[Samba] SAMBA 4 DC and Smartcard authentication

Marcelo Andrade mrrandrade at gmail.com
Mon Aug 24 21:16:08 UTC 2015


Hey folks!

I'm working on putting together a SAMBA 4 DC for smartcard login on our
workstations. Followed guidelines on
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login and obviously
everything works out fine!

So, after that, I went the next step: one of our requisites is to use
'real' officially provided certificates on our usb tokens.

With one of our official CAs, everything works fine, I can login normally
and I get this on log.samba from samba's Kerberos daemon:

...
  Kerberos: AS-REQ username\@domain at DOMAIN from ipv4:192.168.1.69:53053 for krbtgt/DOMAIN at DOMAIN
  Kerberos: Client sent patypes: PK-INIT(win2k), OCSP, 132, 128
  Kerberos: Looking for PKINIT pa-data -- username\@domain at DOMAIN
  Kerberos: PK-INIT request of type PK-INIT-Win2k
  Kerberos: Trying to authorize PK-INIT subject DN CN=USER FULL NAME,OU=Enterprise2,OU=Enterprise 1,OU=AC,O=Entity,C=CO
...
  Kerberos: found MS UPN SAN: username at domain
...
  Kerberos: PKINIT pre-authentication succeeded -- username\@domain at DOMAIN using CN=USER FULL NAME,OU=Enterprise2,OU=Enterprise 1,OU=AC,O=Entity,C=CO
...


For this first type of certificate, the UPN field is username at domain.

Unfortunately, certificates that were generated with the other CA can't
login. Kerberos logs give me this:

...
  Kerberos: AS-REQ userid\@domain at DOMAIN from ipv4:192.168.1.69:51088 for krbtgt/DOMAIN at DOMAIN
  Kerberos: Client sent patypes: PK-INIT(win2k), OCSP, 132, 128
  Kerberos: PK-INIT request of type PK-INIT-Win2k
  Kerberos: Trying to authorize PK-INIT subject DN CN=FULL USER NAME:userid,OU=EnterpriseB,OU=Enterprise A,OU=AC-client,O=Entity,C=CO
...
  Kerberos: Decode of MS-UPN-SAN failed
...
  Kerberos: PKINIT no matching principals for CN=FULL USER NAME:userid,OU=EnterpriseB,OU=Enterprise A,OU=AC-client,O=Entity,C=CO


So, this one is a bit different:
- the UPN is coded to be userid at domain instead of username at domain.
- the certificate name is set to 'FULL USER NAME:userid' instead of just
plain 'FULL USER NAME'.

Which isn't a problem, because I set the userPrincipalName accordingly, as
well as set the DN to 'FULL USER NAME:userid' for those using the second
type of token.

Unfortunately, for some reason I'm getting 'no matching principals' for the
other user.

When I got this exact error before, it was caused by a mismatch of the
certificate's name when compared with the user entry's DN. But they match
('FULL USER NAME:userid').

Only difference in logs is the 'Decode of MS-UPN-SAN failed'. I'm trying to
extract more info from SAMBA, but log level 10 will give me nothing else
from kerberos.

Is there a way to extract more debugging info from the kerberos internals
to understand what is going on? Or any tips on places I should be looking
for?
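One thing worth checking on the second CA's certificates, as an added stdlib Python example (not from the post or from Samba): Heimdal's KDC decodes the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) as `MS-UPN-SAN ::= UTF8String`, so a token whose UPN value is carried as an IA5String or PrintableString is one way to get "Decode of MS-UPN-SAN failed" even though the UPN text itself matches the account. The two subjectAltName blobs below are constructed here to model the two CAs; the parser accepts any GeneralNames DER.

```python
# Added example (not from the post): stdlib-only check of how the Microsoft UPN
# otherName is encoded in a subjectAltName. Heimdal expects the inner value to
# be a UTF8String (tag 0x0C); the sample SAN blobs below are constructed here.

UPN_OID_DER = bytes.fromhex("060a2b060104018237140203")  # OID 1.3.6.1.4.1.311.20.2.3
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}

def _tlv(tag, body):
    """DER tag-length-value encoder for short bodies (< 128 bytes, enough for samples)."""
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos] (short or long length form); return (tag, body, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_san(upn, inner_tag=0x0C, email=None):
    """Build a GeneralNames DER with one UPN otherName and an optional rfc822Name."""
    other = UPN_OID_DER + _tlv(0xA0, _tlv(inner_tag, upn.encode("utf-8")))
    names = _tlv(0xA0, other)                        # [0] IMPLICIT OtherName
    if email:
        names += _tlv(0x81, email.encode("ascii"))   # [1] IMPLICIT IA5String
    return _tlv(0x30, names)

def check_upn_san(san_der):
    """Return [(upn, inner string type, acceptable_for_heimdal)] per UPN otherName."""
    outer, body, _ = _read_tlv(san_der, 0)
    if outer != 0x30:
        raise ValueError("not a GeneralNames SEQUENCE")
    report, pos = [], 0
    while pos < len(body):
        tag, name, pos = _read_tlv(body, pos)
        if tag != 0xA0 or not name.startswith(UPN_OID_DER):
            continue                                 # some other GeneralName
        _, explicit, _ = _read_tlv(name, len(UPN_OID_DER))  # [0] EXPLICIT wrapper
        inner_tag, value, _ = _read_tlv(explicit, 0)
        report.append((value.decode("utf-8", "replace"),
                       TAG_NAMES.get(inner_tag, hex(inner_tag)),
                       inner_tag == 0x0C))
    return report

# Constructed samples: a UTF8String UPN like the working CA, and an IA5String UPN.
GOOD_SAN = build_san("username@domain")
BAD_SAN = build_san("userid@domain", inner_tag=0x16, email="userid@domain")
```

On a real token certificate the same DER can be obtained with the `cryptography` package via `cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.public_bytes()` (cryptography 36 or later) and passed to `check_upn_san`.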

