[Samba] Fwd: Re: Fwd: Re: Samba 4 & Smart card logon

Charalampos Anargyrou charalampos.anargyrou at gmail.com
Wed Jul 4 11:22:12 MDT 2012

I have followed the instructions on 
http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created a CA and 
certificates with OpenSSL.
I changed the /etc/krb5.conf file to include the new CA and certificates.

I still get

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

So I thought there must be something wrong with the configuration and 
not with the certificates.
I switched back to the previous configuration I was using when I was 
getting the "certificate not found" error, but I am still getting

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

That sounds to me like there is some cache I have to clean.
Am I right?
How can I 'reset' Samba so I can start over?

-------- Original Message --------
Subject: 	Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Wed, 04 Jul 2012 12:50:05 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	Andrew Bartlett <abartlet at samba.org>
CC: 	samba at lists.samba.org

I didn't know I couldn't use kadmin.
It makes sense now.

What I tried was to start over with the Heimdal config.
I did:

cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

to get the generated krb5.conf.

Restarted Samba and checked kinit, which worked correctly.
I cleared the tickets cache with kdestroy.

I then changed /etc/krb5.conf to:

     default_realm = SERVER.CENTOSDOMAIN
     dns_lookup_realm = false
     dns_lookup_kdc = true

     pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem

         pkinit_require_eku = true
         pkinit_require_krbtgt_otherName = true
         pkinit_win2k = yes
         pkinit_win2k_require_binding = no

     enable_pkinit = yes
     pkinit_identify =
     pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
     pkinit_win2k_require_binding = yes
     pkinit_principal_in_certificate = yes

I created /usr/local/samba/var/heimdal/pki-mapping with contents:
virusakos at SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos

Restarted Samba and checked kinit without any options, which worked.
I cleared the tickets cache with kdestroy and then tried the following:

/opt/samba-master/bin/samba4kinit --request-pac --renewable

There is no virus.pem, so obviously I got

samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert
certs: Failed to open PEM file "/home/virusakos/Downloads/virus.pem": No
such file or directory

Trying again with the correct certificate file:

/opt/samba-master/bin/samba4kinit --request-pac --renewable

Now, the error is different:

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

Any hints for the new error?
Does it sound like a configuration error or a certificate error?

Kind Regards,

On 7/4/12 2:39 AM, Andrew Bartlett wrote:
> On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
>> I still have no clue what's going on.
>> In my attempt to find out what's happening, I found out I have done
>> neither 4.23.1 nor 4.23.2 in the Heimdal guide (
>> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )
>> So I tried 4.23.2 i.e.:
>> kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR"
>> and I received this error:
>> kadmin: invalid option -- '-'
>> I then tried to do:
>> kadmin
>> to get into interactive mode so I can issue the modify command but I
>> receive this error:
>> Authenticating as principal Administrator/admin at SERVER.CENTOSDOMAIN with
>> password.
>> kadmin: Client not found in Kerberos database while initializing kadmin
>> interface
>> I was puzzled by the Administrator/admin so next I tried:
>> kadmin -p Administrator at SERVER.CENTOSDOMAIN
>> with yet another error:
>> Authenticating as principal Administrator at SERVER.CENTOSDOMAIN with password.
>> kadmin: Database error! Required KADM5 principal missing while
>> initializing kadmin interface
>> I also tried enabling debugging by using the instructions in
>> http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html
>> but I don't see any error messages
>> 1) How can I enable debugging? I'm on CentOS 6.2
>> 2) According to the above, does it look like my installation is broken?
>> Or is there something I am missing?
> You can not use kadmin against Samba4 (we just don't expose the
> interfaces needed, sorry), and the configuration we test in our selftest
> doesn't need it.  This can all be done with just config file entries.
> Andrew Bartlett
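A quick sanity check for the kind of krb5.conf fragment shown in the forwarded message, as an added example that is not code from this thread or from Samba/Heimdal. The sample text is a constructed copy of a few lines of that fragment; the list of accepted option names is an assumption built from the names in the fragment plus the Heimdal KDC option pkinit_identity, and the file-existence check is injectable so the script runs offline.

```python
"""Lint a krb5.conf fragment for common PKINIT configuration slips:
empty values, option names not in the expected set, duplicated options,
and FILE: references that point at files which do not exist."""
import os
import re
from collections import Counter

# Assumption: names taken from the posted fragment, plus pkinit_identity,
# the Heimdal [kdc] option naming the KDC's own certificate and key.
KNOWN_KEYS = {
    "default_realm", "dns_lookup_realm", "dns_lookup_kdc", "pkinit_anchors",
    "pkinit_require_eku", "pkinit_require_krbtgt_otherName", "pkinit_win2k",
    "pkinit_win2k_require_binding", "enable_pkinit", "pkinit_identity",
    "pkinit_principal_in_certificate",
}

KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def lint_krb5_fragment(text, path_exists=os.path.exists):
    """Return a list of (option, problem) tuples found in the fragment."""
    findings = []
    seen = Counter()
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue  # section headers, braces and blank lines are ignored
        key, value = m.group(1), m.group(2)
        seen[key] += 1
        if key not in KNOWN_KEYS:
            findings.append((key, "unknown option name (typo?)"))
        if value == "":
            findings.append((key, "empty value"))
        if value.startswith("FILE:"):
            # FILE:cert[,key]: every comma-separated path must exist
            for fpath in value[len("FILE:"):].split(","):
                if fpath and not path_exists(fpath):
                    findings.append((key, f"file not found: {fpath}"))
    for key, n in seen.items():
        if n > 1:
            findings.append((key, f"set {n} times"))
    return findings


# Constructed sample: a subset of the fragment posted in the thread.
SAMPLE = """\
    default_realm = SERVER.CENTOSDOMAIN
    pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
    pkinit_require_eku = true
    enable_pkinit = yes
    pkinit_identify =
    pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
"""

if __name__ == "__main__":
    for key, problem in lint_krb5_fragment(SAMPLE, path_exists=lambda p: False):
        print(f"{key}: {problem}")
```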
