[Samba] PKinit does not seem to be correctly setup - password requested and no pkinit(?)
Olivier MARTIN
olivier at labapart.com
Mon Aug 7 13:05:03 UTC 2023
Actually, I realised afterwards that I had forgotten to add the debug output from kinit.
Here are the logs for kinit:

$ KRB5_TRACE=/dev/stdout kinit -V userresttest -X "X509_user_identity=FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key"
Using default cache: /tmp/krb5cc_1000
Using principal: userresttest@SAMDOM.VM-TEST-SERVER
[33961] 1691148868.491458: Error loading plugin module pkinit: 2/unable
to load plugin
[/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so]:
/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so: cannot open
shared object file: No such file or directory
PA Option X509_user_identity =
FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key
[33961] 1691148868.491459: Getting initial credentials for
userresttest@SAMDOM.VM-TEST-SERVER
[33961] 1691148868.491461: Sending unauthenticated request
[33961] 1691148868.491462: Sending request (210 bytes) to
SAMDOM.VM-TEST-SERVER
[33961] 1691148868.491463: Sending DNS URI query for
_kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491464: No URI records found
[33961] 1691148868.491465: Sending DNS SRV query for
_kerberos._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491466: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148868.491467: Sending DNS SRV query for
_kerberos._tcp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491468: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148868.491469: Resolving hostname dc1.samdom.vm-test-server.
[33961] 1691148868.491470: Sending initial UDP request to dgram
192.168.56.10:88
[33961] 1691148868.491471: Received answer (318 bytes) from dgram
192.168.56.10:88
[33961] 1691148868.491472: Sending DNS URI query for
_kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491473: No URI records found
[33961] 1691148868.491474: Sending DNS SRV query for
_kerberos-master._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491475: No SRV records found
[33961] 1691148868.491476: Response was not from primary KDC
[33961] 1691148868.491477: Received error from KDC:
-1765328359/Additional pre-authentication required
[33961] 1691148868.491480: Preauthenticating using KDC method data
[33961] 1691148868.491481: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2),
PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[33961] 1691148868.491482: Selected etype info: etype aes256-cts, salt
"", params "\x00\x00\x10\x00"
Password for userresttest@SAMDOM.VM-TEST-SERVER:
[33961] 1691148871.932342: AS key obtained for encrypted timestamp:
aes256-cts/88FE
[33961] 1691148871.932344: Encrypted timestamp (for 1691148871.975233):
plain 301AA011180F32303233303830343131333433315AA10502030EE181,
encrypted
AE5B4AFFF4578A51900DCB3E1DED18ED333D669764A5B4A7CC888472D8D6C95E9DF71A6FA8B47F6EC5D9CE22B92ECD02AB6D6D217AC6693E
[33961] 1691148871.932345: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[33961] 1691148871.932346: Produced preauth for next request:
PA-ENC-TIMESTAMP (2)
[33961] 1691148871.932347: Sending request (290 bytes) to
SAMDOM.VM-TEST-SERVER
[33961] 1691148871.932348: Sending DNS URI query for
_kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932349: No URI records found
[33961] 1691148871.932350: Sending DNS SRV query for
_kerberos._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932351: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148871.932352: Sending DNS SRV query for
_kerberos._tcp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932353: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148871.932354: Resolving hostname dc1.samdom.vm-test-server.
[33961] 1691148871.932355: Sending initial UDP request to dgram
192.168.56.10:88
[33961] 1691148871.932356: Received answer (202 bytes) from dgram
192.168.56.10:88
[33961] 1691148871.932357: Sending DNS URI query for
_kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932358: No URI records found
[33961] 1691148871.932359: Sending DNS SRV query for
_kerberos-master._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932360: No SRV records found
[33961] 1691148871.932361: Response was not from primary KDC
[33961] 1691148871.932362: Received error from KDC:
-1765328360/Preauthentication failed
[33961] 1691148871.932365: Retrying AS request with primary KDC
[33961] 1691148871.932366: Getting initial credentials for
userresttest@SAMDOM.VM-TEST-SERVER
[33961] 1691148871.932368: Sending unauthenticated request
[33961] 1691148871.932369: Sending request (210 bytes) to
SAMDOM.VM-TEST-SERVER (primary)
[33961] 1691148871.932370: Sending DNS URI query for
_kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932371: No URI records found
[33961] 1691148871.932372: Sending DNS SRV query for
_kerberos-master._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932373: Sending DNS SRV query for
_kerberos-master._tcp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932374: No SRV records found
kinit: Password incorrect while getting initial credentials
And for the same command, here are the journalctl logs:
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.524925, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Probing for AS-REQ
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.525797, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Not a FAST request
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.525902, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: AS-REQ
userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:46075 for
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.533839, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Client sent patypes: 150,
REQ-ENC-PA-REP
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534055, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] client-pa=150,REQ-ENC-PA-REP
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534094, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Looking for PK-INIT(ietf)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534129, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Looking for PK-INIT(win2k)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534162, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Looking for ENC-TS pa-data
-- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534194, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Looking for GSS pa-data --
userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534250, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Need to use
PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534297, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: as-req: sending error:
-1765328359 to client
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534330, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: Making non-FAST KRB-ERROR
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534471, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] elapsed=0.009597
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534514, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534554, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]: Kerberos: AS-REQ
ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:46075
userresttest@SAMDOM.VM-TEST-SERVER
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
client-pa=150,REQ-ENC-PA-REP
e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.009597
(...logs after entering an empty password...)
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.939374, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Probing for AS-REQ
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.939575, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Not a FAST request
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.939618, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: AS-REQ
userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:44724 for
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944366, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Client sent patypes:
ENC-TS, 150, REQ-ENC-PA-REP
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944496, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] client-pa=ENC-TS,150,REQ-ENC-PA-REP
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944549, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Looking for PK-INIT(ietf)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944573, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Looking for PK-INIT(win2k)
pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944598, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Looking for ENC-TS pa-data
-- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944627, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] pa=ENC-TS
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944762, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Failed to decrypt PA-DATA
-- userresttest@SAMDOM.VM-TEST-SERVER (enctype aes256-cts-hmac-sha1-96)
error Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944818, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: heim_audit_setkv_number():
setting kv pair pa-etype=18
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944846, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: heim_audit_setkv_number():
setting kv pair #auth_event=5
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948008, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]: descriptor_prepare_commit: changes:
num_registrations=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948085, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]: descriptor_prepare_commit: changes:
num_registered=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948110, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]: descriptor_prepare_commit: changes:
num_toplevel=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948132, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]: descriptor_prepare_commit: changes:
num_processed=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948153, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]: descriptor_prepare_commit: objects:
num_processed=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948173, 3]
../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]: descriptor_prepare_commit: objects:
num_skipped=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948402, 2]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Aug 04 11:34:31 dc1 samba[32834]: Auth: [Kerberos KDC,ENC-TS
Pre-authentication] user [(null)]\[userresttest@SAMDOM.VM-TEST-SERVER]
at [Fri, 04 Aug 2023 11:34:31.948374 UTC] with [aes256-cts-hmac-sha1-96]
status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host
[ipv4:192.168.56.10:44724] mapped to [SAMDOM]\[userresttest]. local host
[NULL]
Aug 04 11:34:31 dc1 samba[32834]: {"timestamp":
"2023-08-04T11:34:31.948553+0000", "type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625,
"logonId": "fff977d25e6fdd30", "logonType": 3, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress":
"ipv4:192.168.56.10:44724", "serviceDescription": "Kerberos KDC",
"authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
"clientAccount": "userresttest@SAMDOM.VM-TEST-SERVER", "workstation":
null, "becameAccount": "userresttest", "becameDomain": "SAMDOM",
"becameSid": "S-1-5-21-1683713074-1702463723-3046006096-1109",
"mappedAccount": "userresttest", "mappedDomain": "SAMDOM",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 9215}}
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948660, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: as-req: sending error:
-1765328360 to client
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948688, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: Making non-FAST KRB-ERROR
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948801, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
pair[0] elapsed=0.009441
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948832, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]: Kerberos: AS-REQ ERR_PREAUTH_FAILED
ipv4:192.168.56.10:44724 userresttest@SAMDOM.VM-TEST-SERVER
krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER pa=ENC-TS pa-etype=18
client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.009441
... Because I call kinit on the server, the timestamps should be the same
between the kinit debug logs and the journalctl logs.
On 04.08.23 19:05, Olivier MARTIN wrote:
> Hello all,
>
> I am really well aware of
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login, which I have
> read many times. I have tried to follow the instructions and adapt them to
> my simple setup.
>
> To start, my server runs "Debian GNU/Linux 12" and I use the Samba
> Debian package "Samba: 2:4.17.9+dfsg-0+deb12u3"
>
> My issue is that when I try to authenticate myself with `kinit my-user -X
> "X509_user_identity=FILE:my-user.crt,my-user.key"`, it asks for a
> password and does not seem to do PKINIT authentication.
> Before playing with Samba AD DC, I had an MIT Kerberos + LDAP setup and
> managed to get a similar setup working.
>
>
> Here are the instructions to reproduce my issue:
>
>
>
> 1. Create user with smartcard
> sudo samba-tool user add userresttest --smartcard-required --no-pass
>
> Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.015861, 3]
> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> Aug 04 08:53:10 dc1 winbindd[16500]: winbindd_interface_version:
> [nss_winbind (31725)]: request interface version (version = 32)
> Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.017896, 3]
> ../../source3/winbindd/winbindd.c:496(process_request_send)
> Aug 04 08:53:10 dc1 winbindd[16500]: process_request_send:
> [nss_winbind (31725)] Handling async request: GETGROUPS
> Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.018123, 3]
> ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
> Aug 04 08:53:10 dc1 winbindd[16500]: [nss_winbind (31725)] Winbind
> external command GETGROUPS start.
> Aug 04 08:53:10 dc1 winbindd[16500]: Searching groups for username
> 'root'.
> Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.018622, 4]
> ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
> Aug 04 08:53:10 dc1 winbindd[16562]: child daemon request 55
> Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019223, 3]
> ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
> Aug 04 08:53:10 dc1 winbindd[16562]: string_to_sid: SID is not in a
> valid format
> Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019338, 3]
> ../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
> Aug 04 08:53:10 dc1 winbindd[16562]: sam_name_to_sid: SAMDOM\ROOT
> Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.023290, 4]
> ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
> Aug 04 08:53:10 dc1 samba[16460]: Successful AuthZ:
> [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04
> Aug 2023 08:53:10.023253 UTC] Remote host [ipv6::::0] local host
> [ipv6::::0]
> Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.033887, 4]
> ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
> Aug 04 08:53:10 dc1 samba[16460]: Successful AuthZ:
> [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04
> Aug 2023 08:53:10.033863 UTC] Remote host [ipv6::::0] local host
> [ipv6::::0]
> Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.038783, 3]
> ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
> Aug 04 08:53:10 dc1 samba[16460]: ldb_wrap open of privilege.ldb
> Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.041817, 4]
> ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
> Aug 04 08:53:10 dc1 winbindd[16562]: Finished processing child
> request 55
> Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042068, 1]
> ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
> Aug 04 08:53:10 dc1 winbindd[16500]: Could not convert sid S-0-0:
> NT_STATUS_NONE_MAPPED
> Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042124, 3]
> ../../source3/winbindd/winbindd.c:563(process_request_done)
> Aug 04 08:53:10 dc1 winbindd[16500]: process_request_done:
> [nss_winbind(31725):GETGROUPS]: NT_STATUS_NONE_MAPPED
> Aug 04 08:53:10 dc1 sudo[31725]: vagrant : TTY=pts/2 ;
> PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/samba-tool user add
> userresttest --smartcard-required --no-pass
> Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session
> opened for user root(uid=0) by vagrant(uid=1000)
> Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session
> closed for user root
>
>
> 2. Test login for my new user on the server. A password is requested.
>
> $ kinit userresttest -X
> "X509_user_identity=FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key"
> Password for userresttest@SAMDOM.VM-TEST-SERVER:
> kinit: Password incorrect while getting initial credentials
>
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.443651, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Probing for AS-REQ
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444331, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Not a FAST request
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444487, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: AS-REQ
> userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:57017 for
> krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455560, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Client sent patypes:
> 150, REQ-ENC-PA-REP
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455772, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
> pair[0] client-pa=150,REQ-ENC-PA-REP
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455835, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for
> PK-INIT(ietf) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455910, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for
> PK-INIT(win2k) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456016, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for ENC-TS
> pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456108, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Looking for GSS pa-data
> -- userresttest@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456216, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Need to use
> PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456302, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: as-req: sending error:
> -1765328359 to client
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456360, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: Making non-FAST KRB-ERROR
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456700, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
> pair[0] elapsed=0.013076
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456783, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: heim_audit_vaddkv(): kv
> pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
> Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456845, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:45 dc1 samba[32834]: Kerberos: AS-REQ
> ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:57017
> userresttest@SAMDOM.VM-TEST-SERVER
> krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
> client-pa=150,REQ-ENC-PA-REP
> e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.013076
>
> (...logs after entering an empty password...)
>
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911607, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Probing for AS-REQ
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911876, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Not a FAST request
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911924, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: AS-REQ
> userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:33525 for
> krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916859, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Client sent patypes:
> ENC-TS, 150, REQ-ENC-PA-REP
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916968, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_vaddkv(): kv
> pair[0] client-pa=ENC-TS,150,REQ-ENC-PA-REP
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917013, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Looking for
> PK-INIT(ietf) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917077, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Looking for
> PK-INIT(win2k) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917136, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Looking for ENC-TS
> pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917179, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_vaddkv(): kv
> pair[0] pa=ENC-TS
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917283, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Failed to decrypt
> PA-DATA -- userresttest@SAMDOM.VM-TEST-SERVER (enctype
> aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for
> checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917333, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos:
> heim_audit_setkv_number(): setting kv pair pa-etype=18
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917373, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos:
> heim_audit_setkv_number(): setting kv pair #auth_event=5
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921154, 3]
> ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
>
> Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit:
> changes: num_registrations=0
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921242, 3]
> ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
>
> Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit:
> changes: num_registered=0
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921280, 3]
> ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
>
> Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit:
> changes: num_toplevel=0
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921314, 3]
> ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
>
> Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit:
> changes: num_processed=0
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921347, 3]
> ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
>
> Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit:
> objects: num_processed=0
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921380, 3]
> ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
>
> Aug 04 10:00:48 dc1 samba[32824]: descriptor_prepare_commit:
> objects: num_skipped=0
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921654, 2]
> ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Aug 04 10:00:48 dc1 samba[32824]: Auth: [Kerberos KDC,ENC-TS
> Pre-authentication] user [(null)]\[userresttest@SAMDOM.VM-TEST-SERVER]
> at [Fri, 04 Aug 2023 10:00:48.921630 UTC] with
> [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD]
> workstation [(null)] remote host [ipv4:192.168.56.10:33525] mapped to
> [SAMDOM]\[userresttest]. local host [NULL]
> Aug 04 10:00:48 dc1 samba[32824]: {"timestamp":
> "2023-08-04T10:00:48.921744+0000", "type": "Authentication",
> "Authentication": {"version": {"major": 1, "minor": 2}, "eventId":
> 4625, "logonId": "e0c3e6c4b452b699", "logonType": 3, "status":
> "NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress":
> "ipv4:192.168.56.10:33525", "serviceDescription": "Kerberos KDC",
> "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
> "clientAccount": "userresttest@SAMDOM.VM-TEST-SERVER", "workstation":
> null, "becameAccount": "userresttest", "becameDomain": "SAMDOM",
> "becameSid": "S-1-5-21-1683713074-1702463723-3046006096-1109",
> "mappedAccount": "userresttest", "mappedDomain": "SAMDOM",
> "netlogonComputer": null, "netlogonTrustAccount": null,
> "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType":
> 0, "netlogonTrustAccountSid": null, "passwordType":
> "aes256-cts-hmac-sha1-96", "duration": 10173}}
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921900, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: as-req: sending error:
> -1765328360 to client
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921943, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: Making non-FAST KRB-ERROR
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922108, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: heim_audit_vaddkv(): kv
> pair[0] elapsed=0.010505
> Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922160, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>
> Aug 04 10:00:48 dc1 samba[32824]: Kerberos: AS-REQ
> ERR_PREAUTH_FAILED ipv4:192.168.56.10:33525
> userresttest@SAMDOM.VM-TEST-SERVER
> krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER pa=ENC-TS
> pa-etype=18 client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.010505
>
>
> 3. Verify certificate. I am using an intermediate certificate:
> root-ca.crt > user-signing-ca.crt > userresttest.crt
>
> $ openssl verify -CAfile /etc/pki/vm-test-server/ca/root-ca.crt
> -untrusted /etc/pki/vm-test-server/ca/user-signing-ca-chain.crt
> /tmp/vm-test-server-pki/certs/userresttest.crt
> /tmp/vm-test-server-pki/certs/userresttest.crt: OK
>
> 4. krb5.conf
>
> $ sudo cat /etc/krb5.conf
> [libdefaults]
> default_realm = SAMDOM.VM-TEST-SERVER
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt
>
> [appdefaults]
> pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt
>
> [realms]
> SAMDOM.VM-TEST-SERVER = {
> default_domain = samdom.vm-test-server
>
> pkinit_require_eku = true
> }
>
> [kdc]
> enable-pkinit = yes
> pkinit_identity =
> FILE:/etc/pki/vm-test-server/ca/service-ca/ad_dc.crt,/etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key
> pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt
> pkinit_principal_in_certificate = yes
> pkinit_win2k = no
> pkinit_win2k_require_binding = yes
>
> [domain_realm]
> dc1 = SAMDOM.VM-TEST-SERVER
>
> [logging]
> kdc = SYSLOG:NOTICE
> admin_server = SYSLOG:NOTICE
> default = SYSLOG:NOTICE
>
> 5. Samba configuration:
>
> $ cat /etc/samba/smb.conf
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8
> netbios name = DC1
> realm = SAMDOM.VM-TEST-SERVER
> server role = active directory domain controller
> workgroup = SAMDOM
> idmap_ldb:use rfc2307 = yes
>
> disable netbios = yes
> log level = 4 auth_json_audit:3@/var/log/samba/samba_audit.log
> logging = syslog at 4
> restrict anonymous = 2
> load printers = no
> cups options = raw
> printcap name = /dev/null
> ldap debug level = 1
> tls enabled = yes
> tls keyfile = /etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key
> tls certfile = /etc/pki/vm-test-server/ca/service-ca/ad_dc.crt
> tls cafile = /etc/pki/vm-test-server/ca/root-ca.crt
> tls crlfile = /etc/pki/vm-test-server/ca/service-ca/services.crl
> tls dhparams file = /etc/pki/vm-test-server/ad_dc_dhparams.pem
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.vm-test-server/scripts
> read only = No
>
>
> 6. User certificate Dump
>
> $ cat /tmp/vm-test-server-pki/certs/userresttest.crt
> -----BEGIN CERTIFICATE-----
> MIIDuTCCAqGgAwIBAgIUa4JmnGUhfgqzcpmDhS6zg4E93ucwDQYJKoZIhvcNAQEL
> BQAwRTEeMBwGCgmSJomT8ixkARkWDnZtLXRlc3Qtc2VydmVyMREwDwYDVQQLDAhE
> ZW1vIEx0ZDEQMA4GA1UEAwwHVXNlciBDQTAeFw0yMzA4MDQwODE3MjdaFw0yNDA4
> MDMwODE3MjdaMGAxFjAUBgoJkiaJk/IsZAEZFgZzYW1kb20xHjAcBgoJkiaJk/Is
> ZAEZFg52bS10ZXN0LXNlcnZlcjEPMA0GA1UEAwwGcGVvcGxlMRUwEwYDVQQDDAx1
> c2VycmVzdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCek1JL
> RqTzRkjQdaowRsiiBTHJstIz9RhsOx9esgqzOFaAmaMi4vbDWjN8VB4IIUKWe6YR
> 5Miv9JWkjne6bNjuMauedf8iv0/wxdVBvDcUm2y2qkqcmj75BPBjrlWjanw+hhQD
> w+9OJjfZP5uncRv1kil3r1M4gjntkOP5iKa8ttupzpzVEgWcsdJUy84qTfxYmGS/
> obzP0QbftAQanjfzR/ex+JtVyjqHYS7Z1pEBH0bkhVfzkSutEoC272SUDmjMGoZW
> +lgJI7AfH0XS/Y0D1dhYcX05deQFwljx1KxqXWHz0L3cXxjjH0xNG0YUQcK7OvdF
> aKXXx/kP00e2hZ2/AgMBAAGjgYUwgYIwCwYDVR0PBAQDAgOoMCYGA1UdJQQfMB0G
> BysGAQUCAwQGCCsGAQUFBwMEBggrBgEFBQcDAjBLBgNVHREERDBCoEAGBisGAQUC
> AqA2MDSgFxsVU0FNRE9NLlZNLVRFU1QtU0VSVkVSoRkwF6ADAgEBoRAwDhsMdXNl
> cnJlc3R0ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQAlOokZ7uVmQ8A84Kcn/zMaIA/S
> EFx8UNXjqTQNyPeYVDYiAj9Y1DLI9K3HJzCADPzfIi0gfDZKob3bqK+CtcBLKOfm
> 6p0mEQcABgPq+uAbcW3yps9nUpCMKq+96SLughdePRjJ2OTuKfzwq58g8SBKWqKi
> vjKbTvfmMsyu+O4ca5Srh4FuzhXLiD92XL8uYu19iRGSZ0FGrsSzuxvF/gwjLNHD
> G7fo0lR705s4Yjaa+JTgBNOg8Ar1bZfKWZA9t5JtGdop0zBkpfzgt28sn9uTxkqn
> LOsoQe5cRmh5lcbnWokPGg7qNsN458WmptOXK1p2ZGHtZ0ZPp0SemeCPMy8g
> -----END CERTIFICATE-----
>
>
> 7. User's Samba entries:
>
> $ sudo samba-tool user show userresttest
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> pm_process() returned Yes
> ldb_wrap open of secrets.ldb
> dn: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: userresttest
> instanceType: 4
> whenCreated: 20230804085310.0Z
> whenChanged: 20230804085310.0Z
> uSNCreated: 4112
> uSNChanged: 4112
> name: userresttest
> objectGUID: cda01bf5-fdee-4137-9474-538f266ed65f
> userAccountControl: 262656
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1683713074-1702463723-3046006096-1109
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: userresttest
> sAMAccountType: 805306368
> userPrincipalName: userresttest at samdom.vm-test-server
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=vm-test-server
> distinguishedName: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server
>
>
>
> I tried with 'pkinit_anchors =
> FILE:/etc/pki/vm-test-server/ca/root-ca.crt' as specified by the Samba
> wiki page:
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Edit_the_Samba_KDC_Configuration_File_to_Enable_PKINIT_Authentication
> I also tried with the CA bundle user-signing-ca-chain.crt: `cat
> ca/user-signing-ca.crt ca/root-ca.crt > ca/user-signing-ca-chain.crt`
> ... but same issue.
>
> I also read the recent Samba mailing list thread "Samba 4 AD SmartCard
> Authentication Problem":
> https://www.spinics.net/lists/samba/msg179822.html but Hans got
> luckier: he got the error 'NT_STATUS_PKINIT_FAILURE' while my issue
> seems to be different. Could it be related to my user creation?
>
> I have no entries for pkinit in my logs: `sudo journalctl -u
> samba-ad-dc.service | grep -i pkinit` is empty.
>
>
> Thanks in advance,
> Olivier
>
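Added example (mine, not code from this thread, Samba, Heimdal or MIT krb5): a standard-library-only Python check that decodes the user certificate quoted above and reports the two things the KDC looks at on the client certificate, its Extended Key Usage and the KRB5PrincipalName carried in the id-pkinit-san subjectAltName. The embedded PEM is the certificate posted in the thread; the OID constants are the RFC 4556 and Microsoft values. The DER walker is deliberately minimal (single-byte tags only), which is enough for an X.509 certificate.

```python
# Added example for this thread (not Samba/Heimdal/MIT krb5 code): decode a
# PKINIT client certificate with the standard library only and report the
# fields the KDC checks, Extended Key Usage and the id-pkinit-san principal.
from __future__ import annotations
import base64
from typing import Iterator, Optional

OID_EKU, OID_SAN = "2.5.29.37", "2.5.29.17"
OID_PKINIT_KP_CLIENT_AUTH = "1.3.6.1.5.2.3.4"      # RFC 4556 id-pkinit-KPClientAuth
OID_MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon
OID_PKINIT_SAN = "1.3.6.1.5.2.2"                   # RFC 4556 id-pkinit-san

# The user certificate posted earlier in this thread.
USER_CERT_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDuTCCAqGgAwIBAgIUa4JmnGUhfgqzcpmDhS6zg4E93ucwDQYJKoZIhvcNAQEL
BQAwRTEeMBwGCgmSJomT8ixkARkWDnZtLXRlc3Qtc2VydmVyMREwDwYDVQQLDAhE
ZW1vIEx0ZDEQMA4GA1UEAwwHVXNlciBDQTAeFw0yMzA4MDQwODE3MjdaFw0yNDA4
MDMwODE3MjdaMGAxFjAUBgoJkiaJk/IsZAEZFgZzYW1kb20xHjAcBgoJkiaJk/Is
ZAEZFg52bS10ZXN0LXNlcnZlcjEPMA0GA1UEAwwGcGVvcGxlMRUwEwYDVQQDDAx1
c2VycmVzdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCek1JL
RqTzRkjQdaowRsiiBTHJstIz9RhsOx9esgqzOFaAmaMi4vbDWjN8VB4IIUKWe6YR
5Miv9JWkjne6bNjuMauedf8iv0/wxdVBvDcUm2y2qkqcmj75BPBjrlWjanw+hhQD
w+9OJjfZP5uncRv1kil3r1M4gjntkOP5iKa8ttupzpzVEgWcsdJUy84qTfxYmGS/
obzP0QbftAQanjfzR/ex+JtVyjqHYS7Z1pEBH0bkhVfzkSutEoC272SUDmjMGoZW
+lgJI7AfH0XS/Y0D1dhYcX05deQFwljx1KxqXWHz0L3cXxjjH0xNG0YUQcK7OvdF
aKXXx/kP00e2hZ2/AgMBAAGjgYUwgYIwCwYDVR0PBAQDAgOoMCYGA1UdJQQfMB0G
BysGAQUCAwQGCCsGAQUFBwMEBggrBgEFBQcDAjBLBgNVHREERDBCoEAGBisGAQUC
AqA2MDSgFxsVU0FNRE9NLlZNLVRFU1QtU0VSVkVSoRkwF6ADAgEBoRAwDhsMdXNl
cnJlc3R0ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQAlOokZ7uVmQ8A84Kcn/zMaIA/S
EFx8UNXjqTQNyPeYVDYiAj9Y1DLI9K3HJzCADPzfIi0gfDZKob3bqK+CtcBLKOfm
6p0mEQcABgPq+uAbcW3yps9nUpCMKq+96SLughdePRjJ2OTuKfzwq58g8SBKWqKi
vjKbTvfmMsyu+O4ca5Srh4FuzhXLiD92XL8uYu19iRGSZ0FGrsSzuxvF/gwjLNHD
G7fo0lR705s4Yjaa+JTgBNOg8Ar1bZfKWZA9t5JtGdop0zBkpfzgt28sn9uTxkqn
LOsoQe5cRmh5lcbnWokPGg7qNsN458WmptOXK1p2ZGHtZ0ZPp0SemeCPMy8g
-----END CERTIFICATE-----
"""

def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Parse one DER element at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (tag, content) for each element inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner

def decode_oid(raw: bytes) -> str:
    """Turn DER OID content bytes into dotted form, e.g. 2B0601050202 -> 1.3.6.1.5.2.2."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extensions(pem: str) -> dict[str, bytes]:
    """Map extension OID -> the DER inside its extnValue OCTET STRING."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, cert, _ = read_tlv(der)
    _, tbs = next(children(cert))          # TBSCertificate is the first element
    exts: dict[str, bytes] = {}
    for tag, value in children(tbs):
        if tag == 0xA3:                    # [3] EXPLICIT Extensions
            _, ext_seq = next(children(value))
            for _, ext in children(ext_seq):
                parts = list(children(ext))     # OID, [critical BOOLEAN], OCTET STRING
                exts[decode_oid(parts[0][1])] = parts[-1][1]
    return exts

def extended_key_usage(exts: dict[str, bytes]) -> list[str]:
    """OIDs listed in extKeyUsage, in certificate order ([] if absent)."""
    if OID_EKU not in exts:
        return []
    _, seq = next(children(exts[OID_EKU]))
    return [decode_oid(v) for t, v in children(seq) if t == 0x06]

def general_strings(content: bytes) -> list[str]:
    """Collect every GeneralString (tag 0x1B) under a value, in DER order."""
    out: list[str] = []
    for tag, inner in children(content):
        if tag == 0x1B:
            out.append(inner.decode("ascii"))
        elif tag & 0x20:                   # constructed: descend
            out.extend(general_strings(inner))
    return out

def pkinit_principal(exts: dict[str, bytes]) -> Optional[str]:
    """Return name@REALM from the id-pkinit-san otherName, or None if absent."""
    if OID_SAN not in exts:
        return None
    _, names = next(children(exts[OID_SAN]))
    for tag, other in children(names):
        if tag != 0xA0:                    # GeneralName otherName is [0]
            continue
        oid, value = list(children(other))[:2]
        if decode_oid(oid[1]) == OID_PKINIT_SAN:
            # KRB5PrincipalName: realm [0] comes first, then the name components
            realm, *components = general_strings(value[1])
            return "/".join(components) + "@" + realm
    return None

def inspect_pkinit_cert(pem: str) -> dict:
    """Summary a KDC admin cares about: EKU list, whether a PKINIT/smart card EKU is present, SAN principal."""
    exts = extensions(pem)
    eku = extended_key_usage(exts)
    return {"eku": eku,
            "pkinit_eku_ok": OID_PKINIT_KP_CLIENT_AUTH in eku or OID_MS_SMARTCARD_LOGON in eku,
            "principal": pkinit_principal(exts)}

if __name__ == "__main__":
    for key, val in inspect_pkinit_cert(USER_CERT_PEM).items():
        print(f"{key}: {val}")
```

Run as is it reports, for the posted certificate, an EKU list that starts with id-pkinit-KPClientAuth and the SAN principal userresttest@SAMDOM.VM-TEST-SERVER, which is what `pkinit_principal_in_certificate = yes` in the quoted [kdc] section asks the KDC to match against the requesting account. Replace USER_CERT_PEM with the contents of another PEM file to check a different certificate; a missing SAN principal or an EKU list without either PKINIT OID is the first thing to fix on the certificate side, independently of whether the client actually sent a PKINIT pre-authentication.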