also found a guide on
>> http://k5wiki.kerberos.org/wiki/Pkinit_configuration for MIT Kerberos
>> which has some more info on the certificates
>> I have created the Kerberos certificate according to what I have
>> understood from the guides but I don't know how to test if the
>> certificate is correct
>> So, my first question is how to test if the Kerberos certificate is correct?
>> Second question is when I create a client certificate (I think I
>> understood from the guides how to create one), how will I test it?
>> Will a kinit command like "kinit -C FILE:$HOME/clientcert.crt
>> example-user@EXAMPLE-DOMAIN" be enough to test the client certificate?
> I think so, see testprogs/blackbox/test_pkinit.sh for our tests of this
> functionality.
>> And a final question (for now) is if there is any kind of documentation
>> related to "Configure Samba4 to know about the certificate" and where I
>> can find it?
> Sorry, while some have had success with this, we didn't end up getting
> it documented.  If you could fill in the wiki with your experiences,
> that would be most valuable to others!
> Andrew Bartlett
