Hi,
Our RHEL8/9 servers have been joined to Active Directory using SSSD
successfully for a few years, only using it as a means to log in.
We're now trying to do a minimal samba client (4.18.6) installation just to
try and see if we can get autoenrollment from our AD CS PKI to work.
Following https://wiki.samba.org/index.php/Certificate_Auto_Enrollment
as long as the RHEL platform allows me; when running:

    ./samba-gpupdate --rsop --username=mydomainuser

(this command is manually unpacked from
samba-gpupdate-4.18.1-0.fc38.x86_64.rpm since I couldn't find an exact
match to my other rhel-samba parts)
I get a long list of seemingly happy messages and then:
<snip>
CSE: gp_gnome_settings_ext
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
CSE: gp_cert_auto_enroll_ext
--------------------------------------------------------------------------------------------------------------
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Traceback (most recent call last):
  File "./samba-gpupdate", line 131, in <module>
    rsop(lp, creds, store, gp_extensions, username, opts.target)
  File "/usr/lib64/python3.6/site-packages/samba/gp/gpclass.py", line 750, in rsop
    for section, settings in ext.rsop(gpo).items():
  File "/usr/lib64/python3.6/site-packages/samba/gp/gp_cert_auto_enroll_ext.py", line 507, in rsop
    cas = fetch_certification_authorities(ldb)
  File "/usr/lib64/python3.6/site-packages/samba/gp/gp_cert_auto_enroll_ext.py", line 160, in fetch_certification_authorities
    'cACertificate': get_string(es['cACertificate'][0])
  File "/usr/lib64/python3.6/site-packages/samba/common.py", line 105, in get_string
    print(tmp)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte
</snip>
The above mentioned '0x82' happens to be the first byte in our
CA certificate in DER format, and the crash happens in
function get_string(bytesorstring) in file
"/usr/lib64/python3.6/site-packages/samba/common.py" when it tries to
convert the 'byte code representation' of the DER certificate into utf-8.
Now, going upwards in the named files in the traceback, one can see that
function fetch_certification_authorities(ldb) in file
gp_cert_auto_enroll_ext.py tries to do a:

    ldb.search(dn, SCOPE_SUBTREE, expr, attrs)

digging out 'cn', 'hostname' and 'cACertificate'.
If this would be translated to an ldapsearch command like this:

    ldapsearch -H ldap://ad.ourdomain.net -Y GSS-SPNEGO -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ourdomain,DC=net" SCOPE_SUBTREE "(objectClass=pKIEnrollmentService)" 'cACertificate' 'cn' 'dNSHostName'

it renders the output for cACertificate in nice looking PEM format.
(cn & hostname also look ok)
I am at a loss: what goes wrong here? And how can I fix it?
Thanks.
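Added example (not from the post above and not Samba's own code): a small Python illustration of the failure the post describes, where a DER-encoded cACertificate value is pushed through a UTF-8 decode, alongside a type-aware conversion that recognises the DER SEQUENCE header and renders the value as PEM instead of raising. The sample bytes are constructed (only the DER header is meaningful), and get_string() is assumed to be a plain UTF-8 decode, as the traceback suggests.

```python
import base64

# Constructed sample: the leading bytes of a DER-encoded X.509 certificate
# (SEQUENCE tag 0x30, long-form length 0x82 followed by two length bytes).
# Not a real certificate; only the header is meaningful.
SAMPLE_DER_PREFIX = bytes.fromhex("308203c2308202aaa003020102")


def decode_error_position(blob):
    """Byte offset at which a naive UTF-8 decode fails, or None if it
    succeeds. For a DER certificate this is offset 1: 0x82 is a UTF-8
    continuation byte, never a valid start byte."""
    try:
        blob.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def der_declared_length(blob):
    """Parse the outer SEQUENCE header and return the total length the
    header declares (header + content), or None if it is not a DER SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (base64, 64-column lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def attribute_to_text(value):
    """Type-aware replacement for a blind bytes->str conversion of LDAP
    values: DER certificates become PEM, real UTF-8 strings decode as
    usual, and any other binary value is reported as hex instead of raising."""
    if isinstance(value, str):
        return value
    if der_declared_length(value) is not None:
        return der_to_pem(value)
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return "hex:" + value.hex()
```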