[Samba] Samba 4 AD SmartCard Authentication Problem

Hans Schulze h.schulze at labor-ostsachsen.de
Wed Jul 19 10:03:25 UTC 2023


Thank you for the info.

After some research, here is some further information:

The current stable Kerberos implementation does no CRL verification. At this 
time only domain members like Win10 clients do this. After joining 
the domain and the first login with a smartcard, they try to resolve the CRL 
Distribution Points for all certs of the chain. If only one URL cannot 
be reached, the authentication fails. The funny thing is, they are 
retrieved and cached only once, for as long as the CRL is valid. 
Should a new CRL be issued, the clients would still have the old 
CRL cached. That's a problem.

This mechanism was implemented to reduce the traffic to the distribution 
point.

You can check the cache with certutil on a Windows client, like:

certutil -urlcache CRL

These are my thoughts on this and I hope someone else can use them to 
better understand similar problems. I think this mechanism is a small 
security issue. But we hope that the new version will be released soon 
and will fix this problem.


On 18.07.2023 at 21:43, Andrew Bartlett via samba wrote:
> Tested support for certificate revocation is finally coming to Samba
> (previously folks used an out-of-tree Heimdal patch to have this work).
> See https://gitlab.com/samba-team/samba/-/merge_requests/3163
> I expect these to land soon, hopefully for 4.19.
> Andrew Bartlett
> On Tue, 2023-07-18 at 12:24 +0200, Hans Schulze via samba wrote:
>> I think I have been able to solve the problem myself:
>> In old documentation there were extra entries for CRL in krb5.conf,
>> like:
>> #       pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl
>> #       pkinit_require_crl_checking = yes
>> Newer docs have nothing like this. Furthermore, it is also not needed
>> to install the root certs in the Sub Domain to resolve the chain.
>> Only in Win clients per GPO is it a prerequisite. In the smb.conf,
>> only the intermediate certs and CRLs are needed. But the funny thing is
>> that the docs (Samba Wiki) say that CRL Distribution Point entries
>> are needed, but they never query the webserver.
>> Am I missing something?
>> Via certutil on a Win client I can query the CRL and verify certs
>> against it. But when I revoke a client cert and use a SmartCard
>> with it, the login is granted. But in the CRL that cert is revoked,
>> and loaded in samba-ad-dc. Strange.
>> Is there another problem?
>> On 14.07.2023 at 16:52, Hans Schulze via samba wrote:
>>> Hello,
>>> has anyone tried Samba 4 AD with SmartCard authentication and trust
>>> of chain certificates, so with root CA and intermediate CA?
>>> I followed the HowTo from the Samba Wiki, but it only
>>> explains how to use it with only a root CA. Then I tried it myself.
>>> I created an intermediate CA and some certs for the DC and user.
>>> But I always ran into:
>>> NT_STATUS_PKINIT_FAILURE
>>> Yes, I have paid attention to the CRL Distribution Points and that
>>> the clients also have a connection to them. But the authentication
>>> fails.
>>> With log level = 9 I found this...
>>>> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
>>> Kerberos: PKINIT request but PKINIT not enabled
>>>
>>> Is there another trigger to enable PKINIT under Samba AD? That's my
>>> krb5.conf:
>>> [libdefaults]
>>>     default_realm = TEST.EXAMPLE.DE
>>>     dns_lookup_realm = false
>>>     dns_lookup_kdc = true
>>>     pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>>>
>>> [appdefaults]
>>>     pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>>>
>>> [realms]
>>>     TEST.EXAMPLE.DE = {
>>>         default_domain = test.example.de
>>>         pkinit_require_eku = true
>>>     }
>>>
>>> [domain_realm]
>>>     dc0 = TEST.EXAMPLE.DE
>>>
>>> [kdc]
>>>     enable-pkinit = yes
>>>     pkinit_identity = FILE:/var/lib/samba/private/tls/dc0-cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem
>>>     pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>>>     pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tls/root.crl
>>>     pkinit_principal_in_certificate = yes
>>>     pkinit_win2k = no
>>>     pkinit_win2k_require_binding = yes
>>> My smb.conf:
>>> # Global parameters
>>> [global]
>>>     dns forwarder = 10.0.0.2
>>>     netbios name = DC0
>>>     realm = TEST.EXAMPLE.DE
>>>     server role = active directory domain controller
>>>     dns forwarder = 10.0.0.1
>>>     workgroup = TEST
>>>     idmap_ldb:use rfc2307 = yes
>>>     log level = 9
>>>     # log level = 1 auth_audit:3 auth_json_audit:3
>>>     tls enabled = yes
>>>     tls certfile = /var/lib/samba/private/tls/dc0-cert.pem
>>>     tls keyfile = /var/lib/samba/private/tls/secure/dc0-privkey.pem
>>>     tls cafile = /var/lib/samba/private/tls/cacert.pem
>>>     tls cafile = /var/lib/samba/private/tls/interca.pem
>>>     tls crlfile = /var/lib/samba/private/tls/rootca.crl
>>>     tls crlfile = /var/lib/samba/private/tls/interca.crl
>>>     tls dhparams file = /var/lib/samba/private/tls/dc0-dhparams.pem
>>>
>>> [sysvol]
>>>     path = /var/lib/samba/sysvol
>>>     read only = No
>>>
>>> [netlogon]
>>>     path = /var/lib/samba/sysvol/test.example.de/scripts
>>>     read only = No
>>> Is that a Kerberos-related issue or Samba 4?
>>>
>>> Regards
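
The client-side CRL caching described in the top message of this thread can be modelled to show how long a revoked smartcard certificate keeps working. This is an added example, not code from the post, Samba or Windows; the URLs, serial numbers and the 7-day CRL lifetime are constructed, and the publisher is simplified to issue a CRL at fetch time.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    next_update: datetime
    revoked: frozenset          # serial numbers revoked when this CRL was issued

@dataclass
class Client:
    """Domain member that keeps each fetched CRL until its nextUpdate."""
    cache: dict = field(default_factory=dict)      # CDP URL -> Crl

    def crl_for(self, url, now, fetch):
        crl = self.cache.get(url)
        if crl is None or now >= crl.next_update:  # refetch only once expired
            crl = self.cache[url] = fetch(url, now)
        return crl

    def logon_allowed(self, chain, now, fetch):
        """chain: (serial, CDP URL) for every certificate below the root."""
        try:
            return all(serial not in self.crl_for(url, now, fetch).revoked
                       for serial, url in chain)
        except ConnectionError:                    # one unreachable CDP fails the logon
            return False

class Publisher:
    """Constructed CA side: serves a CRL valid for `lifetime` from fetch time."""
    def __init__(self, lifetime):
        self.lifetime, self.down, self.revoked = lifetime, set(), {}
    def fetch(self, url, now):
        if url in self.down:
            raise ConnectionError(url)
        return Crl(now + self.lifetime, frozenset(self.revoked.get(url, ())))

def simulate():
    day, t0 = timedelta(days=1), datetime(2023, 7, 19)        # constructed timeline
    inter, root = "http://pki.example/inter.crl", "http://pki.example/root.crl"
    user, other = [(0x1001, inter), (0x02, root)], [(0x1002, inter), (0x02, root)]
    ca, pc = Publisher(7 * day), Client()
    out = {"first_logon": pc.logon_allowed(user, t0, ca.fetch)}
    ca.revoked[inter] = {0x1001}                              # revoked on day 1
    out["day3_stale_cache"] = pc.logon_allowed(user, t0 + 3 * day, ca.fetch)
    out["day8_refetched"] = pc.logon_allowed(user, t0 + 8 * day, ca.fetch)
    out["day3_fresh_client"] = Client().logon_allowed(user, t0 + 3 * day, ca.fetch)
    ca.down.add(root)                                         # root CDP unreachable
    out["cdp_down"] = Client().logon_allowed(other, t0 + 3 * day, ca.fetch)
    return out
```

Calling `simulate()` returns the logon decision at each step: the client with the cached CRL still accepts the revoked card on day 3, while a client fetching for the first time on the same day rejects it.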

