samba - Jul 2023 - Samba 4 AD SmartCard Authentication Problem

I think I have been able to solve the problem myself:

In old documentation there was in krb5.conf extra entries for CRL, like:

#?????? pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl
#?????? pkinit_require_crl_checking = yes

Newer docs has nothing in this way. Furthermore is also not needeed to 
install the root certs in the Sub Domain to resolve the chain. Only in 
win clients per GPO it is a prerequisite. In the smb.conf, are only the 
intermediate certs and crls are needed. But funny is, that the docs 
(Samba Wiki) say that CRL Distributions Point Entries are needed, but 
they never query the webserver.

Am I missing something?

Over certutil on win client i can qery the CRL and verify Certs against 
it. But when i revoke an client cert and use an SmartCard with it, the 
login is granted. But in the crl is that cert revoked and loaded in 
samba-ad-dc. Strange.

Is there another Problem?

Am 14.07.2023 um 16:52 schrieb Hans Schulze via samba:
> Hello,
>
> has anyone tried Samba 4 AD with SmartCard-Authentication and trust of 
> chain certificates. So with root ca and intermediate ca?
>
> I followed the HowTo from the Samba Wiki, but there is only explained 
> how you use with only a root ca. Then i tried it myself. I created a 
> intermediate ca and some certs for the dc and user. But, i always ran 
> into:
>
> NT_STATUS_PKINIT_FAILURE
>
> Yes, i have paid attention to the CRL Distribution Points and that 
> also the clients have connection to them. But the authentication fails.
>
> With log level = 9 i found this...
>
> |../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> Kerberos: PKINIT request but PKINIT not enabled |
>
>
> Is there another Trigger to enable pkinit under Samba AD? Thats my 
> krb5.conf:
>
> |[libdefaults] default_realm = TEST.EXAMPLE.DE dns_lookup_realm = 
> false dns_lookup_kdc = true pkinit_anchors = 
> FILE:/var/lib/samba/private/tls/ca.pem [appdefaults] pkinit_anchors = 
> FILE:/var/lib/samba/private/tls/ca.pem [realms] TEST.EXAMPLE.DE = { 
> default_domain = test.example.de pkinit_require_eku = true } 
> [domain_realm] dc0 = TEST.EXAMPLE.DE [kdc] enable-pkinit = yes 
> pkinit_identity = 
>
FILE:/var/lib/samba/private/tls/dc0-cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem
> pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem pkinit_revoke 
> = 
>
FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tls/root.crl
> pkinit_principal_in_certificate = yes pkinit_win2k = no 
> pkinit_win2k_require_binding = yes |
>
> My smb.conf:
>
> ||
>
> |||# Global parameters [global] dns forwarder = 10.0.0.2 netbios name 
> = DC0 realm = TEST.EXAMPLE.DE server role = active directory domain 
> controller dns forwarder = 10.0.0.1 workgroup = TEST idmap_ldb:use 
> rfc2307 = yes log level = 9 # log level = 1 auth_audit:3 
> auth_json_audit:3 tls enabled = yes tls certfile = 
> /var/lib/samba/private/tls/dc0-cert.pem tls keyfile = 
> /var/lib/samba/private/tls/secure/dc0-privkey.pem tls cafile = 
> /var/lib/samba/private/tls/cacert.pem tls cafile = 
> /var/lib/samba/private/tls/interca.pem tls crlfile = 
> /var/lib/samba/private/tls/rootca.crl tls crlfile = 
> /var/lib/samba/private/tls/interca.crl tls dhparams file = 
> /var/lib/samba/private/tls/dc0-dhparams.pem [sysvol] path = 
> /var/lib/samba/sysvol read only = No [netlogon] path = 
> /var/lib/samba/sysvol/test.example.de/scripts read only = No |
>
> Is that an Kerberos related Issue or Samba 4?
>
>
> Regards||
>
> ||||
>
> ||
>
> ||
>
> ||

Tested support for certificate revocation is finally coming to Samba
(previously folks used an out-of-tree Heimdal patch to have this work).
See https://gitlab.com/samba-team/samba/-/merge_requests/3163
I expect these to land soon, hopefully for 4.19.
Andrew Bartlett
On Tue, 2023-07-18 at 12:24 +0200, Hans Schulze via samba
wrote:
> I think I have been able to solve the problem myself:
> In old documentation there was in krb5.conf extra entries for CRL,
> like:
> #       pkinit_revoke > FILE:/var/lib/samba/private/tls/inter.crl#      
> pkinit_require_crl_checking = yes
> Newer docs has nothing in this way. Furthermore is also not needeed
> to install the root certs in the Sub Domain to resolve the chain.
> Only in win clients per GPO it is a prerequisite. In the smb.conf,
> are only the intermediate certs and crls are needed. But funny is,
> that the docs (Samba Wiki) say that CRL Distributions Point Entries
> are needed, but they never query the webserver.
> Am I missing something?
> Over certutil on win client i can qery the CRL and verify Certs
> against it. But when i revoke an client cert and use an SmartCard
> with it, the login is granted. But in the crl is that cert revoked
> and loaded in samba-ad-dc. Strange.
> Is there another Problem?
> Am 14.07.2023 um 16:52 schrieb Hans Schulze via samba:
> > Hello,
> > has anyone tried Samba 4 AD with SmartCard-Authentication and trust
> > of chain certificates. So with root ca and intermediate ca?
> > I followed the HowTo from the Samba Wiki, but there is only
> > explained how you use with only a root ca. Then i tried it myself.
> > I created a intermediate ca and some certs for the dc and user.
> > But, i always ran into:
> > NT_STATUS_PKINIT_FAILURE
> > Yes, i have paid attention to the CRL Distribution Points and that
> > also the clients have connection to them. But the authentication
> > fails.
> > With log level = 9 i found this...
> > > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug
> > > _wrapper) 
> > Kerberos: PKINIT request but PKINIT not enabled |
> > 
> > Is there another Trigger to enable pkinit under Samba AD? Thats my
> > krb5.conf:
> > > [libdefaults] default_realm = TEST.EXAMPLE.DE dns_lookup_realm = 
> > false dns_lookup_kdc = true pkinit_anchors > >
FILE:/var/lib/samba/private/tls/ca.pem [appdefaults] pkinit_anchors
> > = FILE:/var/lib/samba/private/tls/ca.pem [realms] TEST.EXAMPLE.DE >
> { default_domain = test.example.de pkinit_require_eku = true }
> > [domain_realm] dc0 = TEST.EXAMPLE.DE [kdc] enable-pkinit = yes
> > pkinit_identity = FILE:/var/lib/samba/private/tls/dc0-
> > cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem
> > pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
> > pkinit_revoke > >
FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tl
> > s/root.crl pkinit_principal_in_certificate = yes pkinit_win2k = no
> > pkinit_win2k_require_binding = yes |
> > My smb.conf:
> > > > > # Global parameters [global] dns forwarder = 10.0.0.2
netbios
> > > > > name 
> > = DC0 realm = TEST.EXAMPLE.DE server role = active directory domain
> > controller dns forwarder = 10.0.0.1 workgroup = TEST idmap_ldb:use
> > rfc2307 = yes log level = 9 # log level = 1 auth_audit:3
> > auth_json_audit:3 tls enabled = yes tls certfile > >
/var/lib/samba/private/tls/dc0-cert.pem tls keyfile > >
/var/lib/samba/private/tls/secure/dc0-privkey.pem tls cafile > >
/var/lib/samba/private/tls/cacert.pem tls cafile > >
/var/lib/samba/private/tls/interca.pem tls crlfile > >
/var/lib/samba/private/tls/rootca.crl tls crlfile > >
/var/lib/samba/private/tls/interca.crl tls dhparams file > >
/var/lib/samba/private/tls/dc0-dhparams.pem [sysvol] path > >
/var/lib/samba/sysvol read only = No [netlogon] path > >
/var/lib/samba/sysvol/test.example.de/scripts read only = No |
> > Is that an Kerberos related Issue or Samba 4?
> > 
> > Regards||
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member
(since 2001) https://samba.orgSamba Team Lead               
https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions