Alexey A Nikitin
2020-Nov-20 00:13 UTC
[Samba] Smartcard logon issue with pam_winbind and Kerberos auth
Hi folks,

I've run into an interesting issue when I was trying to set up a Winbind client to use a smart card for authentication.

From what I was able to gather, Winbind doesn't support smart card auth. To my surprise, I was able to authenticate without pam_pkcs11 or pam_krb5 in my PAM stack, using only pam_winbind, after I added config like this to /etc/krb5.conf:

```
EXAMPLE.COM = {
    pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
    pkinit_eku_checking = kpServerAuth
    pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
    pkinit_kdc_hostname = example.com
}

[appdefaults]
pam = {
    mappings = ^EXAMPLE\\(.*)$ $1@EXAMPLE.COM
}
```

From what I understand, that works because I have `krb5_auth = yes` in pam_winbind.conf, so the actual auth is done by libkrb5.

But I had an even bigger surprise when I found out that when Winbind is offline it now accepts the smart card PIN in lieu of the user password without bothering to verify whether there is _any_ smart card attached at all. From what I understand, the reason that happens is that Winbind simply completely offloads the authentication to libkrb5, without concerning itself at all about the nature of the credential (whether it is a password or a PIN), and it doesn't get back any discriminating responses from libkrb5, only whether auth has passed or failed, and then it just caches that result next to a (salted, I assume) hash of the credential.

Is my understanding correct?

Basically, what I would like to know is if there is a way to reap the benefits of the pam_winbind setup with proper pkinit configuration in krb5.conf but without the vulnerability I described, other than configuring the PAM stack to do either password auth with pam_winbind or smart card auth with pam_pkcs11 and pam_krb5.
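For reference, this is the split PAM stack the post names as the known alternative, written out as an added illustration (it is not part of the original message and not a file shipped by Samba, pam_pkcs11 or pam_krb5). The point of the layout is that the smart card PIN is only ever handed to pam_pkcs11 and pam_krb5, while pam_winbind only ever sees domain passwords, so nothing winbind caches for offline logon is derived from a PIN. The service file name, the Linux-PAM jump actions, the `krb5_auth` and `use_first_pass` module arguments, and the assumption that pam_pkcs11 leaves the PIN in the PAM auth token for pam_krb5 are all assumptions to check against the man pages on the target system.

```text
# /etc/pam.d/system-auth (added example; file name and module arguments are assumptions)
#
# auth flow:
#   card present, PIN correct   -> pam_pkcs11 ok, jump over the password path, PKINIT via pam_krb5
#   no card or pkcs11 failure   -> fall through to pam_winbind, which prompts for a domain password
#   neither succeeds            -> pam_deny
auth    required                    pam_env.so
# Smart card path: pam_pkcs11 checks the card's certificate and the PIN;
# on success skip the next 2 modules (winbind and deny).
auth    [success=2 default=ignore]  pam_pkcs11.so
# Password path: winbind only sees passwords here; krb5_auth keeps the Kerberos logon.
# On success skip the next 3 modules so pam_krb5 never runs with a password.
auth    [success=3 default=ignore]  pam_winbind.so krb5_auth
auth    requisite                   pam_deny.so
# Reached only from the smart card path. Assumes pam_pkcs11 stored the PIN as the
# PAM auth token; pkinit_identities / pkinit_cert_match come from krb5.conf.
auth    required                    pam_krb5.so use_first_pass
auth    required                    pam_permit.so
```

When no card is inserted, pam_pkcs11's failure is discarded by `default=ignore` and the user is prompted for a password by pam_winbind; when the card path succeeds, pam_winbind is skipped entirely, so it has nothing PIN-derived to cache.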