[Samba] Samba 4 AD SmartCard Authentication Problem
Andrey Repin
arepin at hostkey.com
Wed Jul 19 12:08:41 UTC 2023
Hello Hans Schulze,
Wednesday, July 19, 2023, 1:03:25 PM, you wrote:
> Thank you for the info.
> After some research, here is some further information:
> The current stable Kerberos implementation does no CRL verification. At this time
> only the domain members, like Win10 clients, do this. After joining the
> domain and the first login with a smart card, they try to resolve the CRL
> Distribution Points for all certs of the chain. If only one URL cannot be
> reached, the authentication fails.
> The funny thing is, they are retrieved
> and cached only once, as long as the validity of the CRL is given. Should a
> new CRL be issued, the clients would still have the old CRL cached. That's a problem.
You should not issue CRLs with a very long validity period.
Give it a few days over your routine CRL update cycle and it should work.
> This mechanism was implemented to reduce the traffic to the distribution point.
> You can check the cache with certutil on a Windows client, like:
> certutil -urlcache CRL
> These are my thoughts on this and I hope someone else can use them to
> better understand similar problems. I think this mechanism is a small
> security issue. But we hope that the new version will be released soon and will fix this problem.
--
Best regards,
Andrey Repin
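The client-side check the thread discusses, as an added example that is not part of the original messages or of Samba: it lists the Windows CRL URL cache, fetches every HTTP CRL Distribution Point from a smart-card user certificate to report how long each CRL will stay cached (NextUpdate minus now) and which CDP is unreachable, then flushes the cache and rebuilds the chain with fresh fetches. The certificate path is an assumed placeholder, the regexes assume the English-language `certutil -dump` layout (`URL=` and `NextUpdate:` lines), and the date parse assumes a locale that .NET can parse; all of these are assumptions, not facts from the thread.

```powershell
# Added example (not from the thread): inspect, flush and re-test the Windows
# CRL URL cache described above. Run in an elevated PowerShell on a
# domain-joined client. $CertPath is an ASSUMED path to an exported
# smart-card user certificate (.cer); adjust it for your environment.
$CertPath = 'C:\temp\smartcard-user.cer'

# 1. Show what is currently cached. Entries are reused until the CRL's
#    NextUpdate passes, regardless of whether the CA has published a newer one.
certutil -urlcache CRL

# 2. Pull the HTTP CRL Distribution Points out of the certificate dump
#    (assumes the English "URL=http://.../x.crl" layout of certutil -dump)
#    and report how long each fetched CRL would remain cached.
$dump = certutil -dump $CertPath
$cdpUrls = $dump | Select-String -Pattern 'URL=(http\S+\.crl)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique

foreach ($url in $cdpUrls) {
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        # Any single unreachable CDP is enough to make smart-card logon fail.
        Invoke-WebRequest -Uri $url -OutFile $tmp -TimeoutSec 15 -ErrorAction Stop
        # Assumes certutil -dump prints a "NextUpdate: <date>" line for a CRL.
        $next = (certutil -dump $tmp | Select-String 'NextUpdate:\s*(.+)$').Matches[0].Groups[1].Value
        $nextUpdate = [datetime]::Parse($next.Trim())
        $remaining  = $nextUpdate - (Get-Date)
        '{0}: NextUpdate {1:u}, cached for up to {2:N1} more days' -f $url, $nextUpdate, $remaining.TotalDays
    } catch {
        '{0}: UNREACHABLE or unparsable ({1}); smart-card logon on this client will fail' -f $url, $_.Exception.Message
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# 3. After the CA publishes a new CRL, make this client pick it up now instead
#    of waiting for NextUpdate: flush the cached CRLs, then rebuild the chain
#    with fresh CDP/OCSP fetches and inspect the revocation status it reports.
certutil -urlcache CRL delete
certutil -verify -urlfetch $CertPath
```

The "cached for up to N more days" figure is the window Andrey's advice is about: if the CA publishes a new CRL every week, a NextUpdate only a few days beyond that keeps the window short, whereas a CRL valid for months leaves revoked smart cards usable on every client that cached the old CRL. Flushing with `certutil -urlcache CRL delete` is a per-machine workaround, not a fix for the cache behaviour itself.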