[Samba] Smartcard logon

Yakov Revyakin yrevyakin at gmail.com
Thu Nov 26 13:29:23 UTC 2020


Hi again,
I have some progress. Currently my setup allows smartcard login. It is
completely based on the guide the Samba wiki provides.
I can authenticate smart card users to real computers. It is also
possible for VMs, BUT only via a console session.
If I try to use a smartcard via RDP I get a Kerberos error and
authentication fails.
I use MS Hyper-V with Enhanced Session Mode enabled; the Windows 2016 domain
member runs as a Generation 2 VM. I connect from the host machine via RDP to
that VM. All inside my laptop.

If I authenticate the user via a console session it succeeds, and the flow
ends as follows:

[2020/11/26 12:36:03.105937,  3, pid=8317, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ test04 at SVITLA3.ROOM from ipv4:192.168.0.113:50342 for
host/wclient0.svitla3.room at SVITLA3.ROOM [*canonicalize, renewable,
forwardable*]
[2020/11/26 12:36:03.111562,  3, pid=8317, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2020-11-26T12:36:02 starttime:
2020-11-26T12:36:03 endtime: 2020-11-26T22:36:02 renew till:
2020-12-03T12:36:02

In the case of RDP I get the following instead:

[2020/11/26 12:33:03.201703,  3, pid=8305, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ test04 at SVITLA3.ROOM from ipv4:192.168.0.112:54261 for
test04 at SVITLA3.ROOM [*enc-tkt-in-skey*, canonicalize, renewable,
forwardable]
[2020/11/26 12:33:03.201703,  3, pid=8305, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch: message2entry failed
[2020/11/26 12:33:03.201737,  3, pid=8305, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: test04 at SVITLA3.ROOM: no such
entry found in hdb
[2020/11/26 12:33:03.201762,  3, pid=8305, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.0.112:54261

In the second case we can see one more TGS-REQ option: enc-tkt-in-skey.
The RFC provides some hints on that, see
https://www.rfc-editor.org/rfc/rfc4120.html#section-2.9.2

Could someone help me interpret this option in my case?
Why do I get different behavior for terminal and console sessions?

Thanks

On Thu, 19 Nov 2020 at 20:43, Rowland penny via samba <samba at lists.samba.org>
wrote:

> On 19/11/2020 18:30, Yakov Revyakin via samba wrote:
> >> Hi friends,
> >> I need your help.
> >>
> >> I implemented
> >> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
> >>
> >>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities
> >> enabling smart card logon on a Windows Server 2016 as a domain member of
> >> Samba DC.
> >>
> >> Currently I still have no successful smart card logon.
>
> Not an expert on this, but I don't think 'ldap server require strong
> auth = no' is a good idea.
>
> Rowland
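As an added example (not part of the thread or of Samba), a small Python triage helper that re-joins the wrapped Samba KDC debug records quoted above and reports, per TGS-REQ, whether the request carried enc-tkt-in-skey (user-to-user authentication, RFC 4120 section 2.9.2) and whether the KDC then reported the requested principal as missing from hdb. The sample input is the RDP excerpt exactly as it appears in the mail; the dict keys are this example's own naming.

```python
import re
from itertools import takewhile

# Constructed sample: the RDP-case excerpt quoted above, kept exactly as the
# mail client wrapped it (mailman's " at " for "@", emphasis asterisks included).
SAMPLE_LOG = """\
[2020/11/26 12:33:03.201703,  3, pid=8305, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ test04 at SVITLA3.ROOM from ipv4:192.168.0.112:54261 for
test04 at SVITLA3.ROOM [*enc-tkt-in-skey*, canonicalize, renewable,
forwardable]
[2020/11/26 12:33:03.201737,  3, pid=8305, effective(0, 0), real(0, 0),
class=kerberos]
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: test04 at SVITLA3.ROOM: no such
entry found in hdb
"""

TGS_REQ = re.compile(r"TGS-REQ (?P<client>\S+@\S+) from (?P<src>\S+) "
                     r"for (?P<target>\S+@\S+) \[(?P<opts>[^\]]*)\]")

def records(log):
    """Split Samba debug output at each record's timestamp, re-join wrapped
    lines, and undo mailman's " at " rewriting of "@" so principals parse."""
    chunks = re.split(r"\n(?=\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})", log.strip())
    return [" ".join(c.split()).replace(" at ", "@") for c in chunks]

def tgs_requests(log):
    """One dict per TGS-REQ: client, target, option set, whether the request
    carried enc-tkt-in-skey (user-to-user, RFC 4120 2.9.2), and whether the
    KDC then reported the target principal missing from hdb."""
    recs, out = records(log), []
    for i, rec in enumerate(recs):
        m = TGS_REQ.search(rec)
        if not m:
            continue
        # strip the stray emphasis asterisks the mail archive added around options
        opts = {o.strip(" *") for o in m["opts"].split(",")}
        # the KDC's follow-up records for this request run until the next TGS-REQ
        follow = list(takewhile(lambda r: not TGS_REQ.search(r), recs[i + 1:]))
        out.append({"client": m["client"], "target": m["target"], "options": opts,
                    "user_to_user": "enc-tkt-in-skey" in opts,
                    "target_missing": any("Server not found in database" in f
                                          for f in follow)})
    return out
```

Running it over the console-session excerpt instead yields a single request for host/wclient0.svitla3.room with user_to_user and target_missing both False, which is the contrast the mail is asking about.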
