[Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 & Smart card logon

Charalampos Anargyrou charalampos.anargyrou at gmail.com
Thu Jul 12 02:47:25 MDT 2012


I have finally found out that my problems had to do with wrong certificates.

The commands I used to generate the certificates were taken from 
http://k5wiki.kerberos.org/wiki/Pkinit_configuration
I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 4, 
that's why I used the instructions for OpenSSL in MIT Kerberos Wiki for 
the certificates in the first place).
Using the hxtool I created new certificates and ...
Success!

Now that Heimdal has been configured to accept PKINIT, it's time to 
configure Samba4 to know about the certificate.

Can anyone point me where to look for Samba 4 configuration options for 
PKINIT?

Kind Regards,
Charalampos


-------- Original Message --------
Subject: 	Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Thu, 05 Jul 2012 13:04:21 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	samba at lists.samba.org



Ok, I managed to solve some of my problems

I had typographic errors in my /etc/krb5.conf
Specifically I had

[kdc]
enable_pkinit = yes
pkinit_identify = 
FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem

Changed to

[kdc]
enable-pkinit = yes
pkinit_identity = 
FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem


I have also enabled debugging by stopping the samba service and starting 
samba with:

samba -i -M single -d3


Tried again to test samba4kinit with certificate with:

/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac 
--renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
virusakos at SERVER.CENTOSDOMAIN

which again produces

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

but I can at least see in the console this:

Kerberos: AS-REQ virusakos at SERVER.CENTOSDOMAIN from 
ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN at SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos at SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos at SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos at SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
virusakos at SERVER.CENTOSDOMAIN
Kerberos: AS-REQ virusakos at SERVER.CENTOSDOMAIN from 
ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN at SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos at SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos at SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos at SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
virusakos at SERVER.CENTOSDOMAIN
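As an added illustration of the silently ignored key misspellings found above (this is not code from the thread, from Samba or from Heimdal): a small Python checker that parses the [kdc] section of a krb5.conf and suggests the Heimdal option name a misspelled PKINIT key was probably meant to be. The set of valid option names is assumed from the Heimdal kdc.conf documentation, and the sample configuration is constructed to mirror the typos in this message.

```python
import difflib
import re

# Heimdal [kdc] PKINIT option names (assumed from the Heimdal kdc.conf docs).
# Note the hyphen in enable-pkinit; the other keys use underscores.
KDC_PKINIT_KEYS = {
    "enable-pkinit", "pkinit_identity", "pkinit_anchors", "pkinit_pool",
    "pkinit_revoke", "pkinit_principal_in_certificate", "pkinit_win2k_require_binding",
}
KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*?)$")

def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]}; brace blocks (per-realm) are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                 # new top-level section
            sections.setdefault(current, [])
            continue
        m = KEY_RE.match(line)
        if m and depth == 0 and current is not None and "{" not in line:
            sections[current].append((m.group(1), m.group(2)))
        depth += line.count("{") - line.count("}")   # track nested realm blocks
    return sections

def find_pkinit_typos(text):
    """Return [(bad_key, suggestion)] for pkinit-looking keys in [kdc] that are not valid."""
    typos = []
    for key, _ in parse_krb5_conf(text).get("kdc", []):
        if key in KDC_PKINIT_KEYS or "pkinit" not in key:
            continue
        # A key that is almost a valid name is most likely a typo; suggest the nearest.
        close = difflib.get_close_matches(key, KDC_PKINIT_KEYS, n=1, cutoff=0.8)
        typos.append((key, close[0] if close else None))
    return typos

# Constructed sample modelled on the mis-typed [kdc] section quoted above.
SAMPLE_KRB5_CONF = """\
[kdc]
    enable_pkinit = yes
    pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
"""

if __name__ == "__main__":
    for bad, good in find_pkinit_typos(SAMPLE_KRB5_CONF):
        print(f"[kdc] {bad}: unknown option, did you mean {good}?")
```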




-------- Original Message --------
Subject: 	Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Thu, 05 Jul 2012 12:01:13 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	samba at lists.samba.org



I've checked the source code and found out the enctypes I can test

/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac 
--renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
virusakos at SERVER.CENTOSDOMAIN

produces

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


For the rest of the enctypes

/opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 
--request-pac --renewable 
--pk-user=FILE:/home/virusakos/Downloads/client.pem 
virusakos at SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 
--request-pac --renewable 
--pk-user=FILE:/home/virusakos/Downloads/client.pem 
virusakos at SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac 
--renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
virusakos at SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac 
--renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
virusakos at SERVER.CENTOSDOMAIN

I get

samba4kinit: krb5_get_init_creds: KDC has no support for encryption type


Looking on the Internet, I found a suggestion to write

allow_weak_crypto = true

under

[libdefaults]

in /etc/krb5.conf, which I did, but I still get the same messages back


Can anyone understand what my problem could be?



-------- Original Message --------
Subject: 	Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Wed, 04 Jul 2012 20:22:12 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	samba at lists.samba.org



I have followed the instructions on 
http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created CA and 
certificates with OpenSSL
I changed the /etc/krb5.conf file to include the new CA and certificates

I still get

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping



So I thought there must be something wrong with the configuration and 
not with the certificates
I switched back to the previous configuration I was using when I was 
getting the certificate not found error but I am still getting

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


That sounds to me like there is some cache I have to clean.
Am I right?
How can I 'reset' Samba so I can start over?



-------- Original Message --------
Subject: 	Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: 	Wed, 04 Jul 2012 12:50:05 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	Andrew Bartlett <abartlet at samba.org>
CC: 	samba at lists.samba.org



I didn't know I couldn't use kadmin.
It makes sense now.


What I tried is to start with the Heimdal config from the start.
I did:

cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

to get the generated krb5.conf

Restarted Samba and checked kinit, which worked correctly.
I cleared the tickets cache with kdestroy.

I then changed /etc/krb5.conf to:

[libdefaults]
     default_realm = SERVER.CENTOSDOMAIN
     dns_lookup_realm = false
     dns_lookup_kdc = true

[appdefaults]
     pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem

[realms]
     SERVER.CENTOSDOMAIN = {
         pkinit_require_eku = true
         pkinit_require_krbtgt_otherName = true
         pkinit_win2k = yes
         pkinit_win2k_require_binding = no
     }

[kdc]
     enable_pkinit = yes
     pkinit_identify =
FILE:/home/virusakos/Downloads/server.centosdomain.pem
     pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
     pkinit_win2k_require_binding = yes
     pkinit_principal_in_certificate = yes


I created /usr/local/samba/var/heimdal/pki-mapping with contents:
virusakos at SERVER.CENTOSDOMAIN:C=GR,O=Byte Computers,CN=virusakos,UID=virusakos
virusakos at SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos


Restarted Samba and checked kinit without any options, which worked
correctly.
I cleared the tickets cache with kdestroy and then tried the following:

/opt/samba-master/bin/samba4kinit --request-pac --renewable
--pk-user=FILE:/home/virusakos/Downloads/virus.pem  
virusakos at SERVER.CENTOSDOMAIN

There is no virus.pem so obviously I got

samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert
certs: Failed to open PEM file "/home/virusakos/Downloads/virus.pem": No
such file or directory


Trying again with the correct certificate file:

/opt/samba-master/bin/samba4kinit --request-pac --renewable
--pk-user=FILE:/home/virusakos/Downloads/virusakos.pem  
virusakos at SERVER.CENTOSDOMAIN

Now, the error is different:

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


Any hints for the new error?
Does it sound like a configuration error or a certificate error?


Kind Regards,
Charalampos


On 7/4/12 2:39 AM, Andrew Bartlett wrote:
> On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
>> I still have no clue what's going on.
>>
>> In my attempt to find out what's happening, I found out I haven't done
>> neither 4.23.1 nor 4.23.2 in the Heimdal guide (
>> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )
>> So I tried 4.23.2 i.e.:
>>
>> kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR"
>> myuser at SERVER.CENTOSDOMAIN
>>
>> and I received this error:
>>
>> kadmin: invalid option -- '-'
>>
>>
>> I then tried to do:
>>
>> kadmin
>>
>> to get into interactive mode so I can issue the modify command but I
>> receive this error:
>>
>> Authenticating as principal Administrator/admin at SERVER.CENTOSDOMAIN with
>> password.
>> kadmin: Client not found in Kerberos database while initializing kadmin
>> interface
>>
>> I was puzzled with the Administrator/admin so next I tried:
>>
>> kadmin -pAdministrator at SERVER.CENTOSDOMAIN
>>
>> with yet another error:
>>
>> Authenticating as principal Administrator at SERVER.CENTOSDOMAIN with password.
>> kadmin: Database error! Required KADM5 principal missing while
>> initializing kadmin interface
>>
>>
>> I also tried enabling debugging by using the instructions in
>> http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html
>> but I don't see any error messages
>>
>>
>> 1) How can I enable debugging? I'm on CentOS 6.2
>> 2) According to the above, does it look like my installation is broken?
>> Or is there something I am missing?
> You can not use kadmin against Samba4 (we just don't expose the
> interfaces needed, sorry), and the configuration we test in our selftest
> doesn't need it.  This can all be done with just config file entries.
>
> Andrew Bartlett
>
















More information about the samba mailing list