Николай Домуховский
2010-Oct-05 21:11 UTC
[Samba] Broken support for Smart Card Logon in Windows 2003 and XP
Hello. As I can see from this post: https://jira.it.su.se/jira/browse/HEIMDAL-241, at least Samba 4.0.0alpha5 supported Smart Card logon for Windows XP workstations. The current version (Version 4.0.0alpha14-GIT-77d959f+) does not support smart card logon on a Windows XP workstation (but Windows 7 works well).

I tried to compare Kerberos traffic examples from a genuine domain controller and Samba's response and found at least one difference which could be the cause of the issue: Samba (in fact, Heimdal) generates a PA-PK-AS-REP which violates RFC 3852 (Cryptographic Message Syntax). RFC 3852 says:

    If the RecipientIdentifier is the CHOICE issuerAndSerialNumber, then the version MUST be 0.
    If the RecipientIdentifier is subjectKeyIdentifier, then the version MUST be 2.

But Heimdal uses subjectKeyIdentifier in the response and version number 0. MS uses issuerAndSerialNumber. I tried to force Heimdal to use issuerAndSerialNumber in the response (simply by commenting out the if statement in the hx509_cms_create_signed function and making sigctx.cmsidflag always equal to CMS_ID_NAME), but this didn't work: even after that, the response from Samba contains subjectKeyIdentifier and version number 0. So I think that maybe this is a Heimdal bug and there is some workaround - if you know it, please tell me.

In addition, here are the parsing results of Krb5 AS-REP packet fragments (I used Netmon 3.4 - it is somewhat better than Wireshark at parsing Kerberos packets).
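The RFC 3852 rule quoted in the post, turned into a check one can run on a capture. This is an added example, not code from the post, from Samba or from Heimdal: a dependency-free DER walker that takes the EnvelopedData inside the EncKeyPack of a PA-PK-AS-REP, reports each KeyTransRecipientInfo's RecipientIdentifier choice and version, and flags the combination the post reports (subjectKeyIdentifier with version 0). It also applies the outer EnvelopedData.version rule of RFC 3852 section 6.1, which the post does not mention: once a recipient is version 2, the enclosing EnvelopedData must be version 2 as well, so a fix has to bump both fields. The three sample structures at the bottom are constructed here; the CA name, key identifier and key bytes are placeholders, and only the serial number is the one the post's capture shows.

```python
"""Check the CMSVersion rules of RFC 3852 on a CMS EnvelopedData.

s.6.2.1: KeyTransRecipientInfo.version MUST be 0 when rid is issuerAndSerialNumber
and 2 when rid is subjectKeyIdentifier.  s.6.1: EnvelopedData.version is 0 only when
originatorInfo and unprotectedAttrs are absent and every RecipientInfo is version 0,
otherwise 2.  Hand-rolled DER walker (definite lengths only); samples are constructed.
"""


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV (only used to build the samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(v: int) -> bytes:
    """DER INTEGER with minimal two's-complement content octets."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def check_ktri(der: bytes) -> dict:
    """Parse one KeyTransRecipientInfo and apply the rid/version rule of s.6.2.1."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("KeyTransRecipientInfo must be a SEQUENCE")
    _, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big", signed=True)
    tag, rid, _ = _read_tlv(body, pos)
    if tag == 0x30:                      # IssuerAndSerialNumber ::= SEQUENCE { issuer, serialNumber }
        _, _, p = _read_tlv(rid, 0)      # skip the issuer Name
        _, serial, _ = _read_tlv(rid, p)
        kind, required = "issuerAndSerialNumber", 0
        detail = {"serial": int.from_bytes(serial, "big", signed=True)}
    elif tag == 0x80:                    # [0] IMPLICIT SubjectKeyIdentifier (an OCTET STRING)
        kind, required, detail = "subjectKeyIdentifier", 2, {"keyid": rid.hex()}
    else:
        raise ValueError(f"unexpected RecipientIdentifier tag 0x{tag:02x}")
    return {"version": version, "rid": kind, "required_version": required,
            "conformant": version == required, **detail}


def check_enveloped_data(der: bytes) -> dict:
    """Walk an EnvelopedData: check every ktri, then the outer version rule of s.6.1.
    Only KeyTransRecipientInfo recipients are handled; kari/kekri/pwri/ori raise."""
    _, body, _ = _read_tlv(der, 0)
    _, ver, pos = _read_tlv(body, 0)
    outer_version = int.from_bytes(ver, "big", signed=True)
    tag, field, pos = _read_tlv(body, pos)
    originator = tag == 0xA0             # originatorInfo [0] IMPLICIT OPTIONAL
    if originator:
        tag, field, pos = _read_tlv(body, pos)
    if tag != 0x31:
        raise ValueError("expected recipientInfos SET OF RecipientInfo")
    recipients, rpos = [], 0
    while rpos < len(field):
        rtag, rbody, rpos = _read_tlv(field, rpos)
        if rtag != 0x30:                 # ktri is the untagged alternative of RecipientInfo
            raise ValueError(f"unsupported RecipientInfo tag 0x{rtag:02x}")
        recipients.append(check_ktri(_tlv(0x30, rbody)))
    _, _, pos = _read_tlv(body, pos)     # skip encryptedContentInfo
    unprotected = pos < len(body) and body[pos] == 0xA1   # unprotectedAttrs [1] IMPLICIT OPTIONAL
    required = 0 if (not originator and not unprotected
                     and all(r["version"] == 0 for r in recipients)) else 2
    return {"version": outer_version, "required_version": required, "recipients": recipients,
            "conformant": outer_version == required and all(r["conformant"] for r in recipients)}


# Constructed samples (placeholder CA name, key id and key material; serial as in the capture).
RSA_ENC = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))   # rsaEncryption
ENC_CONTENT = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701"))                   # id-data
              + _tlv(0x30, _tlv(0x06, bytes.fromhex("608648016503040102")) + _tlv(0x04, b"\x00" * 16))  # aes128-CBC
              + _tlv(0x80, b"\x11" * 32))                                                   # [0] encryptedContent


def rid_ias(issuer_cn: str, serial: int) -> bytes:
    """IssuerAndSerialNumber with a one-RDN issuer (CN=issuer_cn)."""
    rdn = _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, issuer_cn.encode("ascii"))))
    return _tlv(0x30, _tlv(0x30, rdn) + _int(serial))


def enveloped(version: int, ktri_version: int, rid: bytes) -> bytes:
    """EnvelopedData with a single ktri recipient using the given rid encoding."""
    ktri = _tlv(0x30, _int(ktri_version) + rid + RSA_ENC + _tlv(0x04, b"\x22" * 128))
    return _tlv(0x30, _int(version) + _tlv(0x31, ktri) + ENC_CONTENT)


DC_LIKE = enveloped(0, 0, rid_ias("CA", 1077249724))               # Windows DC shape: IAS, v0/v0
SAMBA_LIKE = enveloped(0, 0, _tlv(0x80, bytes.fromhex("a1" * 20)))  # reported Heimdal shape: SKI, v0/v0
SKI_FIXED = enveloped(2, 2, _tlv(0x80, bytes.fromhex("a1" * 20)))   # SKI as RFC 3852 requires: v2/v2
```

To use it on a real reply, cut the EncKeyPack ContentInfo out of the capture, take the [0] EXPLICIT content (the EnvelopedData SEQUENCE) and pass its DER bytes to check_enveloped_data; check_ktri can be pointed at one RecipientInfo on its own. The structure under test is the EnvelopedData of the EncKeyPack, as the captures in the thread show (ContentType IdEnvelopedData), so the recipient identifier is produced by the enveloping side of the CMS encoder, which is a different path from the one that chooses a SignerIdentifier for SignedData. The walker assumes DER definite lengths; a BER encoder emitting indefinite lengths would need the length parsing extended.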
Michael Wood
2010-Oct-06 09:49 UTC
[Samba] Broken support for Smart Card Logon in Windows 2003 and XP
This seems like a question for the samba-technical list. I have added it to the Cc list. The Heimdal mailing list might also be able to help.

2010/10/5 Николай Домуховский <nick2005a.d at gmail.com>:
> Hello.
> As I can see from this post: https://jira.it.su.se/jira/browse/HEIMDAL-241,
> at least Samba 4.0.0alpha5 supported Smart Card logon for Windows XP
> workstations.
> The current version (Version 4.0.0alpha14-GIT-77d959f+) does not support
> smart card logon on a Windows XP workstation (but Windows 7 works well).
> I tried to compare Kerberos traffic examples from a genuine domain
> controller and Samba's response and found at least one difference
> which could be the cause of the issue: Samba (in fact, Heimdal) generates
> a PA-PK-AS-REP which violates RFC 3852 (Cryptographic Message Syntax).
> RFC 3852 says:
>
>   If the RecipientIdentifier
>   is the CHOICE issuerAndSerialNumber, then the version MUST be 0.
>   If the RecipientIdentifier is subjectKeyIdentifier, then the
>   version MUST be 2.
>
>
> But Heimdal uses subjectKeyIdentifier in the response and version number
> 0. MS uses issuerAndSerialNumber.
> I tried to force Heimdal to use issuerAndSerialNumber in the response (simply
> by commenting out the if statement in the hx509_cms_create_signed function and
> making sigctx.cmsidflag always equal to CMS_ID_NAME), but this didn't work:
> even after that, the response from Samba contains subjectKeyIdentifier and
> version number 0. So I think that maybe this is a Heimdal bug and
> there is some workaround - if you know it, please tell me.
>
> In addition, here are the parsing results of Krb5 AS-REP packet fragments (I
> used Netmon 3.4 - it is somewhat better than Wireshark at parsing
> Kerberos packets).
>
>
> From Windows DC:
>
> - Kerberos: AS Response
>   + Length: Length = 2890
>   - AsRep: Kerberos AS Response
>     + ApplicationTag:
>     - KdcRep: KRB_AS_REP (11)
>       + SequenceHeader:
>       + Tag0:
>       + PvNo: 5
>       + Tag1:
>       + MsgType: KRB_AS_REP (11)
>       + Tag2:
>       - Padata:
>         + SequenceOfHeader:
>         - PaData: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
>           + SequenceHeader:
>           + Tag1:
>           + PaDataType: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
>           + Tag2:
>           + OctetStringHeader:
>           - PkAsRepOld:
>             + Tag1:
>             - EncKeyPack:
>               + SequenceHeader:
>               + ContentType: IdEnvelopedData (1.2.840.113549.1.7.3)
>               + Tag0:
>               - Content: 0x1
>                 - IdEnvelopedData: 0x1
>                   + SequenceHeader:
>                   + Version: v0 (0)
>                   - RecipientInfos:
>                     + SetOfHeader:
>                     - Info:
>                       - Ktri:
>                         + SequenceHeader:
>                         + Version: v0 (0)
>                         - RId:
>                           - IssuerAndSerialNumber:
>                             + SequenceHeader:
>                             + Issuer: ru,neyvabank,CA
>                             + SerialNumber: 1077249724
>                         + KeyEncryptionAlgorithm: RsaEncryption (1.2.840.113549.1.1.1)
>
> From Samba:
>
> - Kerberos: AS Response
>   + Length: Length = 2960
>   - AsRep: Kerberos AS Response
>     + ApplicationTag:
>     - KdcRep: KRB_AS_REP (11)
>       + SequenceHeader:
>       + Tag0:
>       + PvNo: 5
>       + Tag1:
>       + MsgType: KRB_AS_REP (11)
>       + Tag2:
>       - Padata:
>         + SequenceOfHeader:
>         - PaData: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
>           + SequenceHeader:
>           + Tag1:
>           + PaDataType: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
>           + Tag2:
>           + OctetStringHeader:
>           - PkAsRepOld:
>             + Tag1:
>             - EncKeyPack:
>               + SequenceHeader:
>               + ContentType: IdEnvelopedData (1.2.840.113549.1.7.3)
>               + Tag0:
>               - Content: 0x1
>                 - IdEnvelopedData: 0x1
>                   + SequenceHeader:
>                   + Version: v0 (0)
>                   - RecipientInfos:
>                     + SetOfHeader:
>                     - Info:
>                       - Ktri:
>                         + SequenceHeader:
>                         + Version: v0 (0)
>                         - RId:
>                           + SubjectKeyIdentifier:
>                         + KeyEncryptionAlgorithm: RsaEncryption (1.2.840.113549.1.1.1)

--
Michael Wood <esiotrot at gmail.com>