[Samba] Smart Card Login on Windows 10 Issue

A Bee abee.c7527 at gmail.com
Tue Nov 21 13:22:16 UTC 2017


Hi,

I'm trying to set up smart card logon on my machine:
Windows 10 Pro with Samba as AD DC on a VM (Ubuntu Server 16.04.3 LTS 64bit)
I followed the tutorial on the wiki and authentication works fine, I can
log in as Administrator or as a user (config is below) with their password.

Then I tried to set up smart card login, using the wiki tutorial. When I
try to log in with the smart card, I get an "Remote Procedure Call
failure". On the Samba logs, it says the user managed to authenticate:

> PK-INIT request of type Pk-INIT-Win2k
> Found MS UPN SAM
> Found matching MS UPN SAM in certificate
> PK-INIT pre-authentication succeeded
> AS-REQ authtime : ...
> TGS-REQ authtime: ...
>

But Windows then restarts by itself. It says "lsass.exe has crashed", and
more specifically "A Kerberos security package specific error occurred.
Exception info in the data". (Where are the details?)

I can authenticate using passwords, I can use RSAT (ACDU, Computer
Management), I can use shared folders, I can use Roaming Profile. But for
some reason, there's a problem when I log in using my smart card. I know it
can work, because I already did it with a Windows 7 machine.

Thanks for your help

A.


Result of testparm -s:

> # Global parameters
> [global]
>     workgroup = SMBDOMAIN
>     realm = SMBDOMAIN.MYDOMAIN.LAN
>     interfaces = lo enp0s3
>     bind interfaces only = Yes
>     server role = active directory domain controller
>     passdb backend = samba_dsdb
>     template homedir = /home/%U
>     template shell = /bin/bash
>     dns forwarder = 172.16.1.254
>     tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
>     tls certfile = /var/lib/samba/private/tls/dc-cert.pem
>     tls cafile = /var/lib/samba/private/tls/cacert.pem
>     tls crlfile = /var/lib/samba/private/tls/authserver.crl
>     tls dh params file = /var/lib/samba/private/tls/dcdhparams.pem
>     rpc_server:tcpip = no
>     rpc_daemon:spoolssd = embedded
>     rpc_server:spoolss = embedded
>     rpc_server:winreg = embedded
>     rpc_server:ntsvcs = embedded
>     rpc_server:eventlog = embedded
>     rpc_server:srvsvc = embedded
>     rpc_server:svcctl = embedded
>     rpc_server:default = external
>     winbindd:use external pipes = true
>     idmap_ldb:use rfc2307 = yes
>     idmap config * : backend = tdb
>     smb encrypt = if_required
>     map archive = No
>     map readonly = no
>     store dos attributes = Yes
>     vfs objects = dfs_samba4 acl_xattr
> [netlogon]
>     path = /var/lib/samba/sysvol/smbdomain.mydomain.lan/scripts
>     read only = No
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> [Data]
>     path = /srv/samba/Data
>     read only = No
> [profiles]
>     path = /var/lib/samba/profiles
>     read only = No
>

(Testing my configuration, DNS and Kerberos are ok)
