[Samba] Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 & Smart card logon

Charalampos Anargyrou charalampos.anargyrou at gmail.com
Thu Jul 5 04:04:21 MDT 2012


Ok, I managed to solve some of my problems

I had typographic errors in my /etc/krb5.conf
Specifically I had

[kdc]
         enable_pkinit = yes
         pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem

Changed to

[kdc]
         enable-pkinit = yes
         pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem


I have also enabled debugging by stopping the samba service and started 
samba with:

samba -i -M single -d3


Tried again to test samba4kinit with certificate with:

/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

which again produces

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

but I can at least see in the console this:

Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
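As an added example (it is not code from this thread, from Samba or from Heimdal), here is a small Python triage script for KDC console output of the kind shown above: it groups the `samba -d3` lines into AS-REQ exchanges, records which pre-authentication types the client offered, which PKINIT errors the KDC logged and how it answered, and produces a per-client verdict. The embedded log is the output above with the list archive's " at " restored to "@"; the verdict strings are this example's own reading of those messages, not a Heimdal error table.

```python
"""Triage Heimdal/Samba 4 KDC debug output (samba -d3) for failed PKINIT pre-auth.

Added example for this thread, not Samba or Heimdal code. The line formats
are taken from the console output in the thread; the verdict strings are this
example's own interpretation of those messages.
"""
import re
from collections import defaultdict

# Constructed sample: the two AS-REQ exchanges from the thread, with the
# list archive's " at " restored to "@".
SAMPLE_LOG = """\
Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
"""

AS_REQ_RE = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)$")
PATYPES_RE = re.compile(r"^Kerberos: Client sent patypes: (.*)$")
PKINIT_ERR_RE = re.compile(r"^Kerberos: PKINIT: (.*)$")
OUTCOME_RE = re.compile(r"^Kerberos: No preauth found, returning (\S+) --")

# Verdict strings: this example's own interpretation of the KDC messages.
VERDICT_SIGNER = ("PKINIT offered but the KDC could not verify the signer certificate; "
                  "check that the client certificate chains to the KDC's pkinit_anchors")
VERDICT_OTHER_PKINIT = "PKINIT offered but rejected for another reason; see pkinit_errors"
VERDICT_NO_PKINIT = "client did not offer PKINIT"


def parse_kdc_log(text):
    """Group the log into one dict per AS-REQ exchange, in order of arrival."""
    requests, cur = [], None
    for line in text.splitlines():
        m = AS_REQ_RE.match(line)
        if m:
            cur = {"client": m.group(1), "source": m.group(2), "server": m.group(3),
                   "patypes": [], "pkinit_errors": [], "outcome": None}
            requests.append(cur)
            continue
        if cur is None:            # lines before the first AS-REQ belong to nothing
            continue
        m = PATYPES_RE.match(line)
        if m:
            cur["patypes"] = [p.strip() for p in m.group(1).split(",")]
            continue
        m = PKINIT_ERR_RE.match(line)
        if m:
            cur["pkinit_errors"].append(m.group(1))
            continue
        m = OUTCOME_RE.match(line)
        if m:
            cur["outcome"] = m.group(1)
    return requests


def diagnose(requests):
    """Summarise per client principal: attempts, sources, outcomes and a verdict.

    A client that offers PKINIT, fails signature verification and is answered
    with PREAUTH-REQUIRED retries once and then stops; that is the server-side
    view of samba4kinit's "Already tried pkinit, looping".
    """
    summary = defaultdict(lambda: {"attempts": 0, "sources": set(), "outcomes": set(),
                                   "pkinit_offered": False, "signer_failures": 0})
    for r in requests:
        s = summary[r["client"]]
        s["attempts"] += 1
        src = r["source"]
        # Heimdal prints "ipv4:host:port"; keep just the host for ipv4 sources.
        s["sources"].add(src.split(":")[1] if src.startswith("ipv4:") else src)
        s["outcomes"].add(r["outcome"])
        if any(p.startswith("PK-INIT") for p in r["patypes"]):
            s["pkinit_offered"] = True
        if any("signer" in e for e in r["pkinit_errors"]):
            s["signer_failures"] += 1
    for s in summary.values():
        if not s["pkinit_offered"]:
            s["verdict"] = VERDICT_NO_PKINIT
        elif s["signer_failures"] == s["attempts"]:
            s["verdict"] = VERDICT_SIGNER
        else:
            s["verdict"] = VERDICT_OTHER_PKINIT
    return dict(summary)


if __name__ == "__main__":
    for client, s in diagnose(parse_kdc_log(SAMPLE_LOG)).items():
        print(f"{client}: {s['attempts']} attempt(s) from {sorted(s['sources'])} "
              f"-> {sorted(s['outcomes'])}: {s['verdict']}")
```

Two attempts from the same client, both offering PK-INIT(win2k) and both answered with PREAUTH-REQUIRED after a signer-certificate failure, is what the client side reports as "Already tried pkinit, looping". The KDC rejected the PA-PK-AS-REQ at signature verification, before any mapping of the certificate to a principal, so the first thing to check is whether the KDC can build a chain from the client certificate to the anchors named in its `pkinit_anchors`, not the pki-mapping file.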




-------- Original Message --------
Subject: 	Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Thu, 05 Jul 2012 12:01:13 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	samba at lists.samba.org



I've checked the source code and found out the enctypes I can test

/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

produces

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


For the rest of the enctypes

/opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

I get

samba4kinit: krb5_get_init_creds: KDC has no support for encryption type


Looking on the Internet, I found a suggestion to write

allow_weak_crypto = true

under

[libdefaults]

in /etc/krb5.conf, which I did, but I still get the same messages back


Can anyone understand what could be my problem?



-------- Original Message --------
Subject: 	Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Wed, 04 Jul 2012 20:22:12 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	samba at lists.samba.org



I have followed the instructions on 
http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created a CA and 
certificates with OpenSSL.
I changed the /etc/krb5.conf file to include the new CA and certificates.

I still get

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping



So I thought there must be something wrong with the configuration and 
not with the certificates.
I switched back to the previous configuration I was using when I was 
getting the certificate not found error, but I am still getting

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


That sounds to me like there is some cache I have to clean.
Am I right?
How can I 'reset' Samba so I can start over?



-------- Original Message --------
Subject: 	Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Wed, 04 Jul 2012 12:50:05 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	Andrew Bartlett <abartlet at samba.org>
CC: 	samba at lists.samba.org



I didn't know I couldn't use kadmin.
It makes sense now.


What I tried is to start with the Heimdal config from the start.
I did:

cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

to get the generated krb5.conf

Restarted Samba and checked kinit, which worked correctly.
I cleared the tickets cache with kdestroy.

I then changed /etc/krb5.conf to:

[libdefaults]
     default_realm = SERVER.CENTOSDOMAIN
     dns_lookup_realm = false
     dns_lookup_kdc = true

[appdefaults]
     pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem

[realms]
     SERVER.CENTOSDOMAIN = {
         pkinit_require_eku = true
         pkinit_require_krbtgt_otherName = true
         pkinit_win2k = yes
         pkinit_win2k_require_binding = no
     }

[kdc]
     enable_pkinit = yes
     pkinit_identify = FILE:/home/virusakos/Downloads/server.centosdomain.pem
     pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
     pkinit_win2k_require_binding = yes
     pkinit_principal_in_certificate = yes


I created /usr/local/samba/var/heimdal/pki-mapping with contents:
virusakos@SERVER.CENTOSDOMAIN:C=GR,O=Byte Computers,CN=virusakos,UID=virusakos
virusakos@SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos


Restarted Samba and checked kinit without any options, which worked
correctly.
I cleared the tickets cache with kdestroy and then tried the following:

/opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virus.pem virusakos@SERVER.CENTOSDOMAIN

There is no virus.pem so obviously I got

samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert certs: Failed to open PEM file "/home/virusakos/Downloads/virus.pem": No such file or directory


Trying again with the correct certificate file:

/opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virusakos.pem virusakos@SERVER.CENTOSDOMAIN

Now, the error is different:

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


Any hints for the new error?
Does it sound like a configuration error or a certificate error?


Kind Regards,
Charalampos


On 7/4/12 2:39 AM, Andrew Bartlett wrote:
> On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
>> I still have no clue what's going on.
>>
>> In my attempt to find out what's happening, I found out I have done
>> neither 4.23.1 nor 4.23.2 in the Heimdal guide (
>> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )
>> So I tried 4.23.2 i.e.:
>>
>> kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR" myuser@SERVER.CENTOSDOMAIN
>>
>> and I received this error:
>>
>> kadmin: invalid option -- '-'
>>
>>
>> I then tried to do:
>>
>> kadmin
>>
>> to get into interactive mode so I can issue the modify command but I
>> receive this error:
>>
>> Authenticating as principal Administrator/admin@SERVER.CENTOSDOMAIN with password.
>> kadmin: Client not found in Kerberos database while initializing kadmin
>> interface
>>
>> I was puzzled with the Administrator/admin so next I tried:
>>
>> kadmin -pAdministrator@SERVER.CENTOSDOMAIN
>>
>> with yet another error:
>>
>> Authenticating as principal Administrator@SERVER.CENTOSDOMAIN with password.
>> kadmin: Database error! Required KADM5 principal missing while
>> initializing kadmin interface
>>
>>
>> I also tried enabling debugging by using the instructions in
>> http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html
>> but I don't see any error messages
>>
>>
>> 1) How can I enable debugging? I'm on CentOS 6.2
>> 2) According to the above, does it look like my installation is broken?
>> Or is there something I am missing?
> You can not use kadmin against Samba4 (we just don't expose the
> interfaces needed, sorry), and the configuration we test in our selftest
> doesn't need it.  This can all be done with just config file entries.
>
> Andrew Bartlett
>
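As an added example (not Samba or Heimdal code), the following Python script parses a krb5.conf in the layout used in this thread, including the `realm = { ... }` blocks and a FILE: value that a mail client has wrapped onto the next line, and compares the option names in each section against a list drawn from the thread. Run on the configuration posted in the message above, it reports exactly the two misspellings corrected in the newest message at the top of this page (`enable_pkinit` for `enable-pkinit`, `pkinit_identify` for `pkinit_identity`). The KNOWN_KEYS table is limited to the options this thread uses and is not a complete list of Heimdal's options; extend it for your own sections.

```python
"""Parse a Heimdal-style krb5.conf and flag mistyped PKINIT option names.

Added example for this thread, not Samba or Heimdal code. The option names in
KNOWN_KEYS are the ones the thread itself uses, with the two corrected
spellings (enable-pkinit, pkinit_identity) taken from the poster's own fix;
the table is illustrative, not a complete catalogue of Heimdal options.
"""
import difflib
import re

KNOWN_KEYS = {
    "libdefaults": {"default_realm", "dns_lookup_realm", "dns_lookup_kdc",
                    "allow_weak_crypto"},
    "appdefaults": {"pkinit_anchors"},
    "realms": {"pkinit_require_eku", "pkinit_require_krbtgt_otherName",
               "pkinit_win2k", "pkinit_win2k_require_binding"},
    "kdc": {"enable-pkinit", "pkinit_identity", "pkinit_anchors",
            "pkinit_win2k_require_binding", "pkinit_principal_in_certificate"},
}

# Constructed sample: the configuration posted in the thread, including its
# two typos and the FILE: value wrapped onto the following line.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = SERVER.CENTOSDOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = true

[appdefaults]
    pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem

[realms]
    SERVER.CENTOSDOMAIN = {
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = true
        pkinit_win2k = yes
        pkinit_win2k_require_binding = no
    }

[kdc]
    enable_pkinit = yes
    pkinit_identify =
FILE:/home/virusakos/Downloads/server.centosdomain.pem
    pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
    pkinit_win2k_require_binding = yes
    pkinit_principal_in_certificate = yes
"""

ASSIGN_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_krb5_conf(text):
    """Return a list of (section, path, key, value) tuples.

    `path` is the tuple of enclosing `name = { ... }` blocks, so a realm
    option comes back as ("realms", ("SERVER.CENTOSDOMAIN",), key, value).
    A key whose value is empty takes the next non-assignment line as its
    value, which is how mail clients wrap long FILE: paths.
    """
    entries, section, path, pending = [], None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, path, pending = line[1:-1], [], None
            continue
        if line == "}":
            path.pop()                           # close a nested block
            pending = None
            continue
        m = ASSIGN_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            pending = None
            if value == "{":
                path.append(key)                 # open a nested block
            elif value == "":
                pending = (section, tuple(path), key)
            else:
                entries.append((section, tuple(path), key, value))
            continue
        if pending is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        entries.append(pending + (line,))        # wrapped continuation value
        pending = None
    return entries


def lint_pkinit_keys(entries, known=KNOWN_KEYS):
    """Return (section, key, suggestion) for every key absent from `known`.

    The suggestion is the closest known name in that section, or None. As the
    thread shows, one wrong character in an option name leaves it unrecognised
    and the feature silently disabled, so close matches are worth reporting.
    """
    findings = []
    for section, _path, key, _value in entries:
        if section not in known or key in known[section]:
            continue
        close = difflib.get_close_matches(key, sorted(known[section]), n=1, cutoff=0.8)
        findings.append((section, key, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for section, key, suggestion in lint_pkinit_keys(parse_krb5_conf(SAMPLE_CONF)):
        print(f"[{section}] unknown option {key!r}, did you mean {suggestion!r}?")
```

Point `parse_krb5_conf` at the real file contents (`open("/etc/krb5.conf").read()`) to check a live configuration; an option that is valid but missing from KNOWN_KEYS shows up with suggestion `None`, which is the cue to add it to the table rather than to the list of typos.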












