I'm setting up a small dental office with smartcard authentication for their computers for convenience, security, and to meet HIPAA requirements for tracking logins. I'm using a Samba Active Directory setup because at this point, spending $1000 on a copy of the latest Windows Server isn't an option. I am currently on my 4th attempt at it. Previously, I was compiling it from source on Ubuntu, but for this next attempt I'm going with a Univention VMware image instead to hopefully make it go a little faster.

So, basically, every time, the Active Directory system seems to work fine. The domain exists, I can log into it, and can access it through RSAT... at least for those functions that exist in a Samba setup, anyway.

Where I'm running into a roadblock is with the certificates. I've set up my own CA, been slogging through this (https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login) verbatim (other than changing the necessary stuff to make it for my domain, obviously)... and when I go to log in, it doesn't work. The best I can tell, it recognizes the certificate I've put on the card, it recognizes the root CA certificate, but it can't find the DC certificate. That is what certutil -dcinfo kicks back anyway: "KDC Certificate not found".

I've tried publishing the DC certificate. I've tried manually putting it into the enterprise stores. I've tried putting it into the group policy system. I've tried fiddling with the auto-enrollment system (turning it on... turning it off). Nothing works.

I am completely out of ideas here.

Any thoughts?

--
View this message in context: http://samba.2283325.n4.nabble.com/Samba4-ADDC-w-Windows-SC-login-tp4706730.html
Sent from the Samba - General mailing list archive at Nabble.com.
So, nothing, huh? Can't help? Need more information? Go pound sand?
On Wed, 2016-08-17 at 08:27 -0700, Restemayer via samba wrote:
> I'm setting up a small dental office with smartcard authentication for their
> computers for convenience, security, and to meet HIPAA requirements for
> tracking logins. I'm using a Samba Active Directory setup because at this
> point, spending $1000 on a copy of the latest Windows Server isn't an
> option. I am currently on my 4th attempt at it. Previously, I was
> compiling it from source on Ubuntu, but for this next attempt I'm going with
> a Univention VMware image instead to hopefully make it go a little faster.
>
> I am completely out of ideas here.
>
> Any thoughts?

Samba 4.5 may help, as metze (CC'ed) did a pile of work on smart card logins for this release.

Smart card login is a fairly unusual use of the AD DC, but while few folks use it, it is expected to work.

Are you sure the certificates and keys are correctly set in the krb5.conf?

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
As far as I know, yes. Granted, Active Directory structure and making my own certificate authority hierarchy is new territory for me, so I could be missing or misinterpreting a step in the setup.

I'm actually going to rebuild it today from scratch. Compile from source on a fresh Fedora install. I'll log everything I do so if (when) it fails again, I'll start posting my process on here to see if you guys can tell me where I'm dropping the ball on this.

Thanks.