[Samba] Fwd: Re: Samba 4 & Smart card logon

Charalampos Anargyrou charalampos.anargyrou at gmail.com
Wed Jul 4 03:50:05 MDT 2012


I didn't know I couldn't use kadmin.
It makes sense now.


What I tried is to start with the Heimdal config from the start.
I did:

cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

to get the generated krb5.conf

Restarted Samba and checked kinit, which worked correctly.
I cleared the tickets cache with kdestroy.

I then changed /etc/krb5.conf to:

[libdefaults]
     default_realm = SERVER.CENTOSDOMAIN
     dns_lookup_realm = false
     dns_lookup_kdc = true

[appdefaults]
     pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem

[realms]
     SERVER.CENTOSDOMAIN = {
         pkinit_require_eku = true
         pkinit_require_krbtgt_otherName = true
         pkinit_win2k = yes
         pkinit_win2k_require_binding = no
     }

[kdc]
     enable_pkinit = yes
     # Heimdal's option name is pkinit_identity
     pkinit_identity = FILE:/home/virusakos/Downloads/server.centosdomain.pem
     pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
     pkinit_win2k_require_binding = yes
     pkinit_principal_in_certificate = yes


I created /usr/local/samba/var/heimdal/pki-mapping with contents:
virusakos@SERVER.CENTOSDOMAIN:C=GR,O=Byte Computers,CN=virusakos,UID=virusakos
virusakos@SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos


Restarted Samba and checked kinit without any options, which worked 
correctly.
I cleared the tickets cache with kdestroy and then tried the following:

/opt/samba-master/bin/samba4kinit --request-pac --renewable \
    --pk-user=FILE:/home/virusakos/Downloads/virus.pem \
    virusakos@SERVER.CENTOSDOMAIN

There is no virus.pem so obviously I got

samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert 
certs: Failed to open PEM file "/home/virusakos/Downloads/virus.pem": No 
such file or directory


Trying again with the correct certificate file:

/opt/samba-master/bin/samba4kinit --request-pac --renewable \
    --pk-user=FILE:/home/virusakos/Downloads/virusakos.pem \
    virusakos@SERVER.CENTOSDOMAIN

Now, the error is different:

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


Any hints for the new error?
Does it sound like a configuration error or a certificate error?


Kind Regards,
Charalampos


On 7/4/12 2:39 AM, Andrew Bartlett wrote:
> On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
>> I still have no clue what's going on.
>>
>> In my attempt to find out what's happening, I found out I have done
>> neither 4.23.1 nor 4.23.2 in the Heimdal guide (
>> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )
>> So I tried 4.23.2 i.e.:
>>
>> kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR" \
>>     myuser@SERVER.CENTOSDOMAIN
>>
>> and I received this error:
>>
>> kadmin: invalid option -- '-'
>>
>>
>> I then tried to do:
>>
>> kadmin
>>
>> to get into interactive mode so I can issue the modify command but I
>> receive this error:
>>
>> Authenticating as principal Administrator/admin at SERVER.CENTOSDOMAIN with
>> password.
>> kadmin: Client not found in Kerberos database while initializing kadmin
>> interface
>>
>> I was puzzled with the Administrator/admin so next I tried:
>>
>> kadmin -p Administrator at SERVER.CENTOSDOMAIN
>>
>> with yet another error:
>>
>> Authenticating as principal Administrator at SERVER.CENTOSDOMAIN with password.
>> kadmin: Database error! Required KADM5 principal missing while
>> initializing kadmin interface
>>
>>
>> I also tried enabling debugging by using the instructions in
>> http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html
>> but I don't see any error messages
>>
>>
>> 1) How can I enable debugging? I'm on CentOS 6.2
>> 2) According to the above, does it look like my installation is broken?
>> Or is there something I am missing?
> You can not use kadmin against Samba4 (we just don't expose the
> interfaces needed, sorry), and the configuration we test in our selftest
> doesn't need it.  This can all be done with just config file entries.
>
> Andrew Bartlett
>
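The [realms] block in the config above makes the client require a PKINIT EKU and a krbtgt otherName in the KDC certificate, and the [kdc] block lets the KDC take the principal from the client certificate, so one way to separate a certificate problem from a configuration problem is to check the certificate files for exactly those extensions. The script below is an added example, not code from this thread, Samba or Heimdal: it uses openssl (assumed installed) to mint a throwaway CA and two certificates under names borrowed from the post, then scans each for the PKINIT OIDs. It looks for the DER-encoded OIDs rather than openssl's printed names, so the result does not depend on whether the local build knows id-pkinit-san by name.

```shell
# Added example, not from the Samba thread or the Heimdal project: mint a
# throwaway CA, a KDC certificate and a client certificate carrying the PKINIT
# extensions the krb5.conf above asks for, then check each file for the
# relevant OIDs. Realm, principal and file names are assumptions that mirror the post.
set -e

REALM=SERVER.CENTOSDOMAIN
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write an OpenSSL config whose [ext] section carries the given EKU and an
# id-pkinit-san (1.3.6.1.5.2.2) otherName holding a KRB5PrincipalName:
#   SEQUENCE { realm [0] GeneralString,
#              principalName [1] SEQUENCE { name-type [0] INTEGER,
#                                           name-string [1] SEQUENCE OF GeneralString } }
# $1 = output file, $2 = CN, $3 = EKU OID, $4 = name-type, $5.. = name-string parts
write_cnf() {
  cnf=$1 cn=$2 eku=$3 ntype=$4
  shift 4
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    printf '[dn]\nC = GR\nO = Byte Computers\nCN = %s\n' "$cn"
    printf '[ext]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n'
    printf 'extendedKeyUsage = %s\n' "$eku"
    printf 'subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:krb5princ\n'
    printf '[krb5princ]\nrealm = EXP:0, GeneralString:%s\n' "$REALM"
    printf 'principal_name = EXP:1, SEQUENCE:krb5name\n'
    printf '[krb5name]\nname_type = EXP:0, INTEGER:%s\n' "$ntype"
    printf 'name_string = EXP:1, SEQUENCE:krb5parts\n[krb5parts]\n'
    i=0
    for part in "$@"; do i=$((i + 1)); printf 'part%s = GeneralString:%s\n' "$i" "$part"; done
  } > "$cnf"
}

# Self-signed anchor standing in for the post's SuperCA.pem
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nC = GR\nO = Byte Computers\nCN = SuperCA\n[ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > "$WORK/ca.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
  -extensions ext -keyout "$WORK/SuperCA.key" -out "$WORK/SuperCA.pem" 2>/dev/null

# Issue a leaf: CSR from the config's [dn], signed by the anchor with the config's [ext]
issue() {   # $1 = basename, $2 = config file
  openssl req -new -newkey rsa:2048 -nodes -config "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/SuperCA.pem" \
    -CAkey "$WORK/SuperCA.key" -CAcreateserial -extfile "$2" -extensions ext \
    -out "$WORK/$1.pem" 2>/dev/null
}

# KDC certificate: id-pkinit-KPKdc EKU, SAN krbtgt/REALM@REALM (name-type 2, NT-SRV-INST)
write_cnf "$WORK/kdc.cnf" server.centosdomain 1.3.6.1.5.2.3.5 2 krbtgt "$REALM"
issue server.centosdomain "$WORK/kdc.cnf"
# Client certificate: id-pkinit-KPClientAuth EKU, SAN virusakos@REALM (name-type 1, NT-PRINCIPAL)
write_cnf "$WORK/client.cnf" virusakos 1.3.6.1.5.2.3.4 1 virusakos
issue virusakos "$WORK/client.cnf"

# Look for the DER encoding of an OID anywhere in the certificate, so the
# result does not depend on whether the local OpenSSL knows a name for it.
has_oid() {   # $1 = PEM file, $2 = hex bytes of the DER-encoded OBJECT IDENTIFIER
  openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n' | grep -q "$2"
}
OID_PKINIT_CLIENT=06072b060105020304   # 1.3.6.1.5.2.3.4  id-pkinit-KPClientAuth
OID_PKINIT_KDC=06072b060105020305      # 1.3.6.1.5.2.3.5  id-pkinit-KPKdc
OID_PKINIT_SAN=06062b0601050202        # 1.3.6.1.5.2.2    id-pkinit-san

# What a client with pkinit_require_eku and pkinit_require_krbtgt_otherName
# insists on in the KDC certificate: trusted chain, KDC EKU, krbtgt SAN.
check_kdc_cert() {
  openssl verify -CAfile "$WORK/SuperCA.pem" "$1" >/dev/null 2>&1 &&
    has_oid "$1" "$OID_PKINIT_KDC" && has_oid "$1" "$OID_PKINIT_SAN"
}
# What the KDC needs to take the principal from the client certificate itself
# rather than from the pki-mapping file: trusted chain, client EKU, principal SAN.
check_client_cert() {
  openssl verify -CAfile "$WORK/SuperCA.pem" "$1" >/dev/null 2>&1 &&
    has_oid "$1" "$OID_PKINIT_CLIENT" && has_oid "$1" "$OID_PKINIT_SAN"
}

check_kdc_cert "$WORK/server.centosdomain.pem" && echo "KDC certificate: ok"
check_client_cert "$WORK/virusakos.pem" && echo "client certificate: ok"
```

Point has_oid and the openssl verify call at the real server.centosdomain.pem and virusakos.pem instead of the generated files: a KDC certificate without 1.3.6.1.5.2.3.5 or without the krbtgt otherName is rejected by a client configured with pkinit_require_eku and pkinit_require_krbtgt_otherName regardless of what the pki-mapping file says, and that is a certificate error rather than a configuration error.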



