[Samba] Smartcard CDP check

Yakov Revyakin yrevyakin at gmail.com
Tue Dec 8 20:55:31 UTC 2020


Also, when I run certutil or try to authenticate a trusted smartcard user,
the Samba log shows the following:

[2020/12/08 20:50:43.222192,  5] ../../source4/ldap_server/ldap_backend.c:782(ldapsrv_SearchRequest)
  ldb_request BASE dn=CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=apex,DC=corp filter=(objectClass=cRLDistributionPoint)

[2020/12/08 20:50:43.225723,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'


On Tue, 8 Dec 2020 at 22:47, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> Hi,
> I have Samba DC having bidirectional trust with ADDC.
> I can authenticate an AD domain user to a Samba domain Windows member with
> his password.
> I've set up smartcard logon for Samba domain users as well as I've
> provided all necessary, by my opinion, to enable smartcard logon for an AD
> domain user.
> When authentication for a trusted AD domain user happens I have the
> following error message:"The revocation status of the domain controller
> certificate used for the smart card authentication could not be determined".
>
> AD user certificate has ldap based CDP URL. When I run "certutil -verify
> -urlfetch" for the ADDC certificate on ADDC side I have:
>
>   ----------------  Certificate CDP  ----------------
>   Verified "Base CRL (0d)" Time: 0
>     [0.0]
> ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
>   Verified "Delta CRL (0d)" Time: 0
>     [0.0.0]
> ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?deltaRevocationList?base?objectClass=cRLDistributionPoint
>
>   ----------------  Base CRL CDP  ----------------
>   OK "Delta CRL (0d)" Time: 0
>     [0.0]
> ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?deltaRevocationList?base?objectClass=cRLDistributionPoint
> If I run the same check for the same certificate on Samba domain Windows
> member I have errors:
>
>   ----------------  Certificate CDP  ----------------
>
>   Failed "CDP" Time: 0 (null)
>
>     Error retrieving URL: The system cannot find the file specified.
> 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
>
>
>     ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> . . .
>
> ERROR: Verifying leaf certificate revocation status returned The
> revocation function was unable to check revocation because the revocation
> server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
>
> CertUtil: The revocation function was unable to check revocation because
> the revocation server was offline.
>
> From this Samba domain Windows member I can connect to trusted domain LDAP
> and fetch appropriate cRLDistributionPoint data using domain name.
>
> So that,
> - trusted authentication works with password
> - correct DNS is in place
> - trusted LDAP and CDP object are available
>
> Could someone explain to me whether this kind of CDP request is supported?
> How can I resolve that CDP check?
>
> Thanks,

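To see exactly which LDAP search a client derives from an ldap:/// CDP URL like the one in the certificate above (and to reproduce it by hand against the DC that should answer it), the following added example decomposes the URL per RFC 4516 and builds the matching ldapsearch call. It is not code from the thread or from Samba; it assumes OpenLDAP ldapsearch syntax and a DN without escaped commas.

```python
"""Decompose an LDAP-based CRL Distribution Point URL (RFC 4516 form) into the
search the client will issue, and build an equivalent ldapsearch command so a
defender can check that the DC actually answers it."""
from typing import Optional
from urllib.parse import unquote

# CDP URL as printed by certutil in the thread above (host part is empty).
CDP_URL_FROM_THREAD = (
    "ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=apex,DC=corp"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)


def parse_ldap_cdp_url(url: str) -> dict:
    """Split ldap://host/dn?attrs?scope?filter into percent-decoded parts."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, sep, path = url[len("ldap://"):].partition("/")
    if not sep:
        raise ValueError("URL carries no DN")
    parts = path.split("?")
    parts += [""] * (4 - len(parts))          # pad missing fields with ""
    dn, attrs, scope, filt = (unquote(p) for p in parts[:4])
    if filt and not filt.startswith("("):      # CDP URLs often omit the parens
        filt = f"({filt})"
    return {
        "host": host or None,   # empty host: the client must locate a DC itself
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": filt or "(objectClass=*)",
    }


def domain_from_dn(dn: str) -> str:
    """DNS domain name built from the DC= components (assumes no escaped commas)."""
    rdns = [rdn.split("=", 1) for rdn in dn.split(",")]
    return ".".join(v for k, v in rdns if k.strip().lower() == "dc")


def ldapsearch_command(url: str, server: Optional[str] = None) -> str:
    """Equivalent OpenLDAP ldapsearch invocation; target defaults to the DN's domain."""
    p = parse_ldap_cdp_url(url)
    host = server or p["host"] or domain_from_dn(p["dn"])
    return (f"ldapsearch -H ldap://{host} -b '{p['dn']}' -s {p['scope']} "
            f"'{p['filter']}' {' '.join(p['attributes'])}").strip()
```

The `dn`, scope and filter produced for the thread's URL match the `ldb_request BASE dn=... filter=(objectClass=cRLDistributionPoint)` line in the Samba log, so the command can be run against the Samba DC and against the trusted ADDC to compare which side returns the CRL.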
