samba - Sep 2017 - Revocation with CRL doesn't work for smartcards

Hi,
I have a smartcard which is revoked in the Certificate Revocation List
(CRL) but I can still login. Seams like the CRL check is not performed. Any
known bug around this?

Server setup:
- Samba 4.4 on Debian as AD DC
- Created domain MYDOM
- smb.conf (extract):
    tls enabled = yes
    tls crlfile = tls/mycrl.pem (default is to look under private/ folder)

Client setup:
- Windows 7 machine as client
- Joined to the MYDOM domain
- Login ok with both username/password and smartcards

Smart card:
- Principal name test123 at mydom.com (extended attribute)
- Certificate with serial number 0x12ab

CRL:
- In file system: ..../private/tls/mycrl.pem
- Contains serial number 0x12ab

On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba
wrote:
> Hi,
> I have a smartcard which is revoked in the Certificate Revocation List
> (CRL) but I can still login. Seams like the CRL check is not performed. Any
> known bug around this?
> 
> Server setup:
> - Samba 4.4 on Debian as AD DC
> - Created domain MYDOM
> - smb.conf (extract):
>     tls enabled = yes
>     tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
> CRL:
> - In file system:
> ..../private/tls/mycrl.pem
> > mycrl.pem
> - Contains serial number 0x12ab
The Heimdal code doing the SmartCard stuff doens't know about the
smb.conf, you need to configure this in krb5.conf.

Something like:

[kdc]
 pkinit_revoke = FILE:..../private/tls/mycrl.pem

(Sadly this isn't used in our test scripts, so please test carefully
and research the exact syntax further).

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Thanks but I've actually tried that too. Not sure I put it in [kdc] section
though, I can try again.

Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at
samba.org>:
> On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > Hi,
> > I have a smartcard which is revoked in the Certificate Revocation List
> > (CRL) but I can still login. Seams like the CRL check is not
performed.
> Any
> > known bug around this?
> >
> > Server setup:
> > - Samba 4.4 on Debian as AD DC
> > - Created domain MYDOM
> > - smb.conf (extract):
> >     tls enabled = yes
> >     tls crlfile = tls/mycrl.pem (default is to look under private/
> folder)
>
> > CRL:
> > - In file system:
> > ..../private/tls/mycrl.pem
> > > mycrl.pem
> > - Contains serial number 0x12ab
>
> The Heimdal code doing the SmartCard stuff doens't know about the
> smb.conf, you need to configure this in krb5.conf.
>
> Something like:
>
> [kdc]
>  pkinit_revoke = FILE:..../private/tls/mycrl.pem
>
> (Sadly this isn't used in our test scripts, so please test carefully
> and research the exact syntax further).
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>