Hey folks! I'm working on putting together a SAMBA 4 DC for smartcard login on our workstations. Followed guidelines on https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login and obviously everything works out fine! So, after that, I went the next step: one of our requisites is to use 'real' officially provided certificates on our usb tokens. With one of our official CAs, everything works fine, I can login normally and I get this on log.samba from samba's Kerberos daemon:

  ...
  Kerberos: AS-REQ username\@domain@DOMAIN from ipv4:192.168.1.69:53053 for krbtgt/DOMAIN@DOMAIN
  Kerberos: Client sent patypes: PK-INIT(win2k), OCSP, 132, 128
  Kerberos: Looking for PKINIT pa-data -- username\@domain@DOMAIN
  Kerberos: PK-INIT request of type PK-INIT-Win2k
  Kerberos: Trying to authorize PK-INIT subject DN CN=USER FULL NAME,OU=Enterprise2,OU=Enterprise 1,OU=AC,O=Entity,C=CO
  ...
  Kerberos: found MS UPN SAN: username@domain
  ...
  Kerberos: PKINIT pre-authentication succeeded -- username\@domain@DOMAIN using CN=USER FULL NAME,OU=Enterprise2,OU=Enterprise 1,OU=AC,O=Entity,C=CO
  ...

For this first type of certificate, the UPN field is username@domain. Unfortunately, certificates that were generated with the other CA can't login. Kerberos logs give me this:

  ...
  Kerberos: AS-REQ userid\@domain@DOMAIN from ipv4:192.168.1.69:51088 for krbtgt/DOMAIN@DOMAIN
  Kerberos: Client sent patypes: PK-INIT(win2k), OCSP, 132, 128
  Kerberos: PK-INIT request of type PK-INIT-Win2k
  Kerberos: Trying to authorize PK-INIT subject DN CN=FULL USER NAME:userid,OU=EnterpriseB,OU=Enterprise A,OU=AC-client,O=Entity,C=CO
  ...
  Kerberos: Decode of MS-UPN-SAN failed
  ...
  Kerberos: PKINIT no matching principals for CN=FULL USER NAME:userid,OU=EnterpriseB,OU=Enterprise A,OU=AC-client,O=Entity,C=CO

So, this one is a bit different:
- the UPN is coded to be userid@domain instead of username@domain.
- the certificate name is set to 'FULL USER NAME:userid' instead of just plain 'FULL USER NAME'.

Which isn't a problem, because I set the userPrincipalName accordingly, as well as set the DN to 'FULL USER NAME:userid' for those using the second type of token. Unfortunately, for some reason I'm getting 'no matching principals' for the other user. When I got this exact error before, it was caused by a mismatch of the certificate's name when compared with the user entry's DN. But they match ('FULL USER NAME:userid'). Only difference in logs is the 'Decode of MS-UPN-SAN failed'.

I'm trying to extract more info from SAMBA, but log level 10 will give me nothing else from kerberos. Is there a way to extract more debugging info from the kerberos internals to understand what is going on? Or any tips on places I should be looking for?
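One way to check the line the two logs first differ on ('Decode of MS-UPN-SAN failed'), as an added example that is not part of the original post: the parser below takes the DER bytes of a certificate's UPN otherName value and reports which ASN.1 string type the CA used, since Heimdal (Samba's KDC) defines MS-UPN-SAN as a UTF8String and any other encoding fails to decode before principal matching is even attempted. The UPN OID, the UTF8String expectation and the sample values are assumptions from the Microsoft and Heimdal specifications and from constructed data, not from the post.

```python
# Added diagnostic, not code from the original post: classify how a certificate
# encodes the Microsoft UPN otherName in its SAN.  Heimdal decodes that value
# as MS-UPN-SAN ::= UTF8String (assumption from Heimdal's pkinit ASN.1), so any
# other string type fails to decode before principal matching is attempted.

# OID of the Microsoft UPN otherName (id-ms-san-upn, assumed from MS docs).  The
# parser takes the otherName *value* bytes, e.g. cryptography's x509.OtherName.value.
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"

# Universal ASN.1 tags of string types seen in SAN otherNames -> (name, codec).
STRING_TAGS = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x16: ("IA5String", "ascii"),
    0x1E: ("BMPString", "utf-16-be"),
}

def der_string(tag, text, codec):
    """Build a short-form DER TLV (body < 128 bytes) for a constructed sample."""
    body = text.encode(codec)
    return bytes([tag, len(body)]) + body

def inspect_upn_othername(der):
    """Return (asn1_type, decoded_text, kdc_can_decode); short-form length only."""
    if len(der) < 2 or der[1] & 0x80 or der[1] != len(der) - 2:
        return ("unparseable", None, False)
    tag, body = der[0], der[2:]
    if tag not in STRING_TAGS:
        return ("tag 0x%02x" % tag, None, False)
    name, codec = STRING_TAGS[tag]
    try:
        text = body.decode(codec)
    except UnicodeDecodeError:
        return (name, None, False)
    return (name, text, tag == 0x0C)  # the KDC decodes UTF8String only

def upn_matches(cert_upn, user_principal_name):
    """Approximate the UPN-to-userPrincipalName match (AD compares UPNs
    case-insensitively); the authoritative rule is the KDC's own."""
    return cert_upn is not None and cert_upn.lower() == user_principal_name.lower()

# Constructed samples: a UPN encoded as UTF8String (what the KDC accepts) and
# the same kind of value as IA5String, which the UTF8String decoder rejects.
SAMPLE_OK = der_string(0x0C, "username@domain", "utf-8")
SAMPLE_BAD = der_string(0x16, "userid@domain", "ascii")

if __name__ == "__main__":
    for label, der in (("CA 1", SAMPLE_OK), ("CA 2", SAMPLE_BAD)):
        print(label, inspect_upn_othername(der))
```

With the real token, dump the certificate's SAN otherName (for example with openssl or the cryptography package) and feed its value bytes to inspect_upn_othername; a non-UTF8String result points at the CA's certificate profile rather than at the userPrincipalName or DN you set in Samba.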