[Samba] Samba 4 & Smart card logon
Charalampos Anargyrou
charalampos.anargyrou at gmail.com
Tue Jul 3 03:25:49 MDT 2012
Hello Andrew,
Thanks for your reply.
Yes I could fill in the wiki if I manage to make it work :-)
I'm trying to test the Kerberos configuration with the certificates I
have created
I'm getting this error:
samba4kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found
using this command:
samba4kinit --pk-user=FILE:/home/myuser/Downloads/myuser.pem --pk-enterprise
Does the error mean my certificates are wrong or does it mean I have not
configured kerberos properly?
Here is my /etc/krb5.conf
[libdefaults]
default_realm = SERVER.CENTOSDOMAIN
dns_lookup_realm = true
dns_lookup_kdc = true
[appdefaults]
pkinit_anchors = FILE:/usr/local/samba/private/tls/SuperCA.pem
[realms]
SERVER.CENTOSDOMAIN = {
kdc = server.centosdomain:88
default_domain = centosdomain
pkinit_require_eku = true
pkinit_require_krbtgt_otherName = true
pkinit_win2k = no
pkinit_win2k_require_binding = yes
}
[domain_realm]
.centosdomain = SERVER.CENTOSDOMAIN
centosdomain = SERVER.CENTOSDOMAIN
[kdc]
enable-pkinit = yes
pkinit_identify = FILE:/usr/local/samba/private/tls/server.centosdomain.pem
pkinit_anchors = FILE:/usr/local/samba/private/tls/SuperCA.pem
pkinit_win2k_require_binding = yes
pkinit_principal_in_certificate = yes
Any ideas how to find out what's wrong?
Kind Regards,
Charalampos
On 7/3/12 1:26 AM, Andrew Bartlett wrote:
> On Mon, 2012-07-02 at 17:24 +0300, Charalampos Anargyrou wrote:
>> Hello list,
>>
>> I have installed and configured a domain with Samba version
>> 4.0.0beta2-GIT-7e80b89 on a CentOS 6.2
>>
>> I can successfully join a Windows PC in the domain (both Windows XP and
>> Windows 7 tested)
>>
>> Now, I am trying to move a step forward and I would like to configure
>> Samba to accept Windows smart card logon
>> This is a requirement for a project I am involved in
>>
>> I have already installed the required client on Windows and I have a
>> smart card for testing
>> I have already installed EJBCA as my CA on CentOS 6.2
>>
>> On Samba wiki the how to in
>> http://wiki.samba.org/index.php/Samba4/Smart_Card_Login is not ready, so
>> if anyone can help I will appreciate it
>> According to the headers in the how to, I have to configure Heimdal to
>> accept PKINIT
>> I found a guide on
>> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
>> I've also found a guide on
>> http://k5wiki.kerberos.org/wiki/Pkinit_configuration for MIT Kerberos
>> which has some more info on the certificates
>>
>> I have created the Kerberos certificate according to what I have
>> understood from the guides but I don't know how to test if the
>> certificate is correct
>> So, my first question is how to test if the Kerberos certificate is correct?
>> Second question is when I create a client certificate (I think I
>> understood from the guides how to create) how I will test it?
>> Will a kinit command like "kinit -C FILE:$HOME/clientcert.crt
>> example-user@EXAMPLE-DOMAIN" be enough to test the client certificate?
> I think so, see testprogs/blackbox/test_pkinit.sh for our tests of this
> functionality.
>
>> And a final question (for now) is if there is any kind of documentation
>> related to "Configure Samba4 to know about the certificate" and where I
>> can find it?
> Sorry, while some have had success with this, we didn't end up getting
> it documented. If you could fill in the wiki with your experiences,
> that would be most valuable to others!
>
> Andrew Bartlett
>