Hi,

I have a smartcard which is revoked in the Certificate Revocation List (CRL) but I can still login. Seems like the CRL check is not performed. Any known bug around this?

Server setup:
- Samba 4.4 on Debian as AD DC
- Created domain MYDOM
- smb.conf (extract):
    tls enabled = yes
    tls crlfile = tls/mycrl.pem (default is to look under private/ folder)

Client setup:
- Windows 7 machine as client
- Joined to the MYDOM domain
- Login ok with both username/password and smartcards

Smart card:
- Principal name test123 at mydom.com (extended attribute)
- Certificate with serial number 0x12ab

CRL:
- In file system: ..../private/tls/mycrl.pem
- Contains serial number 0x12ab
Andrew Bartlett
2017-Sep-21 18:54 UTC
[Samba] Revocation with CRL doesn't work for smartcards
On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> Hi,
> I have a smartcard which is revoked in the Certificate Revocation List
> (CRL) but I can still login. Seems like the CRL check is not performed. Any
> known bug around this?
>
> Server setup:
> - Samba 4.4 on Debian as AD DC
> - Created domain MYDOM
> - smb.conf (extract):
>     tls enabled = yes
>     tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
>
> CRL:
> - In file system:
>     ..../private/tls/mycrl.pem
>
> mycrl.pem
> - Contains serial number 0x12ab

The Heimdal code doing the SmartCard stuff doesn't know about the
smb.conf, you need to configure this in krb5.conf.

Something like:

[kdc]
pkinit_revoke = FILE:..../private/tls/mycrl.pem

(Sadly this isn't used in our test scripts, so please test carefully
and research the exact syntax further).

Sorry,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Thanks but I've actually tried that too. Not sure I put it in [kdc] section though, I can try again.

Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>:
> On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > Hi,
> > I have a smartcard which is revoked in the Certificate Revocation List
> > (CRL) but I can still login. Seems like the CRL check is not performed.
> > Any known bug around this?
> >
> > Server setup:
> > - Samba 4.4 on Debian as AD DC
> > - Created domain MYDOM
> > - smb.conf (extract):
> >     tls enabled = yes
> >     tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
> >
> > CRL:
> > - In file system:
> >     ..../private/tls/mycrl.pem
> >
> > mycrl.pem
> > - Contains serial number 0x12ab
>
> The Heimdal code doing the SmartCard stuff doesn't know about the
> smb.conf, you need to configure this in krb5.conf.
>
> Something like:
>
> [kdc]
> pkinit_revoke = FILE:..../private/tls/mycrl.pem
>
> (Sadly this isn't used in our test scripts, so please test carefully
> and research the exact syntax further).
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
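Before concluding that the KDC is skipping the revocation check, it is worth confirming that the CRL file itself would reject the card's certificate. The script below is an added example, not code from the thread or from Samba/Heimdal: it builds a throwaway CA, issues a certificate with serial 0x12ab, revokes it into a PEM CRL, and then applies the checks a PKINIT revocation step has to perform (CRL issuer matches the CA, CRL signature verifies, CRL is not past its nextUpdate, serial is listed). Everything here is constructed for the demo; it assumes only the Python `cryptography` library. The `is_revoked` function can be pointed at a real `mycrl.pem` and CA certificate to check that the file is well-formed and actually lists the serial, independently of what the KDC does with it.

```python
"""
Added example (not from the thread): generate CA, end-entity cert and CRL
in memory, then evaluate the CRL the way a revocation check must.
All names, keys and serials are constructed for the demo.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _now():
    # naive UTC, which is what the cryptography builders/CRL fields use
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_ca(cn="Demo CA"):
    """Self-signed CA (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(1)
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_cert(ca_key, ca_cert, cn, serial):
    """End-entity certificate signed by the CA with the given serial number."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _now()
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .sign(ca_key, hashes.SHA256())
    )


def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA that lists the given serials as revoked."""
    now = _now()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now - datetime.timedelta(hours=1))
        .next_update(now + datetime.timedelta(days=7))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now - datetime.timedelta(hours=1))
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_pem(crl):
    """PEM bytes, the same encoding a file such as mycrl.pem would hold."""
    return crl.public_bytes(serialization.Encoding.PEM)


def is_revoked(crl_pem_bytes, ca_cert, cert):
    """
    True if `cert` must be rejected according to the PEM CRL.
    A CRL that cannot be trusted (wrong issuer, bad signature, expired)
    also yields True: an unverifiable CRL is never "nothing revoked".
    """
    crl = x509.load_pem_x509_crl(crl_pem_bytes)
    if crl.issuer != ca_cert.subject:
        return True
    if not crl.is_signature_valid(ca_cert.public_key()):
        return True
    if crl.next_update is not None and crl.next_update < _now():
        return True
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    """Revoked serial 0x12ab is rejected, an unlisted serial is accepted,
    and a CRL signed by an impostor CA with the same name is rejected."""
    ca_key, ca_cert = make_ca()
    card = issue_cert(ca_key, ca_cert, "test123", 0x12AB)
    other = issue_cert(ca_key, ca_cert, "someone-else", 0x12AC)
    pem = crl_pem(make_crl(ca_key, ca_cert, [0x12AB]))
    rogue_key, rogue_ca = make_ca()  # same CN, different key
    rogue_pem = crl_pem(make_crl(rogue_key, rogue_ca, []))
    return (is_revoked(pem, ca_cert, card),
            is_revoked(pem, ca_cert, other),
            is_revoked(rogue_pem, ca_cert, other))


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Run it once as-is to see the three outcomes; to check a real deployment, replace the constructed objects with `x509.load_pem_x509_certificate()` of the CA and card certificates and the bytes of `mycrl.pem`. If `is_revoked` returns True for the card here but the login still succeeds, the file is fine and the problem is on the KDC side (which file it reads and whether it reads one at all).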