Ah, thank you, obviously this is a bug. Last comment (Łukasz Matyja 2016-04-01) says to have a fix, but how do I know if it has been added to bitbucket/samba? And if so, in which version? Or does the problem remain since the bugzilla case is still there? (Status: New)

On Thu, Sep 21, 2017 at 10:52 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 21 Sep 2017 22:08:51 +0200
> Peter L via samba <samba at lists.samba.org> wrote:
>
> > Thanks but I've actually tried that too. Not sure I put it in [kdc]
> > section though, I can try again.
> >
> > On 21 Sep 2017 20:54 "Andrew Bartlett" <abartlet at samba.org> wrote:
> >
> > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > > > Hi,
> > > > I have a smartcard which is revoked in the Certificate Revocation
> > > > List (CRL) but I can still log in. Seems like the CRL check is not
> > > > performed. Any known bug around this?
> > > >
> > > > Server setup:
> > > > - Samba 4.4 on Debian as AD DC
> > > > - Created domain MYDOM
> > > > - smb.conf (extract):
> > > >   tls enabled = yes
> > > >   tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
> > > >
> > > > CRL:
> > > > - In file system:
> > > >   ..../private/tls/mycrl.pem
> > > >   mycrl.pem
> > > > - Contains serial number 0x12ab
> > >
> > > The Heimdal code doing the SmartCard stuff doesn't know about the
> > > smb.conf, you need to configure this in krb5.conf.
> > >
> > > Something like:
> > >
> > > [kdc]
> > > pkinit_revoke = FILE:..../private/tls/mycrl.pem
> > >
> > > (Sadly this isn't used in our test scripts, so please test carefully
> > > and research the exact syntax further).
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> > > --
> > > Andrew Bartlett http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team http://samba.org
> > > Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
> This jogged something in my memory, so I went and did some digging and
> found this:
>
> https://bugzilla.samba.org/show_bug.cgi?id=9612
>
> Rowland
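An added example, not code from the thread, from Samba or from Heimdal: before concluding that the KDC skips the CRL check, confirm two things about the file the KDC is pointed at: that it really lists the card's serial (0x12ab in the report above) and that it has not passed its nextUpdate, since a stale CRL is a separate failure mode from a CRL that is never consulted. The script parses an X.509 CRL (PEM or DER) with only the Python standard library. The sample CRL it builds in-line is constructed for the example, carries a placeholder signature, and names a hypothetical "MYDOM Smartcard CA"; the function names (parse_crl, check_revoked, sample_crl_pem) are the example's own.

```python
"""Inspect an X.509 CRL with only the Python standard library.
Added example for this thread, not Samba or Heimdal code. The sample CRL
is constructed in-line and is unsigned (placeholder signature bit string).
"""
import base64
import re
from datetime import datetime, timezone


def utc(*ymdhms):                 # aware UTC datetime, e.g. utc(2017, 9, 22)
    return datetime(*ymdhms, tzinfo=timezone.utc)


# ---- minimal DER decoding ------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed TLV's contents into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out


def der_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_crl(data):
    """Parse PEM or DER; return issuer (raw DER), update times and revoked serials."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    _, cert_list, _ = der_read(data)                      # CertificateList
    fields = der_children(der_children(cert_list)[0][1])  # tbsCertList members
    i = 1 if fields[0][0] == 0x02 else 0                  # optional version INTEGER
    i += 1                                                # signature AlgorithmIdentifier
    issuer, this_update = fields[i][1], der_time(*fields[i + 1])
    i += 2
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update, i = der_time(*fields[i]), i + 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:          # revokedCertificates
        for _, entry in der_children(fields[i][1]):
            (_, serial), (ttag, tval) = der_children(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = der_time(ttag, tval)
    return {"issuer_der": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}


def check_revoked(data, serial, now=None):
    """Return (True/False/None, reason); None means the CRL is past nextUpdate."""
    crl = parse_crl(data)
    now = now or datetime.now(timezone.utc)
    if crl["next_update"] is not None and now > crl["next_update"]:
        return None, "CRL passed nextUpdate %s; refresh it before trusting it" % crl["next_update"]
    if serial in crl["revoked"]:
        return True, "serial 0x%x revoked on %s" % (serial, crl["revoked"][serial])
    return False, "serial 0x%x not among %d revoked entries" % (serial, len(crl["revoked"]))


# ---- minimal DER encoding, used only to build the constructed sample CRL --
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(n):                   # one spare bit keeps positive values positive
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def der_utctime(dt):
    return der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def sample_crl_pem(serials, this_update, next_update):
    """Constructed v2 CRL from a hypothetical 'MYDOM Smartcard CA', unsigned."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    issuer = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403"))
                                                   + der_tlv(0x0C, b"MYDOM Smartcard CA"))))
    entries = b"".join(der_tlv(0x30, der_int(s) + der_utctime(this_update)) for s in serials)
    tbs = der_tlv(0x30, der_int(1) + alg + issuer + der_utctime(this_update)
                  + der_utctime(next_update) + der_tlv(0x30, entries))
    sig = der_tlv(0x03, bytes(33))                        # placeholder, not a real signature
    b64 = base64.encodebytes(der_tlv(0x30, tbs + alg + sig)).decode("ascii")
    return "-----BEGIN X509 CRL-----\n%s-----END X509 CRL-----\n" % b64


if __name__ == "__main__":
    pem = sample_crl_pem([0x12AB, 0x1000], utc(2017, 9, 1), utc(2017, 10, 1))
    for serial in (0x12AB, 0x12AC):
        print(check_revoked(pem, serial, now=utc(2017, 9, 22))[1])
```

To run it against the real file, pass open(path, "rb").read() to check_revoked; `openssl crl -in mycrl.pem -noout -text` shows the same issuer, nextUpdate and serial list for comparison. The parser deliberately does not verify the CRL signature, so a passing check only says the file's contents are what you expect, not that the KDC will accept it.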
Rowland Penny
2017-Sep-22 07:56 UTC
[Samba] Revocation with CRL doesn't work for smartcards
On Fri, 22 Sep 2017 08:01:33 +0200 Peter L <plings1967 at gmail.com> wrote:
> Ah, thank you, obviously this is a bug. Last comment (Łukasz Matyja
> 2016-04-01) says to have a fix, but how do I know if it has been
> added to bitbucket/samba? And if so, in which version? Or does the
> problem remain since the bugzilla case is still there? (Status: New)

Normally a bug gets closed when it is fixed, so as this one is still open, I would think it isn't fixed.

You could try upgrading Samba to 4.7.0, though this will probably mean compiling it yourself, or you could try Louis's packages, see here: http://apt.van-belle.nl/

Rowland
Andrew Bartlett
2017-Sep-22 08:06 UTC
[Samba] Revocation with CRL doesn't work for smartcards
On Fri, 2017-09-22 at 08:56 +0100, Rowland Penny via samba wrote:
> On Fri, 22 Sep 2017 08:01:33 +0200
> Peter L <plings1967 at gmail.com> wrote:
>
> > Ah, thank you, obviously this is a bug. Last comment (Łukasz Matyja
> > 2016-04-01) says to have a fix, but how do I know if it has been
> > added to bitbucket/samba? And if so, in which version? Or does the
> > problem remain since the bugzilla case is still there? (Status: New)
>
> Normally a bug gets closed when it is fixed, so as this one is still
> open, I would think it isn't fixed.
>
> You could try upgrading Samba to 4.7.0, though this will probably mean
> compiling it yourself, or you could try Louis's packages, see here:

I don't expect any change here with 4.7.

However, if this is resolved in a newer Heimdal version then the work Gary is going for a Heimdal update might help, or at least allow a fix to be incorporated upstream and then included. That might fix things for 4.8.

I don't know why the commentator on the bug indicated they had a fix but didn't post it.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba