[Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 & Smart card logon

Gémes Géza geza at kzsdabas.hu
Thu Jul 12 10:52:08 MDT 2012


On 2012-07-12 10:47, Charalampos Anargyrou wrote:
>
> I have finally found out that my problems had to do with wrong 
> certificates.
>
> The commands I used to generate the certificates were taken from 
> http://k5wiki.kerberos.org/wiki/Pkinit_configuration
> I downloaded and built Heimdal 1.5.2 (I couldn't find hxtool in samba 
> 4, that's why I used the instructions for OpenSSL in MIT Kerberos Wiki 
> for the certificates in the first place).
> Using the hxtool I created new certificates and ...
> Success!
>
> Now that Heimdal has been configured to accept PKINIT, it's time to 
> configure Samba4 to know about the certificate.
>
> Can anyone point me where to look for Samba 4 configuration options 
> for PKINIT?
>
> Kind Regards,
> Charalampos
>
>
> -------- Original Message --------
> Subject:     Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card 
> logon
> Date:     Thu, 05 Jul 2012 13:04:21 +0300
> From:     Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To:     samba at lists.samba.org
>
>
>
> Ok, I managed to solve some of my problems
>
> I had typographic errors in my /etc/krb5.conf
> Specifically I had
>
> [kdc]
> enable_pkinit = yes
> pkinit_identify = 
> FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
>
> Changed to
>
> [kdc]
> enable-pkinit = yes
> pkinit_identity = 
> FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
>
>
> I have also enabled debugging by stopping the samba service and 
> started samba with:
>
> samba -i -M single -d3
>
>
> Tried again to test samba4kinit with certificate with:
>
> /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac 
> --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
> virusakos at SERVER.CENTOSDOMAIN
>
> which again produces
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
> but I can at least see in the console this:
>
> Kerberos: AS-REQ virusakos at SERVER.CENTOSDOMAIN from 
> ipv4:172.16.9.134:49289 for 
> krbtgt/SERVER.CENTOSDOMAIN at SERVER.CENTOSDOMAIN
> Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
> Kerberos: Looking for PKINIT pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: PKINIT: failed to verify signature: No signers where found: 
> 569890
> Kerberos: PKINIT: Couldn't find signers certificate
> Kerberos: Failed to decode PKINIT PA-DATA -- 
> virusakos at SERVER.CENTOSDOMAIN
> Kerberos: Looking for ENC-TS pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
> virusakos at SERVER.CENTOSDOMAIN
> Kerberos: AS-REQ virusakos at SERVER.CENTOSDOMAIN from 
> ipv4:172.16.9.134:44976 for 
> krbtgt/SERVER.CENTOSDOMAIN at SERVER.CENTOSDOMAIN
> Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
> Kerberos: Looking for PKINIT pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: PKINIT: failed to verify signature: No signers where found: 
> 569890
> Kerberos: PKINIT: Couldn't find signers certificate
> Kerberos: Failed to decode PKINIT PA-DATA -- 
> virusakos at SERVER.CENTOSDOMAIN
> Kerberos: Looking for ENC-TS pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
> virusakos at SERVER.CENTOSDOMAIN
>
>
>
>
> -------- Original Message --------
> Subject:     Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
> Date:     Thu, 05 Jul 2012 12:01:13 +0300
> From:     Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To:     samba at lists.samba.org
>
>
>
> I've checked the source code and found out the enctypes I can test
>
> /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac 
> --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
> virusakos at SERVER.CENTOSDOMAIN
>
> produces
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
>
> For the rest of the enctypes
>
> /opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 
> --request-pac --renewable 
> --pk-user=FILE:/home/virusakos/Downloads/client.pem 
> virusakos at SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 
> --request-pac --renewable 
> --pk-user=FILE:/home/virusakos/Downloads/client.pem 
> virusakos at SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac 
> --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
> virusakos at SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac 
> --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem 
> virusakos at SERVER.CENTOSDOMAIN
>
> I get
>
> samba4kinit: krb5_get_init_creds: KDC has no support for encryption type
>
>
> Looking on the Internet, I found a suggestion to write
>
> allow_weak_crypto = true
>
> under
>
> [libdefaults]
>
> in /etc/krb5.conf, which I did, but I still get the same messages back
>
>
> Can anyone understand what could be my problem?
>
>
>
> -------- Original Message --------
> Subject:     Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
> Date:     Wed, 04 Jul 2012 20:22:12 +0300
> From:     Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To:     samba at lists.samba.org
>
>
>
> I have followed the instructions on 
> http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created CA 
> and certificates with OpenSSL
> I changed the /etc/krb5.conf file to include the new CA and certificates
>
> I still get
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
>
>
> So I thought there must be something wrong with the configuration and 
> not with the certificates
> I switched back to the previous configuration I was using when I was 
> getting the certificate not found error but I am still getting
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
>
> That sounds to me like there is some cache I have to clean.
> Am I right?
> How can I 'reset' Samba so I can start over?
>
>
>
> -------- Original Message --------
> Subject:     Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
> Date:     Wed, 04 Jul 2012 12:50:05 +0300
> From:     Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To:     Andrew Bartlett <abartlet at samba.org>
> CC:     samba at lists.samba.org
>
>
>
> I didn't know I couldn't use kadmin.
> It makes sense now.
>
>
> What I tried is to start with the Heimdal config from the start.
> I did:
>
> cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
>
> to get the generated krb5.conf
>
> Restarted Samba and checked kinit, which worked correctly.
> I cleared the tickets cache with kdestroy.
>
> I then changed /etc/krb5.conf to:
>
> [libdefaults]
>     default_realm = SERVER.CENTOSDOMAIN
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> [appdefaults]
>     pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
>
> [realms]
>     SERVER.CENTOSDOMAIN = {
>         pkinit_require_eku = true
>         pkinit_require_krbtgt_otherName = true
>         pkinit_win2k = yes
>         pkinit_win2k_require_binding = no
>     }
>
> [kdc]
>     enable_pkinit = yes
>     pkinit_identify =
> FILE:/home/virusakos/Downloads/server.centosdomain.pem
>     pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
>     pkinit_win2k_require_binding = yes
>     pkinit_principal_in_certificate = yes
>
>
> I created /usr/local/samba/var/heimdal/pki-mapping with contents:
> virusakos at SERVER.CENTOSDOMAIN:C=GR,O=Byte 
> Computers,CN=virusakos,UID=virusakos
> virusakos at SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos
>
>
> Restarted Samba and checked kinit without any options, which worked
> correctly.
> I cleared the tickets cache with kdestroy and then tried the following:
>
> /opt/samba-master/bin/samba4kinit --request-pac --renewable
> --pk-user=FILE:/home/virusakos/Downloads/virus.pem 
> virusakos at SERVER.CENTOSDOMAIN
>
> There is no virus.pem so obviously I got
>
> samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert
> certs: Failed to open PEM file "/home/virusakos/Downloads/virus.pem": No
> such file or directory
>
>
> Trying again with the correct certificate file:
>
> /opt/samba-master/bin/samba4kinit --request-pac --renewable
> --pk-user=FILE:/home/virusakos/Downloads/virusakos.pem 
> virusakos at SERVER.CENTOSDOMAIN
>
> Now, the error is different:
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
>
> Any hints for the new error?
> Does it sound like a configuration error or a certificate error?
>
>
> Kind Regards,
> Charalampos
>
>
> On 7/4/12 2:39 AM, Andrew Bartlett wrote:
>> On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
>>> I still have no clue what's going on.
>>>
>>> In my attempt to find out what's happening, I found out I had done
>>> neither 4.23.1 nor 4.23.2 in the Heimdal guide (
>>> http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html 
>>> )
>>> So I tried 4.23.2 i.e.:
>>>
>>> kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR"
>>> myuser at SERVER.CENTOSDOMAIN
>>>
>>> and I received this error:
>>>
>>> kadmin: invalid option -- '-'
>>>
>>>
>>> I then tried to do:
>>>
>>> kadmin
>>>
>>> to get into interactive mode so I can issue the modify command but I
>>> receive this error:
>>>
>>> Authenticating as principalAdministrator/admin at SERVER.CENTOSDOMAIN  
>>> with
>>> password.
>>> kadmin: Client not found in Kerberos database while initializing kadmin
>>> interface
>>>
>>> I was puzzled with the Administrator/admin so next I tried:
>>>
>>> kadmin -pAdministrator at SERVER.CENTOSDOMAIN
>>>
>>> with yet another error:
>>>
>>> Authenticating as principalAdministrator at SERVER.CENTOSDOMAIN with 
>>> password.
>>> kadmin: Database error! Required KADM5 principal missing while
>>> initializing kadmin interface
>>>
>>>
>>> I also tried enabling debugging by using the instructions in
>>> http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html 
>>>
>>> but I don't see any error messages
>>>
>>>
>>> 1) How can I enable debugging? I'm on CentOS 6.2
>>> 2) According to the above, does it look like my installation is broken?
>>> Or is there something I am missing?
>> You can not use kadmin against Samba4 (we just don't expose the
>> interfaces needed, sorry), and the configuration we test in our selftest
>> doesn't need it.  This can all be done with just config file entries.
>>
>> Andrew Bartlett
>>
>
>
Hi,

IMHO the Heimdal Kerberos included in Samba4 reads and conforms to 
settings in the traditional krb5.conf. The provision script generates one 
in the private subdirectory. Just to be on the safe side I've symlinked 
it to /etc. This way I can be sure that everything on the Samba4 box 
uses the same Kerberos settings.

Regards

Geza Gemes
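The misspelled [kdc] keys quoted earlier in this thread (pkinit_identify for pkinit_identity, enable_pkinit for enable-pkinit) produced no error from the KDC, which is why they took days to find. As an added example, not code from the thread or from Samba, here is a small linter that reads the [kdc] section of a krb5.conf and flags keys that are not in a list of documented Heimdal PKINIT key names; the key list is an assumption limited to the PKINIT-related keys as spelled in Heimdal's kdc.conf documentation and in this thread, and the sample configs are constructed.

```python
import difflib
import re

# [kdc] keys as spelled in Heimdal's kdc.conf documentation. Assumption:
# only the PKINIT-related subset relevant to this thread is listed.
KDC_KEYS = sorted({
    "enable-pkinit", "pkinit_identity", "pkinit_anchors", "pkinit_pool",
    "pkinit_revoke", "pkinit_win2k_require_binding",
    "pkinit_principal_in_certificate", "pkinit_mappings_file",
})
SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")


def kdc_keys(conf_text):
    """Return the key names that appear in the [kdc] section, in order."""
    section, keys = None, []
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Wrapped value continuations have no '='; only key names matter here.
        if section == "kdc" and "=" in line:
            keys.append(line.split("=", 1)[0].strip())
    return keys


def lint_kdc_section(conf_text):
    """Return (unknown_key, suggested_spelling) pairs for the [kdc] section."""
    problems = []
    for key in kdc_keys(conf_text):
        if key in KDC_KEYS:
            continue
        # The KDC reports nothing for a key it does not know, so a near miss
        # means the setting silently never took effect; suggest a spelling.
        close = difflib.get_close_matches(key, KDC_KEYS, n=1, cutoff=0.6)
        problems.append((key, close[0] if close else None))
    return problems


# Constructed samples modelled on the two [kdc] blocks quoted in the thread.
BROKEN = """[kdc]
enable_pkinit = yes
pkinit_identify = FILE:/path/kdc.pem,/path/kdckey.pem
"""
FIXED = BROKEN.replace("enable_pkinit", "enable-pkinit") \
              .replace("pkinit_identify", "pkinit_identity")

if __name__ == "__main__":
    print("broken:", lint_kdc_section(BROKEN), "fixed:", lint_kdc_section(FIXED))
```

Run it against the real /etc/krb5.conf (or the provisioned copy under the Samba private directory) before chasing certificate errors; a non-empty result explains a KDC that ignores PKINIT settings without complaint.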

