[Samba] Revocation with CRL doesn't work for smartcards

Peter L plings1967 at gmail.com
Thu Sep 21 11:01:12 UTC 2017

I have a smartcard which is revoked in the Certificate Revocation List
(CRL) but I can still log in. Seems like the CRL check is not performed. Any
known bug around this?

Server setup:
- Samba 4.4 on Debian as AD DC
- Created domain MYDOM
- smb.conf (extract):
    tls enabled = yes
    tls crlfile = tls/mycrl.pem (default is to look under private/ folder)

Client setup:
- Windows 7 machine as client
- Joined to the MYDOM domain
- Login ok with both username/password and smartcards

Smart card:
- Principal name test123 at mydom.com (extended attribute)
- Certificate with serial number 0x12ab

- In file system: ..../private/tls/mycrl.pem
- Contains serial number 0x12ab
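
A check that can be run on the DC to confirm what a CRL file like the one described above actually lists and whether it is still within its validity window. This is an added example, not part of the original post and not Samba code; the function names and the sample CRL text are constructed. It parses the output of `openssl crl -noout -text` and assumes GNU `date`.

```shell
#!/bin/sh
# Each function reads the text form of a CRL on stdin, for example:
#   openssl crl -in private/tls/mycrl.pem -noout -text | crl_revocation_date 0x12ab

# Normalize a serial: drop "0x" and colons, upper-case, strip leading zeros.
norm_serial() {
    printf '%s' "$1" | sed -e 's/^0[xX]//' | tr -d ':' | tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# Print the revocation date of the given serial; exit 1 if it is not listed.
crl_revocation_date() {
    want=$(norm_serial "$1")
    awk -v want="$want" '
        /^[[:space:]]*Serial Number:/ {
            s = toupper($3); sub(/^0+/, "", s)
            hit = (s == want)
            next
        }
        hit && /Revocation Date:/ {
            sub(/^[[:space:]]*Revocation Date:[[:space:]]*/, "")
            print; found = 1; exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# Print the CRL's "Next Update" field.
crl_next_update() {
    sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1
}

# Succeed if "Next Update" is later than the given epoch (default: now).
crl_is_current() {
    now=${1:-$(date +%s)}
    nu=$(crl_next_update)
    [ -n "$nu" ] && [ "$(date -u -d "$nu" +%s)" -gt "$now" ]
}

# Constructed sample in the layout printed by `openssl crl -noout -text`.
sample_crl_text() {
    cat <<'EOF'
Certificate Revocation List (CRL):
        Last Update: Sep 20 00:00:00 2017 GMT
        Next Update: Oct 20 00:00:00 2017 GMT
Revoked Certificates:
    Serial Number: 0F33
        Revocation Date: Sep 10 08:30:00 2017 GMT
    Serial Number: 12AB
        Revocation Date: Sep 15 10:00:00 2017 GMT
EOF
}
```

A listed serial together with a current "Next Update" shows only that the file is correct; it does not show which component reads the file during smartcard logon.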
