[Samba] Samba 4 AD SmartCard Authentication Problem

Hans Schulze h.schulze at labor-ostsachsen.de
Fri Jul 14 14:52:43 UTC 2023


has anyone tried Samba 4 AD with SmartCard-Authentication and trust of 
chain certificates. So with root ca and intermediate ca?

I followed the HowTo from the Samba Wiki, but there is only explained 
how you use with only a root ca. Then i tried it myself. I created a 
intermediate ca and some certs for the dc and user. But, i always ran into:


Yes, i have paid attention to the CRL Distribution Points and that also 
the clients have connection to them. But the authentication fails.

With log level = 9 i found this...

Kerberos: PKINIT request but PKINIT not enabled |

Is there another Trigger to enable pkinit under Samba AD? Thats my 

|[libdefaults] default_realm = TEST.EXAMPLE.DE dns_lookup_realm = false 
dns_lookup_kdc = true pkinit_anchors = 
FILE:/var/lib/samba/private/tls/ca.pem [appdefaults] pkinit_anchors = 
FILE:/var/lib/samba/private/tls/ca.pem [realms] TEST.EXAMPLE.DE = { 
default_domain = test.example.de pkinit_require_eku = true } 
[domain_realm] dc0 = TEST.EXAMPLE.DE [kdc] enable-pkinit = yes 
pkinit_identity = 
pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem pkinit_revoke = 
pkinit_principal_in_certificate = yes pkinit_win2k = no 
pkinit_win2k_require_binding = yes |

My smb.conf:


|||# Global parameters [global] dns forwarder = netbios name = 
DC0 realm = TEST.EXAMPLE.DE server role = active directory domain 
controller dns forwarder = workgroup = TEST idmap_ldb:use 
rfc2307 = yes log level = 9 # log level = 1 auth_audit:3 
auth_json_audit:3 tls enabled = yes tls certfile = 
/var/lib/samba/private/tls/dc0-cert.pem tls keyfile = 
/var/lib/samba/private/tls/secure/dc0-privkey.pem tls cafile = 
/var/lib/samba/private/tls/cacert.pem tls cafile = 
/var/lib/samba/private/tls/interca.pem tls crlfile = 
/var/lib/samba/private/tls/rootca.crl tls crlfile = 
/var/lib/samba/private/tls/interca.crl tls dhparams file = 
/var/lib/samba/private/tls/dc0-dhparams.pem [sysvol] path = 
/var/lib/samba/sysvol read only = No [netlogon] path = 
/var/lib/samba/sysvol/test.example.de/scripts read only = No |

Is that an Kerberos related Issue or Samba 4?






More information about the samba mailing list