[Samba] Smartcard logon issue with pam_winbind and Kerberos auth

Alexey A Nikitin nikitin at amazon.com
Fri Nov 20 00:13:44 UTC 2020

Hi folks,

I've ran into an interesting issue when I was trying to set up Winbind client to use smart card for authentication.

>From what I was able to gather, Winbind doesn't support smart card auth. To my surprise, I was able to authenticate without pam_pkcs11 or pam_krb5 in my PAM stack, using only pam_winbind, after I've added config like this into /etc/krb5.conf:

pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
pkinit_eku_checking = kpServerAuth
pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
pkinit_kdc_hostname = example.com

pam = {
mappings = ^EXAMPLE\\(.*)$ $1 at EXAMPLE.COM

>From what I understand, that works because I have `krb5_auth = yes` in pam_winbind.conf, so the actual auth is done by libkrb5.

But I had even bigger surprise when I found out that when Winbind is offline it now accepts the smart card PIN in leu of user password without bothering to even verify whether there is _any_ smart card attached at all. From what I understand, the reason that happens is Winbind simply completely offloads the authentication to libkrb5, without concerning itself at all abouth the nature of the credential (whether it is a password or a PIN), and it doesn't get back any discriminating responses from libkrb5, only whether auth has passed of failed, and then it just caches that result next to a (salted, I assume) hash of the credential. Is my understandig correct?

Basically, what I would like to know is if there is a way to reap the benefits of the pam_winbind setup with proper pkinit configuration in krb5.conf but without the vulnerability I described, other than configuring PAM stack to do either password auth with pam_winbind or smartcard auth with pam_pkcs11 and pam_krb5.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.samba.org/pipermail/samba/attachments/20201119/eea4298e/signature.sig>

More information about the samba mailing list