[Samba] Smartcard logon

Yakov Revyakin yrevyakin at gmail.com
Thu Nov 19 18:30:24 UTC 2020


>
> Hi friends,
> I need your help.
>
> I implemented
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities
> enabling smart card logon on a Windows Server 2016 as a domain member of
> Samba DC.
>
> Currently I still have no successful smart card logon.
> I'm trying to connect to W2016 with a Hyper-V Console Session. As a result I
> get "A null reference pointer was passed to the stub" on my screen.
> Samba log with auth:10 and kerberos:10 shows the following:
>
> Kerberos: AS-REQ administrator\@svitla3.room at SVITLA3.ROOM from ipv4:
> 10.0.0.2:63245 for krbtgt/SVITLA3.ROOM at SVITLA3.ROOM
> Kerberos: Client sent patypes: 150, 128
> Kerberos: Looking for PKINIT pa-data --
> administrator\@svitla3.room at SVITLA3.ROOM
> Kerberos: Looking for ENC-TS pa-data --
> administrator\@svitla3.room at SVITLA3.ROOM
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> administrator\@svitla3.room at SVITLA3.ROOM
> Kerberos: AS-REQ administrator\@svitla3.room at SVITLA3.ROOM from ipv4:
> 10.0.0.2:63246 for krbtgt/SVITLA3.ROOM at SVITLA3.ROOM
> Kerberos: Client sent patypes: PK-INIT(ietf), OCSP, 128
> Kerberos: Looking for PKINIT pa-data --
> administrator\@svitla3.room at SVITLA3.ROOM
> Kerberos: PK-INIT request of type PK-INIT-IETF
> Kerberos: Trying to authorize PK-INIT subject DN
> CN=Administrator,CN=Users,DC=svitla3,DC=room
> Kerberos: found MS UPN SAN: administrator at svitla3.room
> Kerberos: Found matching MS UPN SAN in certificate
> Kerberos: PKINIT pre-authentication succeeded --
> administrator\@svitla3.room at SVITLA3.ROOM using
> CN=Administrator,CN=Users,DC=svitla3,DC=room
> authsam_account_ok: Checking SMB password for user
> administrator\@svitla3.room at SVITLA3.ROOM
> logon_hours_ok: No hours restrictions for user
> administrator\@svitla3.room at SVITLA3.ROOM
> lastLogonTimestamp is 132502676716079710
> sync interval is 14
> randomised sync interval is 9 (-5)
> old timestamp is 132502676716079710, threshold 132495020852973370, diff
> 7655863106340
> Kerberos: PK-INIT using dh rfc3526-MODP-group14
> Kerberos: AS-REQ authtime: 2020-11-19T17:14:45 starttime: unset endtime:
> 2020-11-20T03:14:45 renew till: 2020-11-26T17:14:45
> Kerberos: Client supported enctypes: 12, 15, aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using
> aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
> forwardable
> A successful login with a password shows two more lines:
>
> Kerberos: TGS-REQ Administrator at SVITLA3.ROOM from ipv4:10.0.0.2:63279 for
> cifs/us-smdc3.svitla3.room/svitla3.room at SVITLA3.ROOM [renewable,
> forwardable]
> Kerberos: TGS-REQ authtime: 2020-11-19T17:16:53 starttime:
> 2020-11-19T17:16:55 endtime: 2020-11-20T03:16:53 renew till:
> 2020-11-26T17:16:53
> I use a CA based on OpenSSL: I have root and intermediate CAs, and the DC
> certificate and user certificate are issued by the intermediate one. The DC
> certificate enables LDAPS successfully.
> Windows security event:
>
> An account failed to log on.
>
> Subject:
> Security ID: SYSTEM
> Account Name: WCLIENT1$
> Account Domain: SVITLA3
> Logon ID: 0x3E7
>
> Logon Type: 10
>
> Account For Which Logon Failed:
> Security ID: NULL SID
> Account Name: administrator at svitla3.room
> Account Domain:
>
> Failure Information:
> Failure Reason: An Error occured during Logon.
> Status: 0xC0030009
> Sub Status: 0x0
>
> Process Information:
> Caller Process ID: 0x508
> Caller Process Name: C:\Windows\System32\svchost.exe
>
> Network Information:
> Workstation Name: WCLIENT1
> Source Network Address: 0.0.0.0
> Source Port: 0
>
> Detailed Authentication Information:
> Logon Process: User32
> Authentication Package: Negotiate
> Transited Services: -
> Package Name (NTLM only): -
> Key Length: 0
>
> smb.conf
>
> # Global parameters
> [global]
>         netbios name = US-SMDC3
>         realm = SVITLA3.ROOM
>         server role = active directory domain controller
>         workgroup = SVITLA3
>         idmap_ldb:use rfc2307 = yes
>
> ldap server require strong auth = no
>
> tls enabled  = yes
> tls keyfile  = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile   = tls/ca.pem
> tls crlfile  = tls/room.crl.pem
> tls dh params file = tls/dcdhparams.pem
>
> log level = 1 auth:10 kerberos:10
> timestamp logs = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/svitla3.room/scripts
>         read only = No
>
> krb5.conf
>
> [libdefaults]
>         default_realm = SVITLA3.ROOM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>
> [appdefaults]
>         pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>
> [realms]
>         SVITLA3.ROOM = {
>                 pkinit_require_eku = true
>         }
>
> [kdc]
>         enable-pkinit = yes
>         pkinit_identity =
> FILE:/var/lib/samba/private/tls/cert.pem,/var/lib/samba/private/tls/key.pem
>         pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>         pkinit_principal_in_certificate = yes
>         pkinit_win2k = no
>         pkinit_win2k_require_binding = yes
>
> Could you advise me how to make a step forward?
>
> J
>

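The quoted log stops at the AS exchange: PKINIT pre-authentication succeeds, a TGT is built, and no TGS-REQ ever follows, while the Windows 4625 event carries a Status that is not a normal logon status. The following script is an added triage example for this thread; it is not code from the Samba project or from the original poster. It walks the KDC's auth:10/kerberos:10 lines stage by stage (AS-REQ seen, PK-INIT pa-data sent, subject DN authorised, UPN SAN matched, TGT issued, TGS-REQ seen) and decodes the NTSTATUS value from the 4625 event into severity, facility and symbolic name. SAMPLE_KDC_LOG is constructed from the lines quoted above with the list archive's " at " restored to "@"; the stage descriptions are this example's own reading of the Heimdal KDC messages, and the NTSTATUS names and bit layout are those of ntstatus.h.

```python
"""Stage-by-stage triage of a Samba AD DC smart card (PKINIT) logon.

Added example for this thread, not code from the Samba project or the original
poster. SAMPLE_KDC_LOG is constructed from the lines quoted in the post, with the
archive's " at " restored to "@". Stage names are this example's own reading of
the Heimdal KDC messages; NTSTATUS names and bit layout follow ntstatus.h.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_KDC_LOG = """\
Kerberos: AS-REQ administrator\\@svitla3.room@SVITLA3.ROOM from ipv4:10.0.0.2:63245 for krbtgt/SVITLA3.ROOM@SVITLA3.ROOM
Kerberos: Client sent patypes: 150, 128
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator\\@svitla3.room@SVITLA3.ROOM
Kerberos: AS-REQ administrator\\@svitla3.room@SVITLA3.ROOM from ipv4:10.0.0.2:63246 for krbtgt/SVITLA3.ROOM@SVITLA3.ROOM
Kerberos: Client sent patypes: PK-INIT(ietf), OCSP, 128
Kerberos: PK-INIT request of type PK-INIT-IETF
Kerberos: Trying to authorize PK-INIT subject DN CN=Administrator,CN=Users,DC=svitla3,DC=room
Kerberos: found MS UPN SAN: administrator@svitla3.room
Kerberos: Found matching MS UPN SAN in certificate
Kerberos: PKINIT pre-authentication succeeded -- administrator\\@svitla3.room@SVITLA3.ROOM using CN=Administrator,CN=Users,DC=svitla3,DC=room
Kerberos: AS-REQ authtime: 2020-11-19T17:14:45 starttime: unset endtime: 2020-11-20T03:14:45 renew till: 2020-11-26T17:14:45
"""

@dataclass
class PkinitTrace:
    as_req: int = 0                                  # AS-REQ messages seen
    patypes: List[List[str]] = field(default_factory=list)
    pkinit_request: bool = False
    subject_dn: Optional[str] = None
    upn_san: Optional[str] = None
    upn_matched: bool = False
    pkinit_succeeded: bool = False
    tgt_issued: bool = False                         # "AS-REQ authtime:" line
    tgs_req: int = 0                                 # service ticket requests

def parse_kdc_log(text: str) -> PkinitTrace:
    """Collect the PKINIT stage markers from auth:10 / kerberos:10 output."""
    t = PkinitTrace()
    for raw in text.splitlines():
        if not raw.startswith("Kerberos: "):
            continue                      # authsam_* lines are not stage markers
        msg = raw[len("Kerberos: "):].strip()
        if msg.startswith("AS-REQ authtime:"):
            t.tgt_issued = True
        elif msg.startswith("AS-REQ "):
            t.as_req += 1
        elif msg.startswith("TGS-REQ ") and not msg.startswith("TGS-REQ authtime:"):
            t.tgs_req += 1
        elif msg.startswith("Client sent patypes:"):
            t.patypes.append([p.strip() for p in msg.split(":", 1)[1].split(",")])
        elif msg.startswith("PK-INIT request of type"):
            t.pkinit_request = True
        elif msg.startswith("Trying to authorize PK-INIT subject DN "):
            t.subject_dn = msg.split("subject DN ", 1)[1]
        elif msg.startswith("found MS UPN SAN: "):
            t.upn_san = msg.split(": ", 1)[1]
        elif msg == "Found matching MS UPN SAN in certificate":
            t.upn_matched = True
        elif msg.startswith("PKINIT pre-authentication succeeded"):
            t.pkinit_succeeded = True
    return t

def kdc_stage(t: PkinitTrace) -> str:
    """Name the last stage the KDC completed, so the search starts on the right host."""
    if t.as_req == 0:
        return "no AS-REQ reached the KDC: look at the client, DNS or KDC discovery"
    if not t.pkinit_request:
        return "client never sent PK-INIT pa-data: the smart card was not used for preauth"
    if t.subject_dn is None:
        return "PK-INIT data rejected before subject DN check: verify the chain against pkinit_anchors"
    if not t.upn_matched:
        return "certificate read but no UPN SAN matched an account"
    if not t.pkinit_succeeded or not t.tgt_issued:
        return "UPN matched but no TGT was issued"
    if t.tgs_req == 0:
        return "TGT issued but no TGS-REQ followed: the failure is after the AS exchange"
    return "AS and TGS exchanges completed on the KDC"

# NTSTATUS severity is bits 30-31 and facility bits 16-27 (ntstatus.h layout).
NTSTATUS_NAMES: Dict[int, str] = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0030009: "RPC_NT_NULL_REF_POINTER",  # "A null reference pointer was passed to the stub"
}
FACILITIES = {0x0: "NT core", 0x2: "RPC runtime", 0x3: "RPC stubs"}

def decode_ntstatus(value: int) -> Dict[str, str]:
    """Split a 4625 Status field into severity, facility and symbolic name."""
    facility = (value >> 16) & 0x0FFF
    return {
        "severity": ("success", "informational", "warning", "error")[value >> 30],
        "facility": FACILITIES.get(facility, "facility 0x%X" % facility),
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }

if __name__ == "__main__":
    trace = parse_kdc_log(SAMPLE_KDC_LOG)
    print(kdc_stage(trace), trace.patypes, decode_ntstatus(0xC0030009))
```

Run against the constructed sample, `kdc_stage()` reports that the TGT was issued and no TGS-REQ followed, and `decode_ntstatus(0xC0030009)` gives an error in the RPC stubs facility (RPC_NT_NULL_REF_POINTER) rather than a logon or account status. Together they place the failing step on the Windows client after it received the KDC's AS-REP, which is where a defender would continue (client-side Kerberos and smart card event logs) instead of re-checking the DC's certificate matching, which the log already shows succeeding.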
