[Samba] Revocation with CRL doesn't work for smartcards

Rowland Penny rpenny at samba.org
Thu Sep 21 20:52:26 UTC 2017


On Thu, 21 Sep 2017 22:08:51 +0200
Peter L via samba <samba at lists.samba.org> wrote:

> Thanks but I've actually tried that too. Not sure I put it in [kdc]
> section though, I can try again.
> 
> On 21 Sep 2017 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote:
> 
> > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > > Hi,
> > > I have a smartcard which is revoked in the Certificate Revocation
> > > List (CRL) but I can still log in. Seems like the CRL check is not
> > > performed. Any known bug around this?
> > >
> > > Server setup:
> > > - Samba 4.4 on Debian as AD DC
> > > - Created domain MYDOM
> > > - smb.conf (extract):
> > >     tls enabled = yes
> > >     tls crlfile = tls/mycrl.pem (default is to look under the private/ folder)
> >
> > > CRL:
> > > - In file system:
> > > ..../private/tls/mycrl.pem
> > > > mycrl.pem
> > > - Contains serial number 0x12ab
> >
> > The Heimdal code doing the SmartCard stuff doesn't know about the
> > smb.conf, you need to configure this in krb5.conf.
> >
> > Something like:
> >
> > [kdc]
> >  pkinit_revoke = FILE:..../private/tls/mycrl.pem
> >
> > (Sadly this isn't used in our test scripts, so please test carefully
> > and research the exact syntax further).
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                       http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> >
> >

This jogged something in my memory, so I went and did some digging and
found this:

https://bugzilla.samba.org/show_bug.cgi?id=9612

Rowland
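
Added example, not code from this thread and not part of Samba or Heimdal: before chasing the KDC side, it is worth confirming that the CRL file itself would satisfy a revocation check. The script below builds a throwaway CA with the openssl CLI, issues a card certificate with serial 0x12ab (the serial from Peter's mail) and a second one that stays valid, revokes the first into a CRL, and then checks two things a KDC would need: that the CRL verifies against the CA, and that the serial is actually listed. It finishes by running chain validation with CRL checking on both certificates, which is what a correctly configured PKINIT revocation check should conclude. The CA name, file names, the second serial and the temporary directory layout are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba/Heimdal. Reproduces the
# scenario with a throwaway CA and checks what a CRL-aware verifier should
# conclude. Only needs the openssl CLI (1.1.1 or 3.x). Names and serials
# other than 0x12ab are assumptions for the demo.

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # One config file serves both `req -x509` (CA cert extensions) and
    # `openssl ca` (the index/crlnumber state that -revoke/-gencrl update).
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 1
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo MYDOM CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_cert() {
    # issue_cert NAME HEXSERIAL: end-entity cert $WORK/NAME.pem with that serial
    openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -set_serial "$2" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

revoke_cert() {
    # revoke_cert NAME: mark it revoked in the CA index, regenerate $WORK/mycrl.pem
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.pem" 2>/dev/null &&
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/mycrl.pem" 2>/dev/null
}

serial_in_crl() {
    # serial_in_crl CRL HEXSERIAL: 0 only if the CRL verifies against the CA
    # *and* lists the serial. `openssl crl -text` prints serials as upper-case
    # hex without the 0x prefix, so normalise the argument the same way.
    openssl crl -in "$1" -CAfile "$WORK/ca.pem" -noout >/dev/null 2>&1 || return 2
    want=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $want\$"
}

cert_revoked() {
    # cert_revoked CERT: 0 if chain validation with CRL checking rejects CERT,
    # i.e. what a KDC that really consults the CRL should conclude.
    ! openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/mycrl.pem" "$1" >/dev/null 2>&1
}

demo() {
    make_ca
    issue_cert revokedcard 0x12ab   # the serial from the thread
    issue_cert goodcard    0x12ac   # assumed sibling that stays valid
    revoke_cert revokedcard
    for s in 0x12ab 0x12ac; do
        if serial_in_crl "$WORK/mycrl.pem" "$s"; then echo "$s: listed in CRL"; else echo "$s: not in CRL"; fi
    done
    for c in revokedcard goodcard; do
        if cert_revoked "$WORK/$c.pem"; then echo "$c: REJECTED (revoked)"; else echo "$c: accepted"; fi
    done
    rm -rf "$WORK"
}
demo
```

Run it as `sh check_crl.sh`; 0x12ab should show as listed and revokedcard as rejected while goodcard is accepted. Pointing serial_in_crl at the real private/tls/mycrl.pem (with WORK set to a directory holding the real CA cert as ca.pem) answers the first question from the thread: whether the file on the DC is a valid, CA-signed CRL that names the card's serial at all. If it is, the remaining gap is that nothing on the KDC side reads it, which is the krb5.conf point Andrew raises.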
