I think I have been able to solve the problem myself:
In old documentation there was in krb5.conf extra entries for CRL, like:
#    pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl
#    pkinit_require_crl_checking = yes
Newer docs have nothing of this kind. Furthermore, it is also not needed to
install the root certs in the sub domain to resolve the chain. Only on
Windows clients, per GPO, is it a prerequisite. In the smb.conf, only the
intermediate certs and CRLs are needed. But the funny thing is that the docs
(Samba Wiki) say that CRL Distribution Point entries are needed, but
they never query the webserver.
Am I missing something?
Via certutil on the Windows client I can query the CRL and verify certs against
it. But when I revoke a client cert and use a SmartCard with it, the
login is granted. But in the CRL that cert is revoked, and the CRL is loaded in
samba-ad-dc. Strange.
Is there another problem?
On 14.07.2023 at 16:52, Hans Schulze via samba wrote:
> Hello,
>
> Has anyone tried Samba 4 AD with SmartCard authentication and a trusted
> certificate chain, i.e. with a root CA and an intermediate CA?
>
> I followed the HowTo from the Samba Wiki, but it only explains how to
> use it with only a root CA. Then I tried it myself. I created an
> intermediate CA and some certs for the DC and user. But I always ran
> into:
>
> NT_STATUS_PKINIT_FAILURE
>
> Yes, I have paid attention to the CRL Distribution Points and that the
> clients also have a connection to them. But the authentication fails.
>
> With log level = 9 I found this...
>
> ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: PKINIT request but PKINIT not enabled
>
>
> Is there another trigger to enable pkinit under Samba AD? That's my
> krb5.conf:
>
> [libdefaults]
>     default_realm = TEST.EXAMPLE.DE
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>
> [appdefaults]
>     pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>
> [realms]
>     TEST.EXAMPLE.DE = {
>         default_domain = test.example.de
>         pkinit_require_eku = true
>     }
>
> [domain_realm]
>     dc0 = TEST.EXAMPLE.DE
>
> [kdc]
>     enable-pkinit = yes
>     pkinit_identity = FILE:/var/lib/samba/private/tls/dc0-cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem
>     pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>     pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tls/root.crl
>     pkinit_principal_in_certificate = yes
>     pkinit_win2k = no
>     pkinit_win2k_require_binding = yes
>
> My smb.conf:
>
> # Global parameters
> [global]
>     dns forwarder = 10.0.0.2
>     netbios name = DC0
>     realm = TEST.EXAMPLE.DE
>     server role = active directory domain controller
>     dns forwarder = 10.0.0.1
>     workgroup = TEST
>     idmap_ldb:use rfc2307 = yes
>     log level = 9
>     # log level = 1 auth_audit:3 auth_json_audit:3
>     tls enabled = yes
>     tls certfile = /var/lib/samba/private/tls/dc0-cert.pem
>     tls keyfile = /var/lib/samba/private/tls/secure/dc0-privkey.pem
>     tls cafile = /var/lib/samba/private/tls/cacert.pem
>     tls cafile = /var/lib/samba/private/tls/interca.pem
>     tls crlfile = /var/lib/samba/private/tls/rootca.crl
>     tls crlfile = /var/lib/samba/private/tls/interca.crl
>     tls dhparams file = /var/lib/samba/private/tls/dc0-dhparams.pem
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/test.example.de/scripts
>     read only = No
>
> Is that a Kerberos related issue or Samba 4?
>
>
> Regards
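As an added example (not code from this thread or from Samba), the following POSIX shell script rebuilds the chain the posts describe with throw-away material (root CA, intermediate CA, user cert, CRL issued by the intermediate) and checks the user cert against chain and CRL with openssl verify, which is the check a KDC with pkinit_revoke configured is expected to make. All subjects and file names are constructed for the demo; the check should report "valid" before revocation and "revoked" once the intermediate's CRL lists the cert.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throw-away root -> intermediate
# -> user chain, revoke the user cert on the intermediate CA, and verify the leaf
# against chain + CRL with "openssl verify", which is the check a PKINIT KDC with
# pkinit_revoke configured is expected to perform. All names are constructed.
set -e

# Create the demo PKI (constructed material) in directory $1.
build_demo_pki() (
    mkdir -p "$1" && cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Demo-Root -days 7 \
        -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Inter \
        -keyout inter.key -out inter.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >ca_ext.cnf
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 7 -extfile ca_ext.cnf -out inter.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=alice \
        -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 7 -out user.pem 2>/dev/null
    # Minimal "openssl ca" database so the intermediate can issue CRLs.
    : >index.txt
    printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = index.txt\n' >ca.cnf
    printf 'certificate = inter.pem\nprivate_key = inter.key\n' >>ca.cnf
    printf 'default_md = sha256\ndefault_crl_days = 7\n' >>ca.cnf
    openssl ca -config ca.cnf -gencrl -out inter.crl 2>/dev/null   # empty CRL
)

# Revoke user.pem on the intermediate CA and publish a fresh inter.crl.
revoke_user() (
    cd "$1"
    openssl ca -config ca.cnf -revoke user.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out inter.crl 2>/dev/null
)

# Chain and revocation check: root trusted, intermediate untrusted, leaf status
# taken from the intermediate's CRL (-crl_check_all would also need a root CRL,
# like the inter.crl/root.crl pair in the thread). Prints valid, revoked or error.
check_user_cert() {
    out=$(cd "$1" && openssl verify -crl_check -CAfile root.pem -untrusted inter.pem \
              -CRLfile inter.crl user.pem 2>&1) && { echo valid; return 0; }
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *) echo "error: $out" ;;
    esac
}
```

Run it against a temporary directory: build_demo_pki, check_user_cert (valid), revoke_user, check_user_cert (revoked); the same openssl verify line can be pointed at the DC's real cacert.pem, interca.pem and interca.crl to confirm what the loaded CRL actually says about a SmartCard cert.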