[Samba] Samba 4 & Smart card logon

Charalampos Anargyrou charalampos.anargyrou at gmail.com
Thu Sep 20 04:31:21 MDT 2012


I would really like to make Samba 4 work with smart card logon.

Can anyone point me where to look for Samba 4 configuration options for 
PKINIT?


Kind Regards,
Charalampos



On 7/12/12 11:47 AM, Charalampos Anargyrou wrote:
>
> I have finally found out that my problems had to do with wrong 
> certificates.
>
> The commands I used to generate the certificates were taken from 
> http://k5wiki.kerberos.org/wiki/Pkinit_configuration
> I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 
> 4, that's why I used the instructions for OpenSSL in MIT Kerberos Wiki 
> for the certificates in the first place).
> Using the hxtool I created new certificates and ...
> Success!
>
> Now that Heimdal has been configured to accept PKINIT, it's time to 
> configure Samba4 to know about the certificate.
>
> Can anyone point me where to look for Samba 4 configuration options 
> for PKINIT?
>
> Kind Regards,
> Charalampos
>
>
> -------- Original Message --------
> Subject: 	Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
> Date: 	Thu, 05 Jul 2012 13:04:21 +0300
> From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To: 	samba at lists.samba.org
>
>
>
> Ok, I managed to solve some of my problems
>
> I had typographic errors in my /etc/krb5.conf
> Specifically I had
>
> [kdc]
> enable_pkinit = yes
> pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
>
> Changed to
>
> [kdc]
> enable-pkinit = yes
> pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
>
>
> I have also enabled debugging by stopping the samba service and 
> started samba with:
>
> samba -i -M single -d3
>
>
> Tried again to test samba4kinit with certificate with:
>
> /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos at SERVER.CENTOSDOMAIN
>
> which again produces
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
> but I can at least see in the console this:
>
> Kerberos: AS-REQ virusakos at SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN at SERVER.CENTOSDOMAIN
> Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
> Kerberos: Looking for PKINIT pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
> Kerberos: PKINIT: Couldn't find signers certificate
> Kerberos: Failed to decode PKINIT PA-DATA -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: Looking for ENC-TS pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: AS-REQ virusakos at SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN at SERVER.CENTOSDOMAIN
> Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
> Kerberos: Looking for PKINIT pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
> Kerberos: PKINIT: Couldn't find signers certificate
> Kerberos: Failed to decode PKINIT PA-DATA -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: Looking for ENC-TS pa-data -- virusakos at SERVER.CENTOSDOMAIN
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos at SERVER.CENTOSDOMAIN
>
>
>
>
> -------- Original Message --------
> Subject: 	Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
> Date: 	Thu, 05 Jul 2012 12:01:13 +0300
> From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To: 	samba at lists.samba.org
>
>
>
> I've checked the source code and found out the enctypes I can test
>
> /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos at SERVER.CENTOSDOMAIN
>
> produces
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
>
> For the rest of the enctypes
>
> /opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos at SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos at SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos at SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos at SERVER.CENTOSDOMAIN
>
> I get
>
> samba4kinit: krb5_get_init_creds: KDC has no support for encryption type
>
>
> Looking on the Internet, I found a suggestion to write
>
> allow_weak_crypto = true
>
> under
>
> [libdefaults]
>
> in /etc/krb5.conf, which I did, but I still get the same messages back
>
>
> Can anyone understand what could be my problem?
>
>
>
> -------- Original Message --------
> Subject: 	Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
> Date: 	Wed, 04 Jul 2012 20:22:12 +0300
> From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To: 	samba at lists.samba.org
>
>
>
> I have followed the instructions on 
> http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created CA 
> and certificates with OpenSSL
> I changed the /etc/krb5.conf file to include the new CA and certificates
>
> I still get
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
>
> So I thought there must be something wrong with the configuration and 
> not with the certificates
> I switched back to the previous configuration I was using when I was 
> getting the certificate not found error but I am still getting
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
> That sounds to me that there is some cache I have to clean.
> Am I right?
> How can I 'reset' Samba so I can start over?
>
>
>
> -------- Original Message --------
> Subject: 	Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
> Date: 	Wed, 04 Jul 2012 12:50:05 +0300
> From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
> To: 	Andrew Bartlett <abartlet at samba.org>
> CC: 	samba at lists.samba.org
>
>
>
> I didn't know I couldn't use kadmin.
> It makes sense now.
>
>
> What I tried is to start with Heimdal config from the start.
> I did:
>
> cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
>
> to get the generated krb5.conf
>
> Restarted Samba and checked kinit, which worked correctly.
> I cleared the tickets cache with kdestroy.
>
> I then changed /etc/krb5.conf to:
>
> [libdefaults]
>      default_realm = SERVER.CENTOSDOMAIN
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>
> [appdefaults]
>      pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
>
> [realms]
>      SERVER.CENTOSDOMAIN = {
>          pkinit_require_eku = true
>          pkinit_require_krbtgt_otherName = true
>          pkinit_win2k = yes
>          pkinit_win2k_require_binding = no
>      }
>
> [kdc]
>      enable_pkinit = yes
>      pkinit_identify = FILE:/home/virusakos/Downloads/server.centosdomain.pem
>      pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
>      pkinit_win2k_require_binding = yes
>      pkinit_principal_in_certificate = yes
>
>
> I created /usr/local/samba/var/heimdal/pki-mapping with contents:
> virusakos at SERVER.CENTOSDOMAIN:C=GR,O=Byte Computers,CN=virusakos,UID=virusakos
> virusakos at SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos
>
>
> Restarted Samba and checked kinit without any options, which worked
> correctly.
> I cleared the tickets cache with kdestroy and then tried the following:
>
> /opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virus.pem virusakos at SERVER.CENTOSDOMAIN
>
> There is no virus.pem so obviously I got
>
> samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert certs: Failed to open PEM file "/home/virusakos/Downloads/virus.pem": No such file or directory
>
>
> Trying again with the correct certificate file:
>
> /opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virusakos.pem virusakos at SERVER.CENTOSDOMAIN
>
> Now, the error is different:
>
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
>
> Any hints for the new error?
> Does it sound like a configuration error or a certificate error?
>
>
> Kind Regards,
> Charalampos
>
>
> On 7/4/12 2:39 AM, Andrew Bartlett wrote:
> > On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
> >> I still have no clue what's going on.
> >>
> >> In my attempt to find out what's happening, I found out I had done
> >> neither 4.23.1 nor 4.23.2 in the Heimdal guide (
> >>http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html  )
> >> So I tried 4.23.2 i.e.:
> >>
> >> kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR" myuser at SERVER.CENTOSDOMAIN
> >>
> >> and I received this error:
> >>
> >> kadmin: invalid option -- '-'
> >>
> >>
> >> I then tried to do:
> >>
> >> kadmin
> >>
> >> to get into interactive mode so I can issue the modify command but I
> >> receive this error:
> >>
> >> Authenticating as principal Administrator/admin at SERVER.CENTOSDOMAIN with password.
> >> kadmin: Client not found in Kerberos database while initializing kadmin interface
> >>
> >> I was puzzled with the Administrator/admin so next I tried:
> >>
> >> kadmin -pAdministrator at SERVER.CENTOSDOMAIN
> >>
> >> with yet another error:
> >>
> >> Authenticating as principal Administrator at SERVER.CENTOSDOMAIN with password.
> >> kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
> >>
> >>
> >> I also tried enabling debugging by using the instructions in
> >>http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html
> >> but I don't see any error messages
> >>
> >>
> >> 1) How can I enable debugging? I'm on CentOS 6.2
> >> 2) According to the above, does it look like my installation is broken?
> >> Or is there something I am missing?
> > You can not use kadmin against Samba4 (we just don't expose the
> > interfaces needed, sorry), and the configuration we test in our selftest
> > doesn't need it.  This can all be done with just config file entries.
> >
> > Andrew Bartlett
> >
>
>
>
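The two misspellings that held this thread up (enable_pkinit for enable-pkinit, pkinit_identify for pkinit_identity) fail silently: Heimdal simply never looks up a [kdc] key it does not know, so PKINIT stays off and the KDC answers PREAUTH-REQUIRED with no hint why. The Python below is an added example, not code from Samba or Heimdal, that parses a Heimdal-style krb5.conf and reports [kdc] keys that look like PKINIT options but are not spelled the way Heimdal reads them, plus missing essentials and FILE: paths that do not exist. The accepted-key list is the [kdc] PKINIT option set as documented in Heimdal's kdc.conf man page to the best of my knowledge; treat it as an assumption and check it against the Heimdal bundled with your Samba build. The embedded samples are the [kdc] block as first posted above and a corrected version.

```python
"""Lint the [kdc] PKINIT settings of a Heimdal-style krb5.conf.

Added example, not Samba or Heimdal code. KDC_PKINIT_KEYS is the [kdc]
PKINIT option set as documented in Heimdal's kdc.conf man page, to the best
of this example's author's knowledge (assumption: verify against the
Heimdal version bundled with your Samba build).
"""
import difflib
import os
import re
from typing import Any, Callable, Dict, List

# Note the hyphen in enable-pkinit and the "-ity" in pkinit_identity: both
# were mistyped in the post, and Heimdal silently ignores keys it does not know.
KDC_PKINIT_KEYS = {
    "enable-pkinit", "pkinit_identity", "pkinit_anchors", "pkinit_pool",
    "pkinit_revoke", "pkinit_principal_in_certificate",
    "pkinit_win2k_require_binding", "pkinit_allow_proxy_certificate",
    "pkinit_dh_min_bits", "pkinit_mappings_file",
}

Section = Dict[str, List[Any]]          # key -> [value | nested Section, ...]
_SECTION_RE = re.compile(r"^\[(\S+)\]$")
_ASSIGN_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse [section] headers, key = value lines and nested key = { ... } blocks.

    Only the first '=' splits a line (a DN or FILE:cert,key may contain '=');
    '#' and ';' start comments; repeated keys are kept in order.
    """
    sections: Dict[str, Section] = {}
    stack: List[Section] = []            # innermost block last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = _ASSIGN_RE.match(line)
        if not m or not stack:
            continue                     # junk, or an assignment before any [section]
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "{":
            block: Section = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def _is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "y", "t", "1"}


def _file_paths(identity: str) -> List[str]:
    """Paths named by a Heimdal FILE:cert[,key] identity; other stores are skipped."""
    if not identity.upper().startswith("FILE:"):
        return []
    return [p.strip() for p in identity[5:].split(",") if p.strip()]


def lint_kdc_pkinit(conf_text: str,
                    file_exists: Callable[[str], bool] = os.path.exists) -> Dict[str, Any]:
    """Report near-miss key names, missing essentials and absent FILE: paths in [kdc]."""
    kdc = parse_krb5_conf(conf_text).get("kdc", {})
    suggestions: Dict[str, str] = {}
    problems: List[str] = []
    missing_files: List[str] = []

    for key in kdc:
        if key not in KDC_PKINIT_KEYS and "pkinit" in key.lower():
            close = difflib.get_close_matches(key, sorted(KDC_PKINIT_KEYS), n=1, cutoff=0.6)
            suggestions[key] = close[0] if close else "(no close match)"

    enabled = [v for v in kdc.get("enable-pkinit", []) if isinstance(v, str)]
    if not enabled or not _is_true(enabled[-1]):
        problems.append("enable-pkinit is not set to yes in [kdc]")
    for needed in ("pkinit_identity", "pkinit_anchors"):
        if needed not in kdc:
            problems.append(f"{needed} missing from [kdc]")
        for value in kdc.get(needed, []):
            if isinstance(value, str):
                missing_files += [p for p in _file_paths(value) if not file_exists(p)]
    return {"suggestions": suggestions, "problems": problems, "missing_files": missing_files}


# Constructed sample: the [kdc] block as first posted above (both typos present).
BROKEN_CONF = """\
[kdc]
enable_pkinit = yes
pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
"""

# Same block with the spellings Heimdal reads, plus the anchors the KDC needs
# to verify a client's PKINIT certificate (paths from the post, assumed).
FIXED_CONF = """\
[kdc]
    enable-pkinit = yes
    pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
    pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
"""

if __name__ == "__main__":
    for name, conf in (("as posted", BROKEN_CONF), ("corrected", FIXED_CONF)):
        print(name, lint_kdc_pkinit(conf))
```

Run it against the real /etc/krb5.conf with `lint_kdc_pkinit(open("/etc/krb5.conf").read())`; the `file_exists` parameter exists so the path check can be stubbed in tests or run as the samba user, which is the account that actually has to open those PEM files.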
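The KDC console output quoted above is the server-side half of the client's "Already tried pkinit, looping": the client offers PK-INIT, hx509 on the KDC cannot chain the certificate that signed the AS-REQ to any trusted CA ("No signers where found", "Couldn't find signers certificate"), the PKINIT PA-DATA is discarded, no other pre-authentication is present, and the KDC answers PREAUTH-REQUIRED; the client has already done PKINIT, so it gives up instead of looping. The Python below is an added example, not Samba or Heimdal code, that turns that `samba -i -M single -d3` output into one record per AS-REQ and classifies it. The sample lines are the ones from the post with the mail wrapping undone and "@" restored where the list archive prints " at "; the regexes are fitted to those lines and may need adjusting for other Heimdal versions (assumption), and the diagnosis labels are this example's own.

```python
"""Triage Heimdal KDC debug output (samba -i -M single -d3) for PKINIT failures.

Added example, not Samba or Heimdal code. The patterns are fitted to the
lines printed in the post and may need adjusting for other Heimdal versions
(assumption).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AS_REQ_RE = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)$")
PATYPES_RE = re.compile(r"^Kerberos: Client sent patypes: (.*)$")
PKINIT_ERR_RE = re.compile(r"^Kerberos: PKINIT: (.*)$")
PREAUTH_REQ_RE = re.compile(r"^Kerberos: No preauth found, returning PREAUTH-REQUIRED")


@dataclass
class AsReq:
    """One AS-REQ as the KDC saw it: who, from where, what pre-auth, what result."""
    client: str
    source: str
    service: str
    patypes: List[str] = field(default_factory=list)
    pkinit_errors: List[str] = field(default_factory=list)
    outcome: Optional[str] = None

    @property
    def offered_pkinit(self) -> bool:
        return any(p.startswith("PK-INIT") for p in self.patypes)


def parse_kdc_log(text: str) -> List[AsReq]:
    """Group the KDC's per-request lines into AsReq records, in arrival order."""
    reqs: List[AsReq] = []
    cur: Optional[AsReq] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = AS_REQ_RE.match(line)
        if m:
            cur = AsReq(*m.groups())
            reqs.append(cur)
            continue
        if cur is None:
            continue                      # noise before the first AS-REQ
        m = PATYPES_RE.match(line)
        if m:
            cur.patypes = [p.strip() for p in m.group(1).split(",")]
            continue
        m = PKINIT_ERR_RE.match(line)
        if m:
            cur.pkinit_errors.append(m.group(1))
            continue
        if PREAUTH_REQ_RE.match(line):
            cur.outcome = "PREAUTH-REQUIRED"
    return reqs


def diagnose(req: AsReq) -> str:
    """Classify one request; the labels are this example's own, not Heimdal's."""
    if not req.offered_pkinit:
        return "no-pkinit-offered"        # client never tried PKINIT: look at --pk-user first
    if any("signers" in e for e in req.pkinit_errors):
        # hx509 could not chain the cert that signed the AS-REQ to a CA in the
        # KDC's pkinit_anchors/pkinit_pool, so the PA-DATA was thrown away.
        return "client-cert-not-trusted"
    if req.outcome == "PREAUTH-REQUIRED":
        return "pkinit-rejected"          # parsed, but refused for some other reason
    return "accepted-or-unknown"


def rejection_counts(reqs: List[AsReq]) -> Dict[str, int]:
    """Per client: how often PKINIT was dropped and PREAUTH-REQUIRED returned.
    Two in a row from the same client is the KDC's view of the client's
    "Already tried pkinit, looping"."""
    counts: Dict[str, int] = {}
    for r in reqs:
        if r.offered_pkinit and r.outcome == "PREAUTH-REQUIRED":
            counts[r.client] = counts.get(r.client, 0) + 1
    return counts


# Constructed sample: the console lines from the post, mail wrapping undone and
# "@" restored where the list archive prints " at ".
SAMPLE_KDC_LOG = """\
Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
"""

if __name__ == "__main__":
    requests = parse_kdc_log(SAMPLE_KDC_LOG)
    for r in requests:
        print(r.source, r.patypes, diagnose(r))
    print(rejection_counts(requests))
```

The useful split is between "no-pkinit-offered" (the client side never sent PK-INIT, so look at --pk-user and the client's pkinit_anchors) and "client-cert-not-trusted" (the client did everything right and the KDC's anchors or the certificate chain are wrong, which is where this thread ended up).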