[Samba] Samba 4 AD SmartCard Authentication Problem
Hans Schulze
h.schulze at labor-ostsachsen.de
Fri Jul 14 14:52:43 UTC 2023
Hello,
has anyone tried Samba 4 AD with SmartCard authentication and a trust
chain of certificates, i.e. with a root CA and an intermediate CA?
I followed the HowTo from the Samba Wiki, but it only explains how to
use it with a root CA alone. Then I tried it myself. I created an
intermediate CA and some certs for the DC and the user. But I always ran into:
NT_STATUS_PKINIT_FAILURE
Yes, I have paid attention to the CRL Distribution Points and that the
clients also have a connection to them. But the authentication fails.
With log level = 9 I found this...
    ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
    Kerberos: PKINIT request but PKINIT not enabled
Is there another trigger to enable PKINIT under Samba AD? That's my
krb5.conf:
    [libdefaults]
        default_realm = TEST.EXAMPLE.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true
        pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem

    [appdefaults]
        pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem

    [realms]
        TEST.EXAMPLE.DE = {
            default_domain = test.example.de
            pkinit_require_eku = true
        }

    [domain_realm]
        dc0 = TEST.EXAMPLE.DE

    [kdc]
        enable-pkinit = yes
        pkinit_identity = FILE:/var/lib/samba/private/tls/dc0-cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem
        pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
        pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tls/root.crl
        pkinit_principal_in_certificate = yes
        pkinit_win2k = no
        pkinit_win2k_require_binding = yes
My smb.conf:
    # Global parameters
    [global]
        dns forwarder = 10.0.0.2
        netbios name = DC0
        realm = TEST.EXAMPLE.DE
        server role = active directory domain controller
        dns forwarder = 10.0.0.1
        workgroup = TEST
        idmap_ldb:use rfc2307 = yes
        log level = 9
        # log level = 1 auth_audit:3 auth_json_audit:3
        tls enabled = yes
        tls certfile = /var/lib/samba/private/tls/dc0-cert.pem
        tls keyfile = /var/lib/samba/private/tls/secure/dc0-privkey.pem
        tls cafile = /var/lib/samba/private/tls/cacert.pem
        tls cafile = /var/lib/samba/private/tls/interca.pem
        tls crlfile = /var/lib/samba/private/tls/rootca.crl
        tls crlfile = /var/lib/samba/private/tls/interca.crl
        tls dhparams file = /var/lib/samba/private/tls/dc0-dhparams.pem

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

    [netlogon]
        path = /var/lib/samba/sysvol/test.example.de/scripts
        read only = No
Is that a Kerberos-related issue or a Samba 4 one?
Regards
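One quick check worth running on an smb.conf like the one quoted above, written here as an added example and not taken from the thread or from Samba itself: parse the file the way Samba matches parameter names (case and embedded whitespace ignored) and report every parameter that is assigned more than once within a section, since a single-path parameter such as tls cafile or tls crlfile can only hold one of the two files listed. The embedded sample is the post's [global] and [sysvol] sections, reflowed one setting per line.

```python
from collections import defaultdict

# Constructed sample: the [global] and [sysvol] sections quoted in the post, one setting per line.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    dns forwarder = 10.0.0.2
    realm = TEST.EXAMPLE.DE
    dns forwarder = 10.0.0.1
    tls enabled = yes
    tls cafile = /var/lib/samba/private/tls/cacert.pem
    tls cafile = /var/lib/samba/private/tls/interca.pem
    tls crlfile = /var/lib/samba/private/tls/rootca.crl
    tls crlfile = /var/lib/samba/private/tls/interca.crl
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

def normalize(name):
    # Samba ignores case and embedded whitespace in parameter names ("tls cafile" == "tlscafile").
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: [values in file order]}}, keeping every assignment."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line or section is None:
            continue  # malformed line, or an assignment before any section header
        key, value = line.split("=", 1)
        sections[section][normalize(key)].append(value.strip())
    return sections

def repeated_parameters(text):
    """List (section, parameter, values) for each parameter assigned more than once in a section.
    A single-path parameter such as 'tls cafile' can only hold one of the values."""
    return [(section, key, values)
            for section, params in parse_smb_conf(text).items()
            for key, values in params.items()
            if len(values) > 1]

for section, key, values in repeated_parameters(SAMPLE_SMB_CONF):
    print(f"[{section}] '{key}' assigned {len(values)} times; only one value can take effect: {values}")
```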