Thanks but I've actually tried that too. Not sure I put it in [kdc] section though, I can try again.

On 21 Sep. 2017 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote:

> On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > Hi,
> > I have a smartcard which is revoked in the Certificate Revocation List
> > (CRL) but I can still log in. Seems like the CRL check is not performed. Any
> > known bug around this?
> >
> > Server setup:
> > - Samba 4.4 on Debian as AD DC
> > - Created domain MYDOM
> > - smb.conf (extract):
> >   tls enabled = yes
> >   tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
> >
> > CRL:
> > - In file system:
> >   ..../private/tls/mycrl.pem
> > mycrl.pem
> > - Contains serial number 0x12ab
>
> The Heimdal code doing the SmartCard stuff doesn't know about the
> smb.conf, you need to configure this in krb5.conf.
>
> Something like:
>
> [kdc]
> pkinit_revoke = FILE:..../private/tls/mycrl.pem
>
> (Sadly this isn't used in our test scripts, so please test carefully
> and research the exact syntax further).
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
Rowland Penny
2017-Sep-21 20:52 UTC
[Samba] Revocation with CRL doesn't work for smartcards
On Thu, 21 Sep 2017 22:08:51 +0200
Peter L via samba <samba at lists.samba.org> wrote:

> Thanks but I've actually tried that too. Not sure I put it in [kdc]
> section though, I can try again.
>
> On 21 Sep. 2017 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote:
>
> > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > > Hi,
> > > I have a smartcard which is revoked in the Certificate Revocation
> > > List (CRL) but I can still log in. Seems like the CRL check is not
> > > performed. Any known bug around this?
> > >
> > > Server setup:
> > > - Samba 4.4 on Debian as AD DC
> > > - Created domain MYDOM
> > > - smb.conf (extract):
> > >   tls enabled = yes
> > >   tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
> > >
> > > CRL:
> > > - In file system:
> > >   ..../private/tls/mycrl.pem
> > > mycrl.pem
> > > - Contains serial number 0x12ab
> >
> > The Heimdal code doing the SmartCard stuff doesn't know about the
> > smb.conf, you need to configure this in krb5.conf.
> >
> > Something like:
> >
> > [kdc]
> > pkinit_revoke = FILE:..../private/tls/mycrl.pem
> >
> > (Sadly this isn't used in our test scripts, so please test carefully
> > and research the exact syntax further).
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                       http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> >
> >

This jogged something in my memory, so I went and did some digging and
found this:

https://bugzilla.samba.org/show_bug.cgi?id=9612

Rowland
Ah, thank you, obviously this is a bug. The last comment (Łukasz Matyja, 2016-04-01) says they have a fix, but how do I know if it has been added to bitbucket/samba? And if so, in which version? Or does the problem remain, since the bugzilla case is still there? (Status: New)

On Thu, Sep 21, 2017 at 10:52 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 21 Sep 2017 22:08:51 +0200
> Peter L via samba <samba at lists.samba.org> wrote:
>
> > Thanks but I've actually tried that too. Not sure I put it in [kdc]
> > section though, I can try again.
> >
> > On 21 Sep. 2017 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote:
> >
> > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > > > Hi,
> > > > I have a smartcard which is revoked in the Certificate Revocation
> > > > List (CRL) but I can still log in. Seems like the CRL check is not
> > > > performed. Any known bug around this?
> > > >
> > > > Server setup:
> > > > - Samba 4.4 on Debian as AD DC
> > > > - Created domain MYDOM
> > > > - smb.conf (extract):
> > > >   tls enabled = yes
> > > >   tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
> > > >
> > > > CRL:
> > > > - In file system:
> > > >   ..../private/tls/mycrl.pem
> > > > mycrl.pem
> > > > - Contains serial number 0x12ab
> > >
> > > The Heimdal code doing the SmartCard stuff doesn't know about the
> > > smb.conf, you need to configure this in krb5.conf.
> > >
> > > Something like:
> > >
> > > [kdc]
> > > pkinit_revoke = FILE:..../private/tls/mycrl.pem
> > >
> > > (Sadly this isn't used in our test scripts, so please test carefully
> > > and research the exact syntax further).
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> > > --
> > > Andrew Bartlett                       http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team  http://samba.org
> > > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> > >
> > >
>
> This jogged something in my memory, so I went and did some digging and
> found this:
>
> https://bugzilla.samba.org/show_bug.cgi?id=9612
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
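Andrew's advice above is to point Heimdal's pkinit_revoke at the CRL file and to "test carefully". Before blaming the KDC, it is worth confirming that the CRL file itself is sound: that it is signed by the issuing CA, that it really lists the card certificate's serial, and that a plain X.509 path check with that CRL rejects the card's certificate. The shell script below is an added example written for this page; it is not from the thread, from Samba or from Heimdal. It builds a throwaway CA ("Demo Smartcard CA", an assumed name), issues two end-entity certificates starting at serial 0x12ab to mirror the thread, revokes the first, writes mycrl.pem, and then exposes three checks as functions using only the openssl command-line tool. All file names are assumptions; on a real DC you would run the same is_revoked check with the CA certificate, the real private/tls/mycrl.pem and the certificate exported from the card.

```shell
#!/bin/sh
# Added example (not Samba/Heimdal code): build a toy CA, revoke one cert,
# and verify that the resulting CRL actually rejects it with openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl.cnf for both "openssl req" and "openssl ca" (assumed layout).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = usr_ext

[ demo_policy ]
commonName = supplied

[ usr_ext ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
EOF

mkdir newcerts
: > index.txt
echo 12ab > serial      # first issued serial is 0x12ab, as in the thread
echo 01   > crlnumber

# Self-signed CA key and certificate.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.pem -subj '/CN=Demo Smartcard CA' 2>/dev/null

# issue NAME: create a key + CSR and have the CA sign it as NAME.pem
issue() {
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.pem" 2>/dev/null
}
issue revoked-user      # gets serial 12AB
issue valid-user        # gets serial 12AC

# Revoke the first certificate and publish the CRL.
openssl ca -config ca.cnf -revoke revoked-user.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out mycrl.pem 2>/dev/null

# crl_is_valid: the CRL carries a good signature from ca.pem
crl_is_valid() {
    openssl crl -in mycrl.pem -CAfile ca.pem -noout 2>&1 | grep -q 'verify OK'
}

# crl_lists_serial HEX: the CRL's revoked-entries list contains HEX
crl_lists_serial() {
    openssl crl -in mycrl.pem -noout -text | grep -q "Serial Number: $1"
}

# is_revoked CERT: a path check that consults the CRL rejects CERT
is_revoked() {
    ! openssl verify -CAfile ca.pem -CRLfile mycrl.pem -crl_check "$1" >/dev/null 2>&1
}

echo "CRL signed by CA:          $(crl_is_valid && echo yes || echo no)"
echo "CRL lists serial 12AB:     $(crl_lists_serial 12AB && echo yes || echo no)"
echo "revoked-user.pem rejected: $(is_revoked revoked-user.pem && echo yes || echo no)"
echo "valid-user.pem rejected:   $(is_revoked valid-user.pem && echo yes || echo no)"
```

If openssl rejects the card certificate with this CRL but the DC still accepts the smartcard logon, the CRL file is not the problem and the remaining suspect is whether the KDC is loading and honouring it at all, which is the question the bug report Rowland found is about.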