Also, when I run certutil or try to authenticate a trusted smartcard user,
the Samba log shows the following:
[2020/12/08 20:50:43.222192, 5]
../../source4/ldap_server/ldap_backend.c:782(ldapsrv_SearchRequest)
ldb_request BASE dn=CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public Key
Services,CN=Services,CN=Configuration,DC=apex,DC=corp
filter=(objectClass=cRLDistributionPoint)
[2020/12/08 20:50:43.225723, 3]
../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection -
'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
On Tue, 8 Dec 2020 at 22:47, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> Hi,
> I have Samba DC having bidirectional trust with ADDC.
> I can authenticate an AD domain user to a Samba domain Windows member with
> his password.
> I've set up smartcard logon for Samba domain users, and I've
> provided everything necessary, in my opinion, to enable smartcard logon for an AD
> domain user.
> When authentication for a trusted AD domain user happens I have the
> following error message: "The revocation status of the domain controller
> certificate used for the smart card authentication could not be determined".
>
> AD user certificate has an LDAP-based CDP URL. When I run "certutil -verify
> -urlfetch" for the ADDC certificate on the ADDC side I have:
>
> ---------------- Certificate CDP ----------------
> Verified "Base CRL (0d)" Time: 0
> [0.0]
>
> ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> Verified "Delta CRL (0d)" Time: 0
> [0.0.0]
>
> ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?deltaRevocationList?base?objectClass=cRLDistributionPoint
>
> ---------------- Base CRL CDP ----------------
> OK "Delta CRL (0d)" Time: 0
> [0.0]
>
> ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?deltaRevocationList?base?objectClass=cRLDistributionPoint
> If I run the same check for the same certificate on Samba domain Windows
> member I have errors:
>
> ---------------- Certificate CDP ----------------
>
> Failed "CDP" Time: 0 (null)
>
> Error retrieving URL: The system cannot find the file specified.
> 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
>
>
>
> ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=apex,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> . . .
>
> ERROR: Verifying leaf certificate revocation status returned The
> revocation function was unable to check revocation because the revocation
> server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
>
> CertUtil: The revocation function was unable to check revocation because
> the revocation server was offline.
>
> From this Samba domain Windows member I can connect to trusted domain LDAP
> and fetch appropriate cRLDistributionPoint data using domain name.
>
> So,
> - trusted authentication works with password
> - correct DNS is in place
> - trusted LDAP and CDP object are available
>
> Could someone explain to me whether this kind of CDP request is supported? How to
> resolve that CDP check?
>
> Thanks,
>
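As an added illustration (not code from this thread or from Samba), here is a small Python parser for the ldap:/// CDP URLs quoted above: it splits the RFC 4516 URL into DN, attribute, scope and filter, derives from the DC= components the domain a hostless URL must be resolved in, and builds the equivalent ldapsearch query matching the base-scoped cRLDistributionPoint search the Samba log shows the DC receiving. The ldapsearch invocation and the ";binary" attribute option are assumptions about the client used to reproduce the fetch by hand.

```python
from urllib.parse import unquote

# CDP URL copied from the certutil output in the thread (constructed input).
CDP_URL = ("ldap:///CN=apex-WS-ADDC-CA,CN=ws-addc,CN=CDP,CN=Public%20Key%20Services,"
           "CN=Services,CN=Configuration,DC=apex,DC=corp"
           "?certificateRevocationList?base?objectClass=cRLDistributionPoint")


def parse_ldap_cdp(url):
    """Split an RFC 4516 LDAP URL into host, dn, attrs, scope, filter, domain.

    Windows-issued CDP URLs normally carry an empty host ("ldap:///"), so the
    client has to locate a DC for the domain named by the DN's DC= RDNs; that
    lookup is where a member of a different (Samba) domain can go wrong.
    Assumes RDN values contain no escaped commas, as in the thread's URL.
    """
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, rest = url[len("ldap://"):].partition("/")
    parts = rest.split("?")
    dn = unquote(parts[0])
    attrs = [a for a in unquote(parts[1]).split(",") if a] if len(parts) > 1 else []
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    if not filt.startswith("("):           # Windows writes the filter unparenthesised
        filt = f"({filt})"
    dc_parts = [rdn[3:] for rdn in dn.split(",") if rdn.upper().startswith("DC=")]
    return {"host": host or None, "dn": dn, "attrs": attrs, "scope": scope,
            "filter": filt, "domain": ".".join(dc_parts)}


def ldapsearch_command(url):
    """Equivalent OpenLDAP client command; hostless URL falls back to the domain."""
    p = parse_ldap_cdp(url)
    target = p["host"] or p["domain"]
    return (["ldapsearch", "-H", f"ldap://{target}", "-b", p["dn"], "-s", p["scope"],
             p["filter"]] + [f"{a};binary" for a in p["attrs"]])


if __name__ == "__main__":
    print(parse_ldap_cdp(CDP_URL))
    print(" ".join(ldapsearch_command(CDP_URL)))
```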