[Samba] Samba 4 AD SmartCard Authentication Problem

Andrew Bartlett abartlet at samba.org
Tue Jul 18 19:43:19 UTC 2023


Tested support for certificate revocation is finally coming to Samba
(previously folks used an out-of-tree Heimdal patch to have this work).
See https://gitlab.com/samba-team/samba/-/merge_requests/3163
I expect these to land soon, hopefully for 4.19.
Andrew Bartlett
On Tue, 2023-07-18 at 12:24 +0200, Hans Schulze via samba wrote:
> I think I have been able to solve the problem myself:
> In old documentation there were extra entries in krb5.conf for the CRL,
> like:
>     #       pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl
>     #       pkinit_require_crl_checking = yes
> Newer docs have nothing of this kind. Furthermore, it is also not needed
> to install the root certs in the sub domain to resolve the chain.
> Only on Windows clients via GPO is it a prerequisite. In the smb.conf,
> only the intermediate certs and CRLs are needed. But the funny thing is
> that the docs (Samba Wiki) say that CRL Distribution Point entries
> are needed, but they never query the webserver.
> Am I missing something?
> Via certutil on a Windows client I can query the CRL and verify certs
> against it. But when I revoke a client cert and use a SmartCard
> with it, the login is granted. But in the CRL that cert is revoked,
> and the CRL is loaded in samba-ad-dc. Strange.
> Is there another Problem?
> On 14.07.2023 at 16:52, Hans Schulze via samba wrote:
> > Hello,
> > has anyone tried Samba 4 AD with SmartCard authentication and a chain
> > of trusted certificates, i.e. with a root CA and an intermediate CA?
> > I followed the HowTo from the Samba Wiki, but it only explains how to
> > use it with only a root CA. Then I tried it myself.
> > I created an intermediate CA and some certs for the DC and user.
> > But I always ran into:
> > NT_STATUS_PKINIT_FAILURE
> > Yes, I have paid attention to the CRL Distribution Points and that
> > the clients also have a connection to them. But the authentication
> > fails.
> > With log level = 9 I found this:
> > > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> > >   Kerberos: PKINIT request but PKINIT not enabled
> > 
> > Is there another trigger to enable PKINIT under Samba AD? That's my
> > krb5.conf:
> >
> >     [libdefaults]
> >         default_realm = TEST.EXAMPLE.DE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >         pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
> >
> >     [appdefaults]
> >         pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
> >
> >     [realms]
> >         TEST.EXAMPLE.DE = {
> >             default_domain = test.example.de
> >             pkinit_require_eku = true
> >         }
> >
> >     [domain_realm]
> >         dc0 = TEST.EXAMPLE.DE
> >
> >     [kdc]
> >         enable-pkinit = yes
> >         pkinit_identity = FILE:/var/lib/samba/private/tls/dc0-cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem
> >         pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
> >         pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tls/root.crl
> >         pkinit_principal_in_certificate = yes
> >         pkinit_win2k = no
> >         pkinit_win2k_require_binding = yes
> > My smb.conf:
> >
> >     # Global parameters
> >     [global]
> >         dns forwarder = 10.0.0.2
> >         netbios name = DC0
> >         realm = TEST.EXAMPLE.DE
> >         server role = active directory domain controller
> >         dns forwarder = 10.0.0.1
> >         workgroup = TEST
> >         idmap_ldb:use rfc2307 = yes
> >         log level = 9
> >         # log level = 1 auth_audit:3 auth_json_audit:3
> >         tls enabled = yes
> >         tls certfile = /var/lib/samba/private/tls/dc0-cert.pem
> >         tls keyfile = /var/lib/samba/private/tls/secure/dc0-privkey.pem
> >         tls cafile = /var/lib/samba/private/tls/cacert.pem
> >         tls cafile = /var/lib/samba/private/tls/interca.pem
> >         tls crlfile = /var/lib/samba/private/tls/rootca.crl
> >         tls crlfile = /var/lib/samba/private/tls/interca.crl
> >         tls dhparams file = /var/lib/samba/private/tls/dc0-dhparams.pem
> >
> >     [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> >     [netlogon]
> >         path = /var/lib/samba/sysvol/test.example.de/scripts
> >         read only = No
> > Is that a Kerberos-related issue or a Samba 4 one?
> > 
> > Regards
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
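The local check behind the thread's question (a revoked smart-card cert still being accepted), as an added shell example that is not part of the thread or of Samba: it builds a root CA, an intermediate CA and a user cert in a temporary directory (names LabRoot, LabInter and alice, and all file names, are constructed), then shows openssl verify accepting the user cert against a clean intermediate CRL and rejecting it once the CRL lists it. Run the same verify against the real user cert and the CRL files given to pkinit_revoke before suspecting the KDC: if openssl still accepts the cert, the CRL does not actually list it.

```shell
#!/bin/sh
# Constructed lab, not from the thread: root CA -> intermediate CA -> user
# cert. Issue a clean CRL from the intermediate, then revoke the user cert,
# reissue the CRL and show that the same chain check now rejects the cert.
set -eu
LAB=$(mktemp -d) && cd "$LAB"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Root CA (self-signed) and intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj /CN=LabRoot 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj /CN=LabInter 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
# User (smart-card style) certificate issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj /CN=alice 2>/dev/null
openssl x509 -req -in user.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out user.pem 2>/dev/null

# Minimal 'openssl ca' state so the intermediate can revoke and issue CRLs.
printf '[ca]\ndefault_ca = lab\n[lab]\ndatabase = index.txt\ncrlnumber = crlnumber\n' > ca.cnf
printf 'default_md = sha256\ndefault_crl_days = 1\n' >> ca.cnf
: > index.txt
echo 01 > crlnumber
inter_ca() { openssl ca -config ca.cnf -cert inter.pem -keyfile inter.key "$@" 2>/dev/null; }

# verify_user CRLFILE: exit 0 when user.pem chains to root.pem and is not
# listed in CRLFILE, non-zero otherwise (-crl_check only checks the leaf).
verify_user() {
    openssl verify -CAfile root.pem -untrusted inter.pem -crl_check \
        -CRLfile "$1" user.pem >/dev/null 2>&1
}
# revoked_count CRLFILE: number of revoked entries the CRL carries.
revoked_count() { openssl crl -in "$1" -noout -text | grep -c 'Serial Number' || true; }

inter_ca -gencrl -out clean.crl
inter_ca -revoke user.pem
inter_ca -gencrl -out revoked.crl

if verify_user clean.crl; then echo "clean CRL:   user cert accepted"; fi
if verify_user revoked.crl; then echo "revoked CRL: user cert STILL accepted (revocation not enforced)"
else echo "revoked CRL: user cert rejected, $(revoked_count revoked.crl) entry listed"; fi
```

Heimdal's pkinit_revoke takes the same kind of CRL files, so point verify_user at the production cert and CRLs to separate a CRL that never listed the cert from a KDC that is not checking it.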

