samba - Aug 2016 - Samba4 ADDC /w Windows SC login

I'm setting up a small dental office with smartcard authentication for their
computers for convenience, security, and meet HIPAA requirements for
tracking logins.  I'm using a samba Active Directory setup because at this
point, spending $1000 on a copy of the latest Windows Server isn't an
option.  I'm am currently on my 4th attempt at it.  Previously, I was
compiling it from source on Ubuntu, but for this next attempt I'm going with
a Univention VMware image instead to hopefully make it go a little faster.  
 
So, basically, every time, the Active Directory system seems to work fine. 
The domain exists, I can log into it, and can access it through RSAT... at
least for those functions that exist in a Samba setup, anyway.  Where I'm
running into a roadblock is with the certificates.  I've set up my own CA,
been slogging through this
(https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login) verbatim (other
than changing the necessary stuff to make it for my domain, obviously)...
and when I go to login, it doesn't work.  The best I can tell, it recognizes
the certificate I've put on the card, it recognizes the root CA certificate,
but it can't find the DC certificate.  That is what certutil -dcinfo kicks
back anyway: "KDC Certificate not found".  I've tried publishing
the DC
certificate.  I've tried manually putting it into the enterprise stores. 
I've tried putting it into the group policy system.  I've tried fiddling
with the auto-enrollment system (turning it on... turning it off).  Nothing
works.  I am completely out of ideas here.
 
Any thoughts?



--
View this message in context:
http://samba.2283325.n4.nabble.com/Samba4-ADDC-w-Windows-SC-login-tp4706730.html
Sent from the Samba - General mailing list archive at Nabble.com.

So, nothing, huh?

Can't help?

Need more information?

Go pound sand?



--
View this message in context:
http://samba.2283325.n4.nabble.com/Samba4-ADDC-w-Windows-SC-login-tp4706730p4706886.html
Sent from the Samba - General mailing list archive at Nabble.com.

On Wed, 2016-08-17 at 08:27 -0700, Restemayer via samba
wrote:
> I'm setting up a small dental office with smartcard authentication
> for their
> computers for convenience, security, and meet HIPAA requirements for
> tracking logins.  I'm using a samba Active Directory setup because at
> this
> point, spending $1000 on a copy of the latest Windows Server isn't an
> option.  I'm am currently on my 4th attempt at it.  Previously, I was
> compiling it from source on Ubuntu, but for this next attempt I'm
> going with
> a Univention VMware image instead to hopefully make it go a little
> faster.  
>  
>  I am completely out of ideas here.
>  
> Any thoughts?
Samba 4.5 may help, as metze (CC'ed) did a pile of work on smart card
logins for this release. 

Smart card login is a fairly unusual use of the AD DC, but while few
folks use it, it is expected to work.

Are you sure the certificates and keys are correctly set in the
krb5.conf?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

As far as I know, yes.  Granted, active directory structure and making my own
certificate authority hierarchy is new territory for me, so I could be
missing or misinterpreting a step in the setup.  I'm actually going to
rebuild it today from scratch.  Compile from source on a fresh Fedora
install.  I'll log everything I do so if (when) it fails again, I'll
start
posting my process on here to see if you guys can tell me where I'm dropping
the ball on this.  Thanks.



--
View this message in context:
http://samba.2283325.n4.nabble.com/Samba4-ADDC-w-Windows-SC-login-tp4706730p4706950.html
Sent from the Samba - General mailing list archive at Nabble.com.