[Samba] PKinit does not seem to be correctly setup - password requested and no pkinit(?)
Olivier MARTIN
olivier at labapart.com
Fri Aug 4 17:05:41 UTC 2023
Hello all,
I am well aware of
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login, which I have read
many times. I have tried to follow the instructions and adapt them to my
simple setup.
To start, my server runs "Debian GNU/Linux 12" and I use the Samba
Debian package "Samba: 2:4.17.9+dfsg-0+deb12u3".
My issue is that when I try to authenticate with `kinit my-user -X
"X509_user_identity=FILE:my-user.crt,my-user.key"`, it asks for a
password and does not seem to do a PKINIT authentication.
Before playing with the Samba AD DC, I had a MIT Kerberos + LDAP setup and
managed to get a similar setup working.
Here are the instructions to reproduce my issue:
1. Create a user with smartcard required
sudo samba-tool user add userresttest --smartcard-required --no-pass
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.015861, 3]
../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
Aug 04 08:53:10 dc1 winbindd[16500]: winbindd_interface_version:
[nss_winbind (31725)]: request interface version (version = 32)
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.017896, 3]
../../source3/winbindd/winbindd.c:496(process_request_send)
Aug 04 08:53:10 dc1 winbindd[16500]: process_request_send:
[nss_winbind (31725)] Handling async request: GETGROUPS
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.018123, 3]
../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
Aug 04 08:53:10 dc1 winbindd[16500]: [nss_winbind (31725)] Winbind
external command GETGROUPS start.
Aug 04 08:53:10 dc1 winbindd[16500]: Searching groups for username 'root'.
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.018622, 4]
../../source3/winbindd/winbindd_dual.c:1633(child_handler)
Aug 04 08:53:10 dc1 winbindd[16562]: child daemon request 55
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019223, 3]
../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
Aug 04 08:53:10 dc1 winbindd[16562]: string_to_sid: SID is not in a
valid format
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019338, 3]
../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
Aug 04 08:53:10 dc1 winbindd[16562]: sam_name_to_sid: SAMDOM\ROOT
Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.023290, 4]
../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
Aug 04 08:53:10 dc1 samba[16460]: Successful AuthZ: [DCE/RPC,ncacn_np]
user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04 Aug 2023
08:53:10.023253 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.033887, 4]
../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
Aug 04 08:53:10 dc1 samba[16460]: Successful AuthZ: [DCE/RPC,ncacn_np]
user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04 Aug 2023
08:53:10.033863 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.038783, 3]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
Aug 04 08:53:10 dc1 samba[16460]: ldb_wrap open of privilege.ldb
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.041817, 4]
../../source3/winbindd/winbindd_dual.c:1641(child_handler)
Aug 04 08:53:10 dc1 winbindd[16562]: Finished processing child request 55
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042068, 1]
../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
Aug 04 08:53:10 dc1 winbindd[16500]: Could not convert sid S-0-0:
NT_STATUS_NONE_MAPPED
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042124, 3]
../../source3/winbindd/winbindd.c:563(process_request_done)
Aug 04 08:53:10 dc1 winbindd[16500]: process_request_done:
[nss_winbind(31725):GETGROUPS]: NT_STATUS_NONE_MAPPED
Aug 04 08:53:10 dc1 sudo[31725]: vagrant : TTY=pts/2 ;
PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/samba-tool user add
userresttest --smartcard-required --no-pass
Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session opened
for user root(uid=0) by vagrant(uid=1000)
Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session closed
for user root
2. Test login for my new user on the server. A password is requested.
$ kinit userresttest -X
"X509_user_identity=FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key"
Password for userresttest@SAMDOM.VM-TEST-SERVER:
kinit: Password incorrect while getting initial credentials
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.443651, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Probing for AS-REQ
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444331, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Not a FAST request
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444487, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: AS-REQ
userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:57017 for
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455560, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Client sent patypes: 150,
REQ-ENC-PA-REP
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455772, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] client-pa=150,REQ-ENC-PA-REP
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455835, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for PK-INIT(ietf)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455910, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for PK-INIT(win2k)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456016, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for ENC-TS pa-data
-- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456108, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for GSS pa-data --
userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456216, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Need to use
PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456302, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: as-req: sending error:
-1765328359 to client
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456360, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Making non-FAST KRB-ERROR
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456700, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] elapsed=0.013076
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456783, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456845, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]: Kerberos: AS-REQ
ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:57017
userresttest@SAMDOM.VM-TEST-SERVER
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
client-pa=150,REQ-ENC-PA-REP
e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.013076
(...logs after entering an empty password...)
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911607, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Probing for AS-REQ
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911876, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Not a FAST request
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911924, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: AS-REQ
userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:33525 for
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916859, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Client sent patypes:
ENC-TS, 150, REQ-ENC-PA-REP
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916968, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_vaddkv(): kv
pair[0] client-pa=ENC-TS,150,REQ-ENC-PA-REP
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917013, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Looking for PK-INIT(ietf)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917077, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Looking for PK-INIT(win2k)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917136, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Looking for ENC-TS pa-data
-- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917179, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_vaddkv(): kv
pair[0] pa=ENC-TS
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917283, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Failed to decrypt PA-DATA
-- userresttest@SAMDOM.VM-TEST-SERVER (enctype aes256-cts-hmac-sha1-96)
error Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917333, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_setkv_number():
setting kv pair pa-etype=18
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917373, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_setkv_number():
setting kv pair #auth_event=5
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921154, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit: changes:
num_registrations=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921242, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit: changes:
num_registered=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921280, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit: changes:
num_toplevel=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921314, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit: changes:
num_processed=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921347, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit: objects:
num_processed=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921380, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit: objects:
num_skipped=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921654, 2]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Aug 04 10:00:48 dc1 samba[32824]: Auth: [Kerberos KDC,ENC-TS
Pre-authentication] user [(null)]\[userresttest@SAMDOM.VM-TEST-SERVER]
at [Fri, 04 Aug 2023 10:00:48.921630 UTC] with [aes256-cts-hmac-sha1-96]
status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host
[ipv4:192.168.56.10:33525] mapped to [SAMDOM]\[userresttest]. local host
[NULL]
Aug 04 10:00:48 dc1 samba[32824]: {"timestamp":
"2023-08-04T10:00:48.921744+0000", "type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625,
"logonId": "e0c3e6c4b452b699", "logonType": 3, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress":
"ipv4:192.168.56.10:33525", "serviceDescription": "Kerberos KDC",
"authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
"clientAccount": "userresttest@SAMDOM.VM-TEST-SERVER", "workstation":
null, "becameAccount": "userresttest", "becameDomain": "SAMDOM",
"becameSid": "S-1-5-21-1683713074-1702463723-3046006096-1109",
"mappedAccount": "userresttest", "mappedDomain": "SAMDOM",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 10173}}
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921900, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: as-req: sending error:
-1765328360 to client
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921943, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Making non-FAST KRB-ERROR
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922108, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_vaddkv(): kv
pair[0] elapsed=0.010505
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922160, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]: Kerberos: AS-REQ ERR_PREAUTH_FAILED
ipv4:192.168.56.10:33525 userresttest@SAMDOM.VM-TEST-SERVER
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER pa=ENC-TS pa-etype=18
client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.010505
3. Verify certificate. I am using an intermediate certificate:
root-ca.crt > user-signing-ca.crt > userresttest.crt
$ openssl verify -CAfile /etc/pki/vm-test-server/ca/root-ca.crt
-untrusted /etc/pki/vm-test-server/ca/user-signing-ca-chain.crt
/tmp/vm-test-server-pki/certs/userresttest.crt
/tmp/vm-test-server-pki/certs/userresttest.crt: OK
4. krb5.conf
$ sudo cat /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.VM-TEST-SERVER
dns_lookup_realm = false
dns_lookup_kdc = true
pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt
[appdefaults]
pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt
[realms]
SAMDOM.VM-TEST-SERVER = {
default_domain = samdom.vm-test-server
pkinit_require_eku = true
}
[kdc]
enable-pkinit = yes
pkinit_identity =
FILE:/etc/pki/vm-test-server/ca/service-ca/ad_dc.crt,/etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key
pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt
pkinit_principal_in_certificate = yes
pkinit_win2k = no
pkinit_win2k_require_binding = yes
[domain_realm]
dc1 = SAMDOM.VM-TEST-SERVER
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
5. Samba configuration:
$ cat /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC1
realm = SAMDOM.VM-TEST-SERVER
server role = active directory domain controller
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
disable netbios = yes
log level = 4 auth_json_audit:3@/var/log/samba/samba_audit.log
logging = syslog@4
restrict anonymous = 2
load printers = no
cups options = raw
printcap name = /dev/null
ldap debug level = 1
tls enabled = yes
tls keyfile = /etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key
tls certfile = /etc/pki/vm-test-server/ca/service-ca/ad_dc.crt
tls cafile = /etc/pki/vm-test-server/ca/root-ca.crt
tls crlfile = /etc/pki/vm-test-server/ca/service-ca/services.crl
tls dhparams file = /etc/pki/vm-test-server/ad_dc_dhparams.pem
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/samdom.vm-test-server/scripts
read only = No
6. User certificate dump
$ cat /tmp/vm-test-server-pki/certs/userresttest.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
7. User's Samba entries:
$ sudo samba-tool user show userresttest
Processing section "[sysvol]"
Processing section "[netlogon]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
dn: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: userresttest
instanceType: 4
whenCreated: 20230804085310.0Z
whenChanged: 20230804085310.0Z
uSNCreated: 4112
uSNChanged: 4112
name: userresttest
objectGUID: cda01bf5-fdee-4137-9474-538f266ed65f
userAccountControl: 262656
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-1683713074-1702463723-3046006096-1109
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: userresttest
sAMAccountType: 805306368
userPrincipalName: userresttest@samdom.vm-test-server
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=vm-test-server
distinguishedName: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server
I tried with 'pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt'
as specified by the Samba wiki page:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Edit_the_Samba_KDC_Configuration_File_to_Enable_PKINIT_Authentication
I also tried with the CA bundle user-signing-ca-chain.crt: `cat
ca/user-signing-ca.crt ca/root-ca.crt > ca/user-signing-ca-chain.crt`
... but same issue.
I also read the recent Samba mailing list thread "Samba 4 AD SmartCard
Authentication Problem":
https://www.spinics.net/lists/samba/msg179822.html but Hans got luckier:
he got the error 'NT_STATUS_PKINIT_FAILURE', while my issue seems to be
different. Could it be related to my user creation?
I have no entries for pkinit in my logs: `sudo journalctl -u
samba-ad-dc.service | grep -i pkinit` is empty.
Thanks in advance,
Olivier
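Two things the logs in the post establish can be checked mechanically: the Heimdal KDC summary for the first AS-REQ records client-pa=150,REQ-ENC-PA-REP, so the request carried no PK-INIT pa-data before the client fell back to ENC-TS, and the account's userAccountControl of 262656 decodes to NORMAL_ACCOUNT plus SMARTCARD_REQUIRED. The following Python is an added example, not code from the post or from Samba: it parses those KDC summary lines, decodes userAccountControl, and flags password (ENC-TS) pre-authentication attempts against smart-card-required accounts in Samba's auth_json_audit records, which is the detection a SOC wants whatever the root cause of the client falling back to a password. The sample lines are the post's own log output re-joined onto single lines and trimmed to the fields used; the pa-type names it looks for (PK-INIT(ietf), PK-INIT(win2k)) are assumed to match the names in the post's debug output.

```python
import json
import re

# userAccountControl bits (well-known MS-ADTS values; subset relevant here)
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00400000: "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


# Heimdal's one-line AS-REQ audit summary:
#   "Kerberos: AS-REQ <status> <client addr> <client princ> <server princ> k=v k=v ..."
_AS_REQ_RE = re.compile(
    r"Kerberos: AS-REQ (?P<status>\S+) (?P<addr>\S+) (?P<client>\S+) (?P<server>\S+) (?P<kv>.+)$"
)


def parse_as_req_summary(line):
    """Parse one AS-REQ summary line; return None for any other line (including the
    'AS-REQ <princ> from <addr> for <server>' line, whose tail has no key=value pairs)."""
    m = _AS_REQ_RE.search(line)
    if not m:
        return None
    tokens = m.group("kv").split()
    if not tokens or not all("=" in t for t in tokens):
        return None
    kv = dict(t.split("=", 1) for t in tokens)
    client_pa = kv["client-pa"].split(",") if kv.get("client-pa") else []
    return {
        "status": m.group("status"),
        "remote": m.group("addr"),
        "client": m.group("client"),
        "client_pa": client_pa,
        # Assumption: the summary uses the same pa-type names as the debug lines in the
        # post, where PKINIT appears as "PK-INIT(ietf)" / "PK-INIT(win2k)".
        "pkinit_offered": any(p.startswith("PK-INIT") for p in client_pa),
        "used_pa": kv.get("pa"),
    }


def audit_findings(syslog_line, uac_by_account):
    """Flag ENC-TS (password) pre-auth against SMARTCARD_REQUIRED accounts.
    syslog_line: a Samba auth_json_audit record, with or without its syslog prefix;
    uac_by_account: {sAMAccountName: userAccountControl} fetched out of band."""
    rec = json.loads(syslog_line[syslog_line.index("{"):])
    if rec.get("type") != "Authentication":
        return []
    auth = rec["Authentication"]
    account = auth.get("mappedAccount")
    flags = decode_uac(uac_by_account.get(account, 0))
    if auth.get("authDescription", "").startswith("ENC-TS") and "SMARTCARD_REQUIRED" in flags:
        return [f"{account}: {auth['authDescription']} against a SMARTCARD_REQUIRED account "
                f"from {auth.get('remoteAddress')} ({auth.get('status')})"]
    return []


# Constructed sample: the post's KDC and audit lines, re-joined onto single lines
# and trimmed to the fields used here.
SAMPLE_KDC_LINES = [
    "Aug 04 10:00:45 dc1 samba[32834]: Kerberos: AS-REQ userresttest@SAMDOM.VM-TEST-SERVER "
    "from ipv4:192.168.56.10:57017 for krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER",
    "Aug 04 10:00:45 dc1 samba[32834]: Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:57017 "
    "userresttest@SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER "
    "client-pa=150,REQ-ENC-PA-REP e-text=Need\\sto\\suse\\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.013076",
    "Aug 04 10:00:48 dc1 samba[32824]: Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.56.10:33525 "
    "userresttest@SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER "
    "pa=ENC-TS pa-etype=18 client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.010505",
]
SAMPLE_AUDIT_LINE = (
    'Aug 04 10:00:48 dc1 samba[32824]: {"timestamp": "2023-08-04T10:00:48.921744+0000", '
    '"type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, '
    '"eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", '
    '"remoteAddress": "ipv4:192.168.56.10:33525", "serviceDescription": "Kerberos KDC", '
    '"authDescription": "ENC-TS Pre-authentication", '
    '"clientAccount": "userresttest@SAMDOM.VM-TEST-SERVER", "mappedAccount": "userresttest", '
    '"mappedDomain": "SAMDOM", "passwordType": "aes256-cts-hmac-sha1-96"}}'
)
SAMPLE_UAC = {"userresttest": 262656}  # from the "samba-tool user show" output in the post


def triage(kdc_lines=SAMPLE_KDC_LINES, audit_line=SAMPLE_AUDIT_LINE, uac=SAMPLE_UAC):
    """Return (AS-REQ summaries, whether PKINIT was ever offered, audit findings)."""
    summaries = [s for s in map(parse_as_req_summary, kdc_lines) if s]
    return summaries, any(s["pkinit_offered"] for s in summaries), audit_findings(audit_line, uac)


if __name__ == "__main__":
    summaries, offered, findings = triage()
    for s in summaries:
        print(f"{s['status']:<21} client-pa={','.join(s['client_pa'])} used={s['used_pa']}")
    print("client offered PKINIT pre-auth:", offered)
    print(*findings, sep="\n")
```

Run against the post's lines, triage() reports that neither AS-REQ offered PK-INIT pre-authentication and raises one finding for the ENC-TS attempt against the smart-card-required account; on a real DC the same two checks run over `journalctl -u samba-ad-dc` output and the auth_json_audit log, with userAccountControl values pulled from `samba-tool user show`.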