[Samba] PKI Certificate on samba-gpupdate

Christian Johansson christ64 at gmail.com
Mon Dec 18 19:37:27 UTC 2023


Hi,

Our RHEL8/9 servers have been joined to Active Directory using SSSD
successfully for a few years, only using it as a means to log in.

We're now trying to do a minimal Samba client (4.18.6) installation just to
try and see if we can get autoenrollment from our AD CS PKI to work.



Following https://wiki.samba.org/index.php/Certificate_Auto_Enrollment
as far as the RHEL platform allows me; when running:

  ./samba-gpupdate --rsop --username=mydomainuser

(this command is manually unpacked from
samba-gpupdate-4.18.1-0.fc38.x86_64.rpm since I couldn't find an exact
match to my other RHEL Samba packages)

I get a long list of seemingly happy messages and then:

<snip>
  CSE: gp_gnome_settings_ext
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
  CSE: gp_cert_auto_enroll_ext
--------------------------------------------------------------------------------------------------------------
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Traceback (most recent call last):
  File "./samba-gpupdate", line 131, in <module>
    rsop(lp, creds, store, gp_extensions, username, opts.target)
  File "/usr/lib64/python3.6/site-packages/samba/gp/gpclass.py", line 750, in rsop
    for section, settings in ext.rsop(gpo).items():
  File "/usr/lib64/python3.6/site-packages/samba/gp/gp_cert_auto_enroll_ext.py", line 507, in rsop
    cas = fetch_certification_authorities(ldb)
  File "/usr/lib64/python3.6/site-packages/samba/gp/gp_cert_auto_enroll_ext.py", line 160, in fetch_certification_authorities
    'cACertificate': get_string(es['cACertificate'][0])
  File "/usr/lib64/python3.6/site-packages/samba/common.py", line 105, in get_string
    print(tmp)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte
</snip>

The above-mentioned "0x82" happens to be the first byte in our
CA certificate in DER format, and the crash happens in
function get_string(bytesorstring) in file
"/usr/lib64/python3.6/site-packages/samba/common.py" when it tries to
convert the "byte code representation" of the DER certificate into UTF-8.

Now, going upwards in the named files in the traceback, one can see that
function fetch_certification_authorities(ldb) in file
gp_cert_auto_enroll_ext.py tries to do a:

  ldb.search(dn, SCOPE_SUBTREE, expr, attrs)

digging out 'cn', 'hostname' and 'cACertificate'.

If this were translated to an ldapsearch command like this:

  ldapsearch -H ldap://ad.ourdomain.net -Y GSS-SPNEGO -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ourdomain,DC=net" SCOPE_SUBTREE "(objectClass=pKIEnrollmentService)" 'cACertificate' 'cn' 'dNSHostName'

it renders the output for cACertificate in nice-looking PEM format.
(cn & hostname also look OK.)

I am at a loss … what goes wrong here? And how can I fix it?


Thanks.
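As an added example (not code from the post, the Samba project, or the author), here is a defensive reader for the cACertificate attribute that treats the value as DER bytes instead of decoding it as UTF-8. A DER-encoded X.509 certificate starts with a SEQUENCE tag 0x30 followed by a long-form length such as 0x82, which is why a UTF-8 decode fails at position 1. SAMPLE_DER is a constructed header with filler bytes, not a real certificate; the function names are my own and are not Samba APIs.

```python
import base64
import textwrap

# Constructed sample: a DER SEQUENCE header with a two-byte length field
# (0x30 0x82 LL LL) followed by 16 filler bytes. It is NOT a real certificate,
# but its leading bytes match what a real one looks like on the wire.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(range(16))


def utf8_decode_error_position(value: bytes):
    # Position at which a plain UTF-8 decode of the value fails (None if it
    # decodes cleanly); for SAMPLE_DER this is 1, exactly as in the traceback.
    try:
        value.decode("utf-8")
        return None
    except UnicodeDecodeError as err:
        return err.start


def der_sequence_length(value: bytes):
    # Total encoded length of a top-level DER SEQUENCE, or None if the header
    # is not well-formed (tag must be 0x30; length is short or long form).
    if len(value) < 2 or value[0] != 0x30:
        return None
    first = value[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n following length bytes
    if n == 0 or n > 4 or len(value) < 2 + n:
        return None
    return 2 + n + int.from_bytes(value[2:2 + n], "big")


def looks_like_der_certificate(value: bytes) -> bool:
    # A DER X.509 certificate is one SEQUENCE whose length covers the buffer.
    return der_sequence_length(value) == len(value)


def der_to_pem(der: bytes) -> str:
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def attribute_to_text(value) -> str:
    # Turn an LDAP attribute value into text without assuming it is UTF-8:
    # str passes through, DER certificates become PEM, other binary is base64.
    if isinstance(value, str):
        return value
    if looks_like_der_certificate(value):
        return der_to_pem(value)
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return base64.b64encode(value).decode("ascii")
```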

