I want to make ADCS support better and I need some advice

David Mulder dmulder at samba.org
Mon Nov 13 13:56:17 UTC 2023


On 11/10/23 7:09 PM, Joe Dillon via samba-technical wrote:
> I want to improve samba's support for auto-enrolling and auto-renewing certificates.  I've identified a few key issues I want to resolve:
>
> 1. Certificate Services Web Enrollment is required for discovering the PKI environment.  Web enrollment, while *probably* installed on a CA, isn't a component of auto enrollment, per MS-CAESO.  Additionally, CAWE *most likely* presents a certificate anchored by the PKI environment, which presents a chicken-egg type problem for using it to discover CA certificates.  Samba breaks this dependency cycle by retrieving the CA over HTTP, but that presents an opportunity for an attacker to potentially inject a rogue CA.
> 2. Samba's discovery of enrollment services/other PKI configuration assumes the current domain is the forest root domain.  I'm trying to work on this as a good first issue.
> 3. The GP client is currently limited to interacting with CA servers that expose WCCE and WSTEP endpoints.  These are optional roles, and as a result aren't guaranteed to exist.  Samba has MSRPC support, which is very unique on *nix platforms.  Samba could support MS-ICPR for CA servers that don't provide the web protocols.
>
> I really want to help improve the above.  My challenge is my python skills.  I've written most of an MS-CAESO client in rust.  Should I complete this rust client, would it be of any use?  Should it be wrapped up in a nice python API?  Can I submit the necessary code to add MS-ICPR support to samba - purely so I could consume it myself?  Should I scrap the whole thing, learn python, and rewrite it?

I'd additionally like to be able to contribute rust code to Samba, and 
I'm certainly glad to see someone wanting to work on certificate auto 
enrollment. I know there is some opposition to providing rust code in 
Samba, I think because of platform support.

Would you be able to contribute C code instead, perhaps? I could help 
you tie that into the existing Python code. Take a look at the bindings 
in `libgpo/pygpo.c`, for example.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
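The two discovery problems in the quoted post, the forest-root assumption and the CA certificate fetched over plain HTTP, are concrete enough to sketch. The block below is an added illustration written for this page; it is not Samba's code and not the poster's Rust client. The rootDSE values, LDAP entries and certificate bytes are constructed stand-ins, and the check it shows (accepting the HTTP-fetched certificate only when it matches a cACertificate value read from the pKIEnrollmentService object over an authenticated LDAP connection) is one way to close the gap the post describes, not something the thread settles on.

```python
"""Added example (not Samba code): locate AD CS enrollment services from the
forest root and pin an HTTP-fetched CA certificate to the copy the directory
publishes.  All LDAP data below is constructed; no network access is made."""
import hashlib

# The pKIEnrollmentService objects live in the forest-wide Configuration
# partition under this container, never in a child domain's partition.
ENROLLMENT_RDN = "CN=Enrollment Services,CN=Public Key Services,CN=Services"


def enrollment_services_base(root_dse):
    """Search base derived from configurationNamingContext.

    configurationNamingContext is identical on every DC in the forest, so this
    is correct whether the client sits in the root domain or a child domain."""
    return f"{ENROLLMENT_RDN},{root_dse['configurationNamingContext']}"


def naive_enrollment_services_base(root_dse):
    """The forest-root assumption from the post: glue CN=Configuration onto the
    *current* domain's defaultNamingContext.  Only right in the root domain."""
    return f"{ENROLLMENT_RDN},CN=Configuration,{root_dse['defaultNamingContext']}"


def fingerprint(der):
    """SHA-256 over the DER encoding; the usual way to compare two certificates."""
    return hashlib.sha256(der).hexdigest()


def published_ca_fingerprints(entries):
    """Map CA host -> fingerprints of every DER blob in its cACertificate attribute.

    `entries` mimics decoded LDAP search results: attribute -> list of bytes."""
    published = {}
    for entry in entries:
        host = entry["dNSHostName"][0].decode()
        published[host] = {fingerprint(der) for der in entry.get("cACertificate", [])}
    return published


def accept_fetched_ca(host, fetched_der, published):
    """Accept a certificate fetched over HTTP only if the directory published that
    exact certificate for that host.  The LDAP read happens over a Kerberos-
    authenticated, signed connection, which is the trust anchor the plain HTTP
    fetch lacks; anything else is treated as a possible rogue CA."""
    return fingerprint(fetched_der) in published.get(host, set())


# --- constructed sample data -------------------------------------------------
# rootDSE as seen from a DC of the child domain child.example.com (hypothetical).
ROOT_DSE_CHILD = {
    "defaultNamingContext": "DC=child,DC=example,DC=com",
    "rootDomainNamingContext": "DC=example,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=example,DC=com",
}

# Placeholder DER bytes standing in for real certificates (not valid X.509).
GOOD_CA_DER = b"\x30\x82\x01\x00" + b"good-ca-placeholder" * 4
ROGUE_CA_DER = b"\x30\x82\x01\x00" + b"rogue-ca-placeholder" * 4

# One pKIEnrollmentService entry, as a decoded LDAP result would look.
ENROLLMENT_ENTRIES = [
    {
        "cn": [b"Example-CA"],
        "dNSHostName": [b"ca.example.com"],
        "cACertificate": [GOOD_CA_DER],
    }
]


def main():
    print("forest-root base :", enrollment_services_base(ROOT_DSE_CHILD))
    print("naive base       :", naive_enrollment_services_base(ROOT_DSE_CHILD))
    published = published_ca_fingerprints(ENROLLMENT_ENTRIES)
    for label, der in (("published cert", GOOD_CA_DER), ("rogue cert", ROGUE_CA_DER)):
        ok = accept_fetched_ca("ca.example.com", der, published)
        print(f"{label:15s}: {'accepted' if ok else 'REJECTED'}")


if __name__ == "__main__":
    main()
```

In a real client the rootDSE dictionary comes from an anonymous or authenticated base-scope read of the empty DN, and the entries from a search under the returned base for `(objectClass=pKIEnrollmentService)`; the comparison itself stays a byte-for-byte match on the DER, so a CA that re-keys simply publishes a second cACertificate value and both are accepted.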