[Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)
Sami Hulkko
sahulkko at gmail.com
Tue Apr 22 15:44:54 UTC 2025
Hi,
SmallStep CA does not support CRL (revocation list) publishing at the URL
stated in issued certificates. This is a requirement from Microsoft for the
certificate chain to pass, and it is unachievable with SmallStep. Get some
vendor with CRL release or do your own with a tool like XCA (Ubuntu store
and MS store app). DB (Maria or sqlite etc.) remote possible. Accept in
policy etc. the new self-signed root cert like with SmallStep. Open source.
SH
On 22/04/2025 16.38, Michał Węgrzynek via samba wrote:
> Hello,
>
> I'm trying to set up smart card login for a Samba 4 domain. I prepared
> root and intermediate CAs using Step CA
> (https://smallstep.com/docs/step-ca/index.html). I was able to
> generate and set certificates for all DCs, but when I'm attempting a
> smartcard login through Windows I get
>
> [2025/04/22 15:15:04.998951, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: Probing for AS-REQ
> [2025/04/22 15:15:04.999512, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: heim_audit_vaddkv(): kv pair[0]
> armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM
> [2025/04/22 15:15:04.999596, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: Client selected FAST
> [2025/04/22 15:15:05.001663, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> from ipv4:172.20.7.48:53196 for
> krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> [2025/04/22 15:15:05.011057, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=11
> [2025/04/22 15:15:05.011406, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: PK-INIT(ietf), OCSP, 128, 167
> [2025/04/22 15:15:05.011429, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: heim_audit_vaddkv(): kv pair[0]
> client-pa=PK-INIT(ietf),OCSP,128,167
> [2025/04/22 15:15:05.011446, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: Looking for PK-INIT(ietf) pa-data --
> mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> [2025/04/22 15:15:05.011463, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: heim_audit_vaddkv(): kv pair[0] pa=PK-INIT(ietf)
> [2025/04/22 15:15:05.011663, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: PKINIT: failed to verify signature: Failed to verify
> signature of certificate: 569861
> [2025/04/22 15:15:05.011684, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: PKINIT: Signature algorithm not supported
> [2025/04/22 15:15:05.011701, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: Failed to decode PKINIT PA-DATA --
> mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> [2025/04/22 15:15:05.011841, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: as-req: sending error: -1765328353 to client
> [2025/04/22 15:15:05.011858, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: Adding dummy FAST cookie for KRB-ERROR
> [2025/04/22 15:15:05.011874, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: Making FAST inner KRB-ERROR
> [2025/04/22 15:15:05.012164, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.013223
> [2025/04/22 15:15:05.012185, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ KRB5KRB_AP_ERR_BAD_INTEGRITY ipv4:172.20.7.48:53196
> mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM pa=PK-INIT(ietf)
> client-pa=PK-INIT(ietf),OCSP,128
> ,167 elapsed=0.013223
> armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM
>
> in the Samba DC's logs.
>
> The user certificate, issued from an intermediate CA, looks like this:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> c2:5b:22:4c:a1:5e:2e:c0:b0:df:53:7d:66:35:39:0e
> Signature Algorithm: rsassaPss
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0x01 (default)
> Issuer: CN=REDACTED Intermediate CA
> Validity
> Not Before: Apr 22 11:38:20 2025 GMT
> Not After : Apr 22 17:39:20 2026 GMT
> Subject: CN=Michał Węgrzynek
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 Extended Key Usage:
> TLS Web Client Authentication, Microsoft Smartcard Login
> X509v3 Subject Key Identifier:
> A1:22:3F:42:9F:2A:6C:DA:7A:D2:B6:EC:A9:93:96:4B:01:8B:E0:3F
> X509v3 Authority Key Identifier:
> 4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://ca.redacted.com/1.0/crl
>
> X509v3 Subject Alternative Name:
> email:mwegrzynek at litexservice.pl, othername:
> UPN:mwegrzynek at ad.redacted.com
> Signature Algorithm: rsassaPss
> Signature Value:
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0x01 (default)
>
> Below are root and intermediate certs:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> ef:dd:02:19:d8:88:f3:fd:3b:86:d0:af:af:d5:53:5b
> Signature Algorithm: rsassaPss
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0x01 (default)
> Issuer: CN = REDACTED Root CA
> Validity
> Not Before: Apr 15 09:11:39 2025 GMT
> Not After : Apr 15 21:11:39 2035 GMT
> Subject: CN = REDACTED Root CA
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (3072 bit)
> Modulus:
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
> X509v3 Basic Constraints: critical
> CA:TRUE, pathlen:1
> X509v3 Subject Key Identifier:
> 74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
> Signature Algorithm: rsassaPss
> Signature Value:
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0x01 (default)
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 88:77:13:53:37:88:34:95:7f:bc:29:74:e6:a1:8f:06
> Signature Algorithm: rsassaPss
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0x01 (default)
> Issuer: CN = REDACTED Root CA
> Validity
> Not Before: Apr 22 07:46:23 2025 GMT
> Not After : Apr 22 19:46:16 2035 GMT
> Subject: CN = REDACTED Intermediate CA
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (3072 bit)
> Modulus:
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
> X509v3 Basic Constraints: critical
> CA:TRUE, pathlen:0
> X509v3 Subject Key Identifier:
> 4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
> X509v3 Authority Key Identifier:
> 74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
> Signature Algorithm: rsassaPss
> Signature Value:
> Hash Algorithm: sha256
> Mask Algorithm: mgf1 with sha256
> Salt Length: 0x20
> Trailer Field: 0x01 (default)
>
> The messages
>
> [2025/04/22 15:15:05.011663, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: PKINIT: failed to verify signature: Failed to verify
> signature of certificate: 569861
> [2025/04/22 15:15:05.011684, 3]
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: PKINIT: Signature algorithm not supported
>
> indicate there is probably something wrong with my certs, but I
> wasn't able to deduce what exactly.
>
> Can someone help me out?
>
> Thanks in advance,
>
> Michał Węgrzynek
>
>
>
--
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com
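
The two properties raised in this thread, the certificate signature algorithm shown in the dumps next to the KDC's "Signature algorithm not supported" message and the CRL distribution point, can be read per certificate from an `openssl x509 -text` dump. This is an added example, not code from either poster or from Samba; `ASSUMED_SUPPORTED` is an assumed allow-list to adjust for your own KDC build, and the sample is trimmed from the dumps quoted above.

```python
import re

# Assumption: signature algorithms the KDC's X.509 library accepts.
# This set is illustrative; adjust it to what your KDC build supports.
ASSUMED_SUPPORTED = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
                     "sha512WithRSAEncryption", "ecdsa-with-SHA256"}

# Sample input trimmed from the quoted `openssl x509 -text` dumps (hex omitted).
SAMPLE = """\
Certificate:
    Signature Algorithm: rsassaPss
    Issuer: CN=REDACTED Intermediate CA
    Subject: CN=Michał Węgrzynek
    X509v3 CRL Distribution Points:
        URI:http://ca.redacted.com/1.0/crl
Certificate:
    Signature Algorithm: rsassaPss
    Issuer: CN = REDACTED Root CA
    Subject: CN = REDACTED Intermediate CA
Certificate:
    Signature Algorithm: rsassaPss
    Issuer: CN = REDACTED Root CA
    Subject: CN = REDACTED Root CA
"""

def _field(block, name):
    """First `name: value` line in a block, with "CN = x" normalised to "CN=x"."""
    m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", block, re.M)
    return re.sub(r"\s*=\s*", "=", m.group(1)) if m else None

def audit_chain(text, supported=ASSUMED_SUPPORTED):
    """Return one finding dict per certificate in an `openssl x509 -text` dump."""
    findings = []
    for block in re.split(r"^\s*Certificate:\s*$", text, flags=re.M)[1:]:
        alg = _field(block, "Signature Algorithm")
        subject, issuer = _field(block, "Subject"), _field(block, "Issuer")
        # The CRL section runs until the next extension header or end of block.
        crl = re.search(r"CRL Distribution Points:(.*?)(?=X509v3 |\Z)", block, re.S)
        findings.append({
            "subject": subject,
            "self_signed": subject == issuer,
            "sig_alg": alg,
            "sig_alg_supported": alg in supported,
            "crl_uris": re.findall(r"URI:(\S+)", crl.group(1)) if crl else [],
        })
    return findings

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE):
        print(finding)
```

Feed it the concatenated text dumps of the user, intermediate and root certificates; each finding shows whether that certificate's signature algorithm is in the assumed set and which CRL URIs it advertises.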