[Samba] Smartcard CDP check

Yakov Revyakin yrevyakin at gmail.com
Tue Dec 8 20:47:22 UTC 2020


Hi,
I have a Samba DC with a bidirectional trust to an AD DC.
I can authenticate an AD domain user to a Samba domain Windows member with
his password.
I've set up smartcard logon for Samba domain users, and I've also provided
everything necessary, in my opinion, to enable smartcard logon for an AD domain
user.
When authentication for a trusted AD domain user happens I get the
following error message: "The revocation status of the domain controller
certificate used for the smart card authentication could not be determined".

The AD user certificate has an LDAP-based CDP URL. When I run "certutil -verify
-urlfetch" for the ADDC certificate on the ADDC side I have:

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0d)" Time: 0
    [0.0]
ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (0d)" Time: 0
    [0.0.0]
ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?deltaRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (0d)" Time: 0
    [0.0]
ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?deltaRevocationList?base?objectClass=cRLDistributionPoint

If I run the same check for the same certificate on a Samba domain Windows
member, I get errors:

  ----------------  Certificate CDP  ----------------

  Failed "CDP" Time: 0 (null)

    Error retrieving URL: The system cannot find the file specified.
0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

    ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint

. . .

ERROR: Verifying leaf certificate revocation status returned The revocation
function was unable to check revocation because the revocation server was
offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

CertUtil: The revocation function was unable to check revocation because
the revocation server was offline.

From this Samba domain Windows member I can connect to the trusted domain's LDAP
and fetch the appropriate cRLDistributionPoint data using the domain name.

So,
- trusted authentication works with password
- correct DNS is in place
- trusted LDAP and CDP object are available

Could someone explain to me whether this kind of CDP request is supported? How
can I resolve that CDP check?

Thanks,

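As an added example (not part of the original post and not Samba's or Microsoft's code), here is a small Python helper that parses the ldap:/// CDP URLs quoted in the certutil output above in their RFC 4516 form, flags a URL that names no host (the client must then locate a server on its own), and builds an OpenLDAP ldapsearch command against a server you name explicitly, so the CDP object can be fetched and inspected independently of how the Windows member locates a DC. The server name dc01.apex.corp is an assumed placeholder, and the sample URL is copied from the output above.

```python
import shlex
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed sample: the delta-CRL CDP URL from the certutil output above,
# kept with the line wrap that the mail archive introduced.
SAMPLE_CDP = """ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex
,DC=corp?deltaRevocationList?base?objectClass=cRLDistributionPoint"""


@dataclass
class LdapCdp:
    host: str       # empty when the URL is host-less (ldap:///...)
    dn: str         # percent-decoded distinguished name of the CDP object
    attribute: str  # certificateRevocationList or deltaRevocationList
    scope: str      # base / one / sub
    filter: str     # parenthesised LDAP filter


def parse_ldap_cdp(url_text: str) -> LdapCdp:
    """Parse an RFC 4516 LDAP URL as written into a CRL Distribution Point.
    Whitespace and line breaks (wrapped tool output) are removed first."""
    url = "".join(url_text.split())
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError(f"not an LDAP URL: {url}")
    # query is "attributes?scope?filter"; missing fields take RFC defaults
    attribute, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
    scope = scope or "base"
    flt = flt or "(objectClass=*)"
    if not flt.startswith("("):
        flt = f"({flt})"  # Windows writes the filter without parentheses
    return LdapCdp(parts.netloc, unquote(parts.path.lstrip("/")), attribute, scope, flt)


def is_hostless(cdp: LdapCdp) -> bool:
    """ldap:/// names no server, so the client has to pick one itself."""
    return cdp.host == ""


def ldapsearch_command(cdp: LdapCdp, server: str) -> str:
    """Build an ldapsearch command that fetches the CRL attribute from an
    explicit server; 'server' is a placeholder you supply (assumption)."""
    argv = ["ldapsearch", "-H", f"ldap://{server}", "-b", cdp.dn,
            "-s", cdp.scope, cdp.filter, cdp.attribute]
    return shlex.join(argv)


if __name__ == "__main__":
    cdp = parse_ldap_cdp(SAMPLE_CDP)
    print("host-less:", is_hostless(cdp))
    print(ldapsearch_command(cdp, "dc01.apex.corp"))  # placeholder DC name
```

The command it prints fetches the raw CRL attribute; piping the attribute value through `openssl crl -inform DER -noout -text` (after base64-decoding it) shows the CRL's validity dates.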
