Olivier MARTIN
2023-Aug-04 17:05 UTC
[Samba] PKinit does not seem to be correctly setup - password requested and no pkinit(?)
Hello all,

I am really well aware of https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login, which I have read many times. I have tried to follow the instructions and adapt them to my simple setup.

To start, my server runs "Debian GNU/Linux 12" and I use the Samba Debian package "Samba: 2:4.17.9+dfsg-0+deb12u3".

My issue is that when I try to authenticate myself with `kinit my-user -X "X509_user_identity=FILE:my-user.crt,my-user.key"`, it asks for a password and does not seem to do a PKINIT authentication. Before playing with Samba AD DC, I had a MIT Kerberos + LDAP setup and managed to get a similar setup working.

Here are the instructions to duplicate my issue:

1. Create a user with smartcard required

sudo samba-tool user add userresttest --smartcard-required --no-pass

Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.015861, 3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
Aug 04 08:53:10 dc1 winbindd[16500]:   winbindd_interface_version: [nss_winbind (31725)]: request interface version (version = 32)
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.017896, 3] ../../source3/winbindd/winbindd.c:496(process_request_send)
Aug 04 08:53:10 dc1 winbindd[16500]:   process_request_send: [nss_winbind (31725)] Handling async request: GETGROUPS
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.018123, 3] ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
Aug 04 08:53:10 dc1 winbindd[16500]:   [nss_winbind (31725)] Winbind external command GETGROUPS start.
Aug 04 08:53:10 dc1 winbindd[16500]:   Searching groups for username 'root'.
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.018622, 4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
Aug 04 08:53:10 dc1 winbindd[16562]:   child daemon request 55
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019223, 3] ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
Aug 04 08:53:10 dc1 winbindd[16562]:   string_to_sid: SID  is not in a valid format
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019338, 3] ../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
Aug 04 08:53:10 dc1 winbindd[16562]:   sam_name_to_sid: SAMDOM\ROOT
Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.023290,  4] ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
Aug 04 08:53:10 dc1 samba[16460]:   Successful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04 Aug 2023 08:53:10.023253 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.033887,  4] ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
Aug 04 08:53:10 dc1 samba[16460]:   Successful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04 Aug 2023 08:53:10.033863 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.038783,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
Aug 04 08:53:10 dc1 samba[16460]:   ldb_wrap open of privilege.ldb
Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.041817, 4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
Aug 04 08:53:10 dc1 winbindd[16562]:   Finished processing child request 55
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042068, 1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
Aug 04 08:53:10 dc1 winbindd[16500]:   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042124, 3] ../../source3/winbindd/winbindd.c:563(process_request_done)
Aug 04 08:53:10 dc1 winbindd[16500]:   process_request_done: [nss_winbind(31725):GETGROUPS]: NT_STATUS_NONE_MAPPED
Aug 04 08:53:10 dc1 sudo[31725]:  vagrant : TTY=pts/2 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/samba-tool user add userresttest --smartcard-required --no-pass
Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session opened for user root(uid=0) by vagrant(uid=1000)
Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session closed for user root

2. Test login for my new user on the server. A password is requested.

$ kinit userresttest -X "X509_user_identity=FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key"
Password for userresttest@SAMDOM.VM-TEST-SERVER:
kinit: Password incorrect while getting initial credentials

Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.443651,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Probing for AS-REQ
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444331,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Not a FAST request
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444487,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: AS-REQ userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:57017 for krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455560,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Client sent patypes: 150, REQ-ENC-PA-REP
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455772,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=150,REQ-ENC-PA-REP
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455835,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Looking for PK-INIT(ietf) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455910,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Looking for PK-INIT(win2k) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456016,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Looking for ENC-TS pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456108,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Looking for GSS pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456216,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456302,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: as-req: sending error: -1765328359 to client
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456360,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: Making non-FAST KRB-ERROR
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456700,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.013076
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456783,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456845,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:45 dc1 samba[32834]:   Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:57017 userresttest@SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER client-pa=150,REQ-ENC-PA-REP e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.013076

(...logs after entering an empty password...)

Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911607,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Probing for AS-REQ
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911876,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Not a FAST request
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911924,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: AS-REQ userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:33525 for krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916859,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Client sent patypes: ENC-TS, 150, REQ-ENC-PA-REP
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916968,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,150,REQ-ENC-PA-REP
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917013,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Looking for PK-INIT(ietf) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917077,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Looking for PK-INIT(win2k) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917136,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Looking for ENC-TS pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917179,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: heim_audit_vaddkv(): kv pair[0] pa=ENC-TS
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917283,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Failed to decrypt PA-DATA -- userresttest@SAMDOM.VM-TEST-SERVER (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917333,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: heim_audit_setkv_number(): setting kv pair pa-etype=18
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917373,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=5
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921154,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]:   descriptor_prepare_commit: changes: num_registrations=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921242,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]:   descriptor_prepare_commit: changes: num_registered=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921280,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]:   descriptor_prepare_commit: changes: num_toplevel=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921314,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]:   descriptor_prepare_commit: changes: num_processed=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921347,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]:   descriptor_prepare_commit: objects: num_processed=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921380,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
Aug 04 10:00:48 dc1 samba[32824]:   descriptor_prepare_commit: objects: num_skipped=0
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921654,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Aug 04 10:00:48 dc1 samba[32824]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[userresttest@SAMDOM.VM-TEST-SERVER] at [Fri, 04 Aug 2023 10:00:48.921630 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.56.10:33525] mapped to [SAMDOM]\[userresttest]. local host [NULL]
Aug 04 10:00:48 dc1 samba[32824]:   {"timestamp": "2023-08-04T10:00:48.921744+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "e0c3e6c4b452b699", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress": "ipv4:192.168.56.10:33525", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "userresttest@SAMDOM.VM-TEST-SERVER", "workstation": null, "becameAccount": "userresttest", "becameDomain": "SAMDOM", "becameSid": "S-1-5-21-1683713074-1702463723-3046006096-1109", "mappedAccount": "userresttest", "mappedDomain": "SAMDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 10173}}
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921900,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: as-req: sending error: -1765328360 to client
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921943,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: Making non-FAST KRB-ERROR
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922108,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.010505
Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922160,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 10:00:48 dc1 samba[32824]:   Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.56.10:33525 userresttest@SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER pa=ENC-TS pa-etype=18 client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.010505

3. Verify certificate. I am using an intermediate certificate: root-ca.crt > user-signing-ca.crt > userresttest.crt

$ openssl verify -CAfile /etc/pki/vm-test-server/ca/root-ca.crt -untrusted /etc/pki/vm-test-server/ca/user-signing-ca-chain.crt /tmp/vm-test-server-pki/certs/userresttest.crt
/tmp/vm-test-server-pki/certs/userresttest.crt: OK

4. krb5.conf

$ sudo cat /etc/krb5.conf
[libdefaults]
    default_realm = SAMDOM.VM-TEST-SERVER
    dns_lookup_realm = false
    dns_lookup_kdc = true
    pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt

[appdefaults]
    pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt

[realms]
    SAMDOM.VM-TEST-SERVER = {
        default_domain = samdom.vm-test-server
        pkinit_require_eku = true
    }

[kdc]
    enable-pkinit = yes
    pkinit_identity = FILE:/etc/pki/vm-test-server/ca/service-ca/ad_dc.crt,/etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key
    pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt
    pkinit_principal_in_certificate = yes
    pkinit_win2k = no
    pkinit_win2k_require_binding = yes

[domain_realm]
    dc1 = SAMDOM.VM-TEST-SERVER

[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE

5. Samba configuration:

$ cat /etc/samba/smb.conf
# Global parameters
[global]
    dns forwarder = 8.8.8.8
    netbios name = DC1
    realm = SAMDOM.VM-TEST-SERVER
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    disable netbios = yes
    log level = 4 auth_json_audit:3@/var/log/samba/samba_audit.log
    logging = syslog@4
    restrict anonymous = 2
    load printers = no
    cups options = raw
    printcap name = /dev/null
    ldap debug level = 1
    tls enabled = yes
    tls keyfile = /etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key
    tls certfile = /etc/pki/vm-test-server/ca/service-ca/ad_dc.crt
    tls cafile = /etc/pki/vm-test-server/ca/root-ca.crt
    tls crlfile = /etc/pki/vm-test-server/ca/service-ca/services.crl
    tls dhparams file = /etc/pki/vm-test-server/ad_dc_dhparams.pem

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/samdom.vm-test-server/scripts
    read only = No

6. User certificate dump

$ cat /tmp/vm-test-server-pki/certs/userresttest.crt
-----BEGIN CERTIFICATE-----
MIIDuTCCAqGgAwIBAgIUa4JmnGUhfgqzcpmDhS6zg4E93ucwDQYJKoZIhvcNAQEL
BQAwRTEeMBwGCgmSJomT8ixkARkWDnZtLXRlc3Qtc2VydmVyMREwDwYDVQQLDAhE
ZW1vIEx0ZDEQMA4GA1UEAwwHVXNlciBDQTAeFw0yMzA4MDQwODE3MjdaFw0yNDA4
MDMwODE3MjdaMGAxFjAUBgoJkiaJk/IsZAEZFgZzYW1kb20xHjAcBgoJkiaJk/Is
ZAEZFg52bS10ZXN0LXNlcnZlcjEPMA0GA1UEAwwGcGVvcGxlMRUwEwYDVQQDDAx1
c2VycmVzdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCek1JL
RqTzRkjQdaowRsiiBTHJstIz9RhsOx9esgqzOFaAmaMi4vbDWjN8VB4IIUKWe6YR
5Miv9JWkjne6bNjuMauedf8iv0/wxdVBvDcUm2y2qkqcmj75BPBjrlWjanw+hhQD
w+9OJjfZP5uncRv1kil3r1M4gjntkOP5iKa8ttupzpzVEgWcsdJUy84qTfxYmGS/
obzP0QbftAQanjfzR/ex+JtVyjqHYS7Z1pEBH0bkhVfzkSutEoC272SUDmjMGoZW
+lgJI7AfH0XS/Y0D1dhYcX05deQFwljx1KxqXWHz0L3cXxjjH0xNG0YUQcK7OvdF
aKXXx/kP00e2hZ2/AgMBAAGjgYUwgYIwCwYDVR0PBAQDAgOoMCYGA1UdJQQfMB0G
BysGAQUCAwQGCCsGAQUFBwMEBggrBgEFBQcDAjBLBgNVHREERDBCoEAGBisGAQUC
AqA2MDSgFxsVU0FNRE9NLlZNLVRFU1QtU0VSVkVSoRkwF6ADAgEBoRAwDhsMdXNl
cnJlc3R0ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQAlOokZ7uVmQ8A84Kcn/zMaIA/S
EFx8UNXjqTQNyPeYVDYiAj9Y1DLI9K3HJzCADPzfIi0gfDZKob3bqK+CtcBLKOfm
6p0mEQcABgPq+uAbcW3yps9nUpCMKq+96SLughdePRjJ2OTuKfzwq58g8SBKWqKi
vjKbTvfmMsyu+O4ca5Srh4FuzhXLiD92XL8uYu19iRGSZ0FGrsSzuxvF/gwjLNHD
G7fo0lR705s4Yjaa+JTgBNOg8Ar1bZfKWZA9t5JtGdop0zBkpfzgt28sn9uTxkqn
LOsoQe5cRmh5lcbnWokPGg7qNsN458WmptOXK1p2ZGHtZ0ZPp0SemeCPMy8g
-----END CERTIFICATE-----

7. User's Samba entries:

$ sudo samba-tool user show userresttest
Processing section "[sysvol]"
Processing section "[netlogon]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
dn: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: userresttest
instanceType: 4
whenCreated: 20230804085310.0Z
whenChanged: 20230804085310.0Z
uSNCreated: 4112
uSNChanged: 4112
name: userresttest
objectGUID: cda01bf5-fdee-4137-9474-538f266ed65f
userAccountControl: 262656
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-1683713074-1702463723-3046006096-1109
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: userresttest
sAMAccountType: 805306368
userPrincipalName: userresttest@samdom.vm-test-server
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=vm-test-server
distinguishedName: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server

I tried with 'pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt' as specified by the Samba wiki page: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Edit_the_Samba_KDC_Configuration_File_to_Enable_PKINIT_Authentication

I also tried with the CA bundle user-signing-ca-chain.crt: `cat ca/user-signing-ca.crt ca/root-ca.crt > ca/user-signing-ca-chain.crt` ... but same issue.

I also read the recent Samba mailing list thread "Samba 4 AD SmartCard Authentication Problem": https://www.spinics.net/lists/samba/msg179822.html but Hans got luckier: he got the error 'NT_STATUS_PKINIT_FAILURE', while my issue seems to be different.

Could it be related to my user creation? I have no entries for pkinit in my logs: `sudo journalctl -u samba-ad-dc.service | grep -i pkinit` is empty.

Thanks in advance,
Olivier
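The post verifies the certificate chain with `openssl verify` (step 3) but never shows the two fields a PKINIT KDC configured with `pkinit_require_eku` and `pkinit_principal_in_certificate` (step 4) actually checks: the extended key usage and the KRB5PrincipalName carried in the id-pkinit-san otherName of the subjectAltName, which `openssl x509 -text` does not decode into a principal. The following is an added example, not code from the poster or the Samba project: a stdlib-only DER walker that pulls both fields out of the certificate pasted in step 6 and compares them with the principal being requested. It assumes single-byte ASN.1 tags (true for any X.509 certificate) and takes the last field of each Extension as extnValue so the optional `critical` flag does not matter.

```python
"""Added example: inspect the PKINIT-relevant fields (EKU and id-pkinit-san)
of a client certificate with a minimal, stdlib-only DER walker."""
import base64

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_PKINIT_SAN = "1.3.6.1.5.2.2"            # id-pkinit-san (RFC 4556 3.2.2)
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"  # id-pkinit-KPClientAuth (RFC 4556 3.2.2)

# userresttest.crt exactly as pasted in the post (step 6).
USER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDuTCCAqGgAwIBAgIUa4JmnGUhfgqzcpmDhS6zg4E93ucwDQYJKoZIhvcNAQEL
BQAwRTEeMBwGCgmSJomT8ixkARkWDnZtLXRlc3Qtc2VydmVyMREwDwYDVQQLDAhE
ZW1vIEx0ZDEQMA4GA1UEAwwHVXNlciBDQTAeFw0yMzA4MDQwODE3MjdaFw0yNDA4
MDMwODE3MjdaMGAxFjAUBgoJkiaJk/IsZAEZFgZzYW1kb20xHjAcBgoJkiaJk/Is
ZAEZFg52bS10ZXN0LXNlcnZlcjEPMA0GA1UEAwwGcGVvcGxlMRUwEwYDVQQDDAx1
c2VycmVzdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCek1JL
RqTzRkjQdaowRsiiBTHJstIz9RhsOx9esgqzOFaAmaMi4vbDWjN8VB4IIUKWe6YR
5Miv9JWkjne6bNjuMauedf8iv0/wxdVBvDcUm2y2qkqcmj75BPBjrlWjanw+hhQD
w+9OJjfZP5uncRv1kil3r1M4gjntkOP5iKa8ttupzpzVEgWcsdJUy84qTfxYmGS/
obzP0QbftAQanjfzR/ex+JtVyjqHYS7Z1pEBH0bkhVfzkSutEoC272SUDmjMGoZW
+lgJI7AfH0XS/Y0D1dhYcX05deQFwljx1KxqXWHz0L3cXxjjH0xNG0YUQcK7OvdF
aKXXx/kP00e2hZ2/AgMBAAGjgYUwgYIwCwYDVR0PBAQDAgOoMCYGA1UdJQQfMB0G
BysGAQUCAwQGCCsGAQUFBwMEBggrBgEFBQcDAjBLBgNVHREERDBCoEAGBisGAQUC
AqA2MDSgFxsVU0FNRE9NLlZNLVRFU1QtU0VSVkVSoRkwF6ADAgEBoRAwDhsMdXNl
cnJlc3R0ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQAlOokZ7uVmQ8A84Kcn/zMaIA/S
EFx8UNXjqTQNyPeYVDYiAj9Y1DLI9K3HJzCADPzfIi0gfDZKob3bqK+CtcBLKOfm
6p0mEQcABgPq+uAbcW3yps9nUpCMKq+96SLughdePRjJ2OTuKfzwq58g8SBKWqKi
vjKbTvfmMsyu+O4ca5Srh4FuzhXLiD92XL8uYu19iRGSZ0FGrsSzuxvF/gwjLNHD
G7fo0lR705s4Yjaa+JTgBNOg8Ar1bZfKWZA9t5JtGdop0zBkpfzgt28sn9uTxkqn
LOsoQe5cRmh5lcbnWokPGg7qNsN458WmptOXK1p2ZGHtZ0ZPp0SemeCPMy8g
-----END CERTIFICATE-----
"""

def der_read(buf, pos=0):
    """Read one TLV at pos (single-byte tags only); return (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split the content of a constructed element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                  # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pkinit_san_principal(general_names):
    """Return 'name@REALM' from an id-pkinit-san otherName, or None if absent."""
    for tag, value in der_children(general_names):
        if tag != 0xA0:                   # GeneralName CHOICE [0] = otherName
            continue
        (_, type_id), (_, explicit) = der_children(value)
        if decode_oid(type_id) != OID_PKINIT_SAN:
            continue
        _, krb5_name, _ = der_read(explicit)               # KRB5PrincipalName ::= SEQUENCE
        (_, realm_field), (_, pname_field) = der_children(krb5_name)
        realm = der_read(realm_field)[1].decode("ascii")   # [0] Realm (GeneralString)
        _, pname, _ = der_read(pname_field)                # [1] PrincipalName ::= SEQUENCE
        (_, _name_type), (_, name_string) = der_children(pname)
        _, parts, _ = der_read(name_string)                # [1] SEQUENCE OF GeneralString
        return "/".join(p.decode("ascii") for _, p in der_children(parts)) + "@" + realm
    return None

def pkinit_identity(pem):
    """Extract the EKU OID list and the PKINIT SAN principal from a PEM certificate."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = der_read(base64.b64decode(b64))
    tbs = der_children(cert)[0][1]                         # tbsCertificate
    ekus, principal = [], None
    for tag, value in der_children(tbs):
        if tag != 0xA3:                                    # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_read(value)[1]):
            fields = der_children(ext)                     # extnID, [critical], extnValue
            _, inner, _ = der_read(fields[-1][1])          # OCTET STRING wraps a SEQUENCE
            ext_oid = decode_oid(fields[0][1])
            if ext_oid == OID_EXT_KEY_USAGE:
                ekus = [decode_oid(v) for _, v in der_children(inner)]
            elif ext_oid == OID_SUBJECT_ALT_NAME:
                principal = pkinit_san_principal(inner)
    return {"eku": ekus, "principal": principal}

def check_pkinit_cert(pem, expected_principal):
    """Reasons a KDC with pkinit_require_eku and pkinit_principal_in_certificate would reject this cert."""
    info, problems = pkinit_identity(pem), []
    if OID_PKINIT_CLIENT_AUTH not in info["eku"]:
        problems.append("EKU lacks id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)")
    if info["principal"] != expected_principal:
        problems.append(f"SAN principal {info['principal']} does not match {expected_principal}")
    return problems

if __name__ == "__main__":
    print(pkinit_identity(USER_CERT_PEM))
    print(check_pkinit_cert(USER_CERT_PEM, "userresttest@SAMDOM.VM-TEST-SERVER") or "no problems")
```

Run against the pasted certificate, the walker finds EKU 1.3.6.1.5.2.3.4 (id-pkinit-KPClientAuth), 1.3.6.1.5.5.7.3.4 and 1.3.6.1.5.5.7.3.2, and the SAN principal userresttest@SAMDOM.VM-TEST-SERVER, so the certificate itself satisfies the EKU and principal checks the poster's krb5.conf asks for; the fault has to be looked for on the client side of the exchange, which is consistent with the KDC log showing no PK-INIT pa-data arriving at all.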
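The JSON audit event in step 2 (written by the `auth_json_audit:3@/var/log/samba/samba_audit.log` setting in step 5) records that the KDC received an "ENC-TS Pre-authentication", i.e. a password-based pre-auth, for an account created with `--smartcard-required`. Whether that comes from a client that silently fell back from PKINIT, as in this thread, or from someone guessing passwords against a card-only account, it is an event worth alerting on. The following detection is an added example, not code from the poster or from Samba; the set of card-only accounts is an assumed input, the first sample event is the one from the post and the second is a constructed success for an ordinary password user. The parser skips any journald prefix before the `{`, so it works on both the journal copy shown in the post and the bare-JSON audit file.

```python
"""Added example: flag ENC-TS (password) Kerberos pre-auth attempts against
accounts that are supposed to authenticate only with a smart card, from Samba
auth_json_audit events (format version 1.2 as seen in the post)."""
import json

# Assumed input for this example: DOMAIN\account names created with --smartcard-required.
SMARTCARD_ONLY = {"SAMDOM\\userresttest"}

# Constructed sample log: line 1 is the event from the post (journald prefix kept),
# line 2 is a made-up successful password logon for a normal user.
SAMPLE_LOG = r'''Aug 04 10:00:48 dc1 samba[32824]:   {"timestamp": "2023-08-04T10:00:48.921744+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "e0c3e6c4b452b699", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress": "ipv4:192.168.56.10:33525", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "userresttest@SAMDOM.VM-TEST-SERVER", "workstation": null, "becameAccount": "userresttest", "becameDomain": "SAMDOM", "becameSid": "S-1-5-21-1683713074-1702463723-3046006096-1109", "mappedAccount": "userresttest", "mappedDomain": "SAMDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 10173}}
{"timestamp": "2023-08-04T10:05:00.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0000000000000001", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.56.11:40001", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "alice@SAMDOM.VM-TEST-SERVER", "workstation": null, "becameAccount": "alice", "becameDomain": "SAMDOM", "mappedAccount": "alice", "mappedDomain": "SAMDOM", "passwordType": "aes256-cts-hmac-sha1-96", "duration": 900}}
'''

def parse_auth_events(text):
    """Yield the 'Authentication' sub-objects found in the log, one per line.

    Tolerates a syslog/journald prefix by starting at the first '{' and
    ignores lines that are not JSON or not Authentication events."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            event = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if event.get("type") == "Authentication":
            yield event["Authentication"]

def password_preauth_on_smartcard_accounts(text, smartcard_only=SMARTCARD_ONLY):
    """Return (account, status, remoteAddress) for every Kerberos ENC-TS
    pre-authentication, failed or successful, against a card-only account."""
    hits = []
    for ev in parse_auth_events(text):
        if ev.get("serviceDescription") != "Kerberos KDC":
            continue
        if ev.get("authDescription") != "ENC-TS Pre-authentication":
            continue
        account = f'{ev.get("mappedDomain")}\\{ev.get("mappedAccount")}'
        if account in smartcard_only:
            hits.append((account, ev.get("status"), ev.get("remoteAddress")))
    return hits

if __name__ == "__main__":
    for account, status, source in password_preauth_on_smartcard_accounts(SAMPLE_LOG):
        print(f"ALERT password pre-auth against card-only account {account}: {status} from {source}")
```

A successful ENC-TS event for a card-only account should be treated as a higher-severity finding than the failure shown in the thread, since it means a usable password key exists for an account that is not supposed to have one.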
Olivier MARTIN
2023-Aug-07 13:05 UTC
[Samba] PKinit does not seem to be correctly setup - password requested and no pkinit(?)
Actually, I realised afterwards that I forgot to add debug output from kinit. Here are the logs for kinit:

$ KRB5_TRACE=/dev/stdout kinit -V userresttest -X "X509_user_identity=FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key"
Using default cache: /tmp/krb5cc_1000
Using principal: userresttest@SAMDOM.VM-TEST-SERVER
[33961] 1691148868.491458: Error loading plugin module pkinit: 2/unable to load plugin [/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so]: /usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so: cannot open shared object file: No such file or directory
PA Option X509_user_identity = FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key
[33961] 1691148868.491459: Getting initial credentials for userresttest@SAMDOM.VM-TEST-SERVER
[33961] 1691148868.491461: Sending unauthenticated request
[33961] 1691148868.491462: Sending request (210 bytes) to SAMDOM.VM-TEST-SERVER
[33961] 1691148868.491463: Sending DNS URI query for _kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491464: No URI records found
[33961] 1691148868.491465: Sending DNS SRV query for _kerberos._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491466: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148868.491467: Sending DNS SRV query for _kerberos._tcp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491468: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148868.491469: Resolving hostname dc1.samdom.vm-test-server.
[33961] 1691148868.491470: Sending initial UDP request to dgram 192.168.56.10:88
[33961] 1691148868.491471: Received answer (318 bytes) from dgram 192.168.56.10:88
[33961] 1691148868.491472: Sending DNS URI query for _kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491473: No URI records found
[33961] 1691148868.491474: Sending DNS SRV query for _kerberos-master._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148868.491475: No SRV records found
[33961] 1691148868.491476: Response was not from primary KDC
[33961] 1691148868.491477: Received error from KDC: -1765328359/Additional pre-authentication required
[33961] 1691148868.491480: Preauthenticating using KDC method data
[33961] 1691148868.491481: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[33961] 1691148868.491482: Selected etype info: etype aes256-cts, salt "", params "\x00\x00\x10\x00"
Password for userresttest@SAMDOM.VM-TEST-SERVER:
[33961] 1691148871.932342: AS key obtained for encrypted timestamp: aes256-cts/88FE
[33961] 1691148871.932344: Encrypted timestamp (for 1691148871.975233): plain 301AA011180F32303233303830343131333433315AA10502030EE181, encrypted AE5B4AFFF4578A51900DCB3E1DED18ED333D669764A5B4A7CC888472D8D6C95E9DF71A6FA8B47F6EC5D9CE22B92ECD02AB6D6D217AC6693E
[33961] 1691148871.932345: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[33961] 1691148871.932346: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[33961] 1691148871.932347: Sending request (290 bytes) to SAMDOM.VM-TEST-SERVER
[33961] 1691148871.932348: Sending DNS URI query for _kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932349: No URI records found
[33961] 1691148871.932350: Sending DNS SRV query for _kerberos._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932351: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148871.932352: Sending DNS SRV query for _kerberos._tcp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932353: SRV answer: 0 100 88 "dc1.samdom.vm-test-server."
[33961] 1691148871.932354: Resolving hostname dc1.samdom.vm-test-server.
[33961] 1691148871.932355: Sending initial UDP request to dgram 192.168.56.10:88
[33961] 1691148871.932356: Received answer (202 bytes) from dgram 192.168.56.10:88
[33961] 1691148871.932357: Sending DNS URI query for _kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932358: No URI records found
[33961] 1691148871.932359: Sending DNS SRV query for _kerberos-master._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932360: No SRV records found
[33961] 1691148871.932361: Response was not from primary KDC
[33961] 1691148871.932362: Received error from KDC: -1765328360/Preauthentication failed
[33961] 1691148871.932365: Retrying AS request with primary KDC
[33961] 1691148871.932366: Getting initial credentials for userresttest@SAMDOM.VM-TEST-SERVER
[33961] 1691148871.932368: Sending unauthenticated request
[33961] 1691148871.932369: Sending request (210 bytes) to SAMDOM.VM-TEST-SERVER (primary)
[33961] 1691148871.932370: Sending DNS URI query for _kerberos.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932371: No URI records found
[33961] 1691148871.932372: Sending DNS SRV query for _kerberos-master._udp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932373: Sending DNS SRV query for _kerberos-master._tcp.SAMDOM.VM-TEST-SERVER.
[33961] 1691148871.932374: No SRV records found
kinit: Password incorrect while getting initial credentials

And for the same command, here are the journalctl logs:

Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.524925, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Probing for AS-REQ
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.525797,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Not a FAST request
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.525902,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: AS-REQ userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:46075 for krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.533839,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Client sent patypes: 150, REQ-ENC-PA-REP
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534055,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=150,REQ-ENC-PA-REP
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534094,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Looking for PK-INIT(ietf) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534129,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Looking for PK-INIT(win2k) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534162,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Looking for ENC-TS pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534194,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Looking for GSS pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534250,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534297,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: as-req: sending error: -1765328359 to client
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534330,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: Making non-FAST KRB-ERROR
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534471,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.009597
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534514,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
Aug 04 11:34:28 dc1 samba[32834]: [2023/08/04 11:34:28.534554,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:28 dc1 samba[32834]:   Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:46075 userresttest@SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER client-pa=150,REQ-ENC-PA-REP e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.009597

(...logs after entering an empty password...)

Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.939374,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: Probing for AS-REQ
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.939575,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: Not a FAST request
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.939618,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: AS-REQ userresttest@SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:44724 for krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944366,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: Client sent patypes: ENC-TS, 150, REQ-ENC-PA-REP
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944496,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,150,REQ-ENC-PA-REP
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944549,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: Looking for PK-INIT(ietf) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944573,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: Looking for PK-INIT(win2k) pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944598,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: Looking for ENC-TS pa-data -- userresttest@SAMDOM.VM-TEST-SERVER
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944627,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: heim_audit_vaddkv(): kv pair[0] pa=ENC-TS
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944762,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: Failed to decrypt PA-DATA -- userresttest@SAMDOM.VM-TEST-SERVER (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944818,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: heim_audit_setkv_number(): setting kv pair pa-etype=18
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.944846,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=5
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948008,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]:   descriptor_prepare_commit: changes: num_registrations=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948085,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]:   descriptor_prepare_commit: changes: num_registered=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948110,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]:   descriptor_prepare_commit: changes: num_toplevel=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948132,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]:   descriptor_prepare_commit: changes: num_processed=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948153,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]:   descriptor_prepare_commit: objects: num_processed=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948173,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
Aug 04 11:34:31 dc1 samba[32834]:   descriptor_prepare_commit: objects: num_skipped=0
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948402,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Aug 04 11:34:31 dc1 samba[32834]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[userresttest@SAMDOM.VM-TEST-SERVER] at [Fri, 04 Aug 2023 11:34:31.948374 UTC] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.56.10:44724] mapped to [SAMDOM]\[userresttest]. local host [NULL]
Aug 04 11:34:31 dc1 samba[32834]:   {"timestamp": "2023-08-04T11:34:31.948553+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "fff977d25e6fdd30", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress": "ipv4:192.168.56.10:44724", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "userresttest@SAMDOM.VM-TEST-SERVER", "workstation": null, "becameAccount": "userresttest", "becameDomain": "SAMDOM", "becameSid": "S-1-5-21-1683713074-1702463723-3046006096-1109", "mappedAccount": "userresttest", "mappedDomain": "SAMDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 9215}}
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948660,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:   Kerberos: as-req: sending error: -1765328360 to client
Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948688,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Aug 04 11:34:31 dc1 samba[32834]:
Kerberos: Making non-FAST KRB-ERROR Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948801,? 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Aug 04 11:34:31 dc1 samba[32834]:?? Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.009441 Aug 04 11:34:31 dc1 samba[32834]: [2023/08/04 11:34:31.948832,? 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Aug 04 11:34:31 dc1 samba[32834]:?? Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.56.10:44724 userresttest at SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER at SAMDOM.VM-TEST-SERVER pa=ENC-TS pa-etype=18 client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.009441 ... Because I call kinit on the server, the timestamp should be same between kinit debug logs and journalctl logs. On 04.08.23 19:05, Olivier MARTIN wrote:> Hello all, > > I am really well aware of > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login I have read > many times. I have tried to follow the instructions and adapt them to > my simple setup. > > To start, my server runs "Debian GNU/Linux 12" and I use the Samba > Debian package "Samba: 2:4.17.9+dfsg-0+deb12u3" > > My issue is when I tried to authenticate myself with `kinit my-user -X > "X509_user_identity=FILE:my-user.crt,my-user.key"` it asked for a > password and it does not seem to do a PKINIT authentication. > Before playing with Samba AD DC, I had a MIT Kerberos + LDAP setup and > managed to do a similar working setup. > > > Here are the instructions to duplicate my issue > > > > 1. Create user with smartcard > sudo samba-tool user add userresttest --smartcard-required --no-pass > > Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.015861, 3] > ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version) > Aug 04 08:53:10 dc1 winbindd[16500]:?? 
winbindd_interface_version: > [nss_winbind (31725)]: request interface version (version = 32) > Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.017896, 3] > ../../source3/winbindd/winbindd.c:496(process_request_send) > Aug 04 08:53:10 dc1 winbindd[16500]:?? process_request_send: > [nss_winbind (31725)] Handling async request: GETGROUPS > Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.018123, 3] > ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send) > Aug 04 08:53:10 dc1 winbindd[16500]:?? [nss_winbind (31725)] Winbind > external command GETGROUPS start. > Aug 04 08:53:10 dc1 winbindd[16500]:?? Searching groups for username > 'root'. > Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.018622, 4] > ../../source3/winbindd/winbindd_dual.c:1633(child_handler) > Aug 04 08:53:10 dc1 winbindd[16562]:?? child daemon request 55 > Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019223, 3] > ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp) > Aug 04 08:53:10 dc1 winbindd[16562]:?? string_to_sid: SID? is not in a > valid format > Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.019338, 3] > ../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid) > Aug 04 08:53:10 dc1 winbindd[16562]:?? sam_name_to_sid: SAMDOM\ROOT > Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.023290,? 4] > ../../auth/auth_log.c:752(log_successful_authz_event_human_readable) > Aug 04 08:53:10 dc1 samba[16460]:?? Successful AuthZ: > [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04 > Aug 2023 08:53:10.023253 UTC] Remote host [ipv6::::0] local host > [ipv6::::0] > Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.033887,? 4] > ../../auth/auth_log.c:752(log_successful_authz_event_human_readable) > Aug 04 08:53:10 dc1 samba[16460]:?? 
Successful AuthZ: > [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Fri, 04 > Aug 2023 08:53:10.033863 UTC] Remote host [ipv6::::0] local host > [ipv6::::0] > Aug 04 08:53:10 dc1 samba[16460]: [2023/08/04 08:53:10.038783,? 3] > ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) > Aug 04 08:53:10 dc1 samba[16460]:?? ldb_wrap open of privilege.ldb > Aug 04 08:53:10 dc1 winbindd[16562]: [2023/08/04 08:53:10.041817, 4] > ../../source3/winbindd/winbindd_dual.c:1641(child_handler) > Aug 04 08:53:10 dc1 winbindd[16562]:?? Finished processing child > request 55 > Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042068, 1] > ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv) > Aug 04 08:53:10 dc1 winbindd[16500]:?? Could not convert sid S-0-0: > NT_STATUS_NONE_MAPPED > Aug 04 08:53:10 dc1 winbindd[16500]: [2023/08/04 08:53:10.042124, 3] > ../../source3/winbindd/winbindd.c:563(process_request_done) > Aug 04 08:53:10 dc1 winbindd[16500]:?? process_request_done: > [nss_winbind(31725):GETGROUPS]: NT_STATUS_NONE_MAPPED > Aug 04 08:53:10 dc1 sudo[31725]:? vagrant : TTY=pts/2 ; > PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/samba-tool user add > userresttest --smartcard-required --no-pass > Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session > opened for user root(uid=0) by vagrant(uid=1000) > Aug 04 08:53:10 dc1 sudo[31725]: pam_unix(sudo:session): session > closed for user root > > > 2. Test login for my new user on the server. A password is requested. > > $ kinit userresttest -X > "X509_user_identity=FILE:/tmp/vm-test-server-pki/certs/userresttest.crt,/tmp/vm-test-server-pki/certs/private/userresttest.key" > Password for userresttest at SAMDOM.VM-TEST-SERVER: > kinit: Password incorrect while getting initial credentials > > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.443651,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? 
Kerberos: Probing for AS-REQ > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444331,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Not a FAST request > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.444487,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: AS-REQ > userresttest at SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:57017 for > krbtgt/SAMDOM.VM-TEST-SERVER at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455560,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Client sent patypes: > 150, REQ-ENC-PA-REP > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455772,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: heim_audit_vaddkv(): kv > pair[0] client-pa=150,REQ-ENC-PA-REP > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455835,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Looking for > PK-INIT(ietf) pa-data -- userresttest at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.455910,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Looking for > PK-INIT(win2k) pa-data -- userresttest at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456016,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Looking for ENC-TS > pa-data -- userresttest at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456108,? 
3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Looking for GSS pa-data > -- userresttest at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456216,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Need to use > PA-ENC-TIMESTAMP/PA-PK-AS-REQ > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456302,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: as-req: sending error: > -1765328359 to client > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456360,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: Making non-FAST KRB-ERROR > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456700,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: heim_audit_vaddkv(): kv > pair[0] elapsed=0.013076 > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456783,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: heim_audit_vaddkv(): kv > pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ > Aug 04 10:00:45 dc1 samba[32834]: [2023/08/04 10:00:45.456845,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:45 dc1 samba[32834]:?? Kerberos: AS-REQ > ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:57017 > userresttest at SAMDOM.VM-TEST-SERVER > krbtgt/SAMDOM.VM-TEST-SERVER at SAMDOM.VM-TEST-SERVER > client-pa=150,REQ-ENC-PA-REP > e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.013076 > > (...logs after entering an empty password...) > > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911607,? 
3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: Probing for AS-REQ > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911876,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: Not a FAST request > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.911924,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: AS-REQ > userresttest at SAMDOM.VM-TEST-SERVER from ipv4:192.168.56.10:33525 for > krbtgt/SAMDOM.VM-TEST-SERVER at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916859,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: Client sent patypes: > ENC-TS, 150, REQ-ENC-PA-REP > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.916968,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: heim_audit_vaddkv(): kv > pair[0] client-pa=ENC-TS,150,REQ-ENC-PA-REP > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917013,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: Looking for > PK-INIT(ietf) pa-data -- userresttest at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917077,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: Looking for > PK-INIT(win2k) pa-data -- userresttest at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917136,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? 
Kerberos: Looking for ENC-TS > pa-data -- userresttest at SAMDOM.VM-TEST-SERVER > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917179,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: heim_audit_vaddkv(): kv > pair[0] pa=ENC-TS > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917283,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: Failed to decrypt > PA-DATA -- userresttest at SAMDOM.VM-TEST-SERVER (enctype > aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for > checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917333,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: > heim_audit_setkv_number(): setting kv pair pa-etype=18 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.917373,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: > heim_audit_setkv_number(): setting kv pair #auth_event=5 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921154,? 3] > ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit) > > Aug 04 10:00:48 dc1 samba[32824]:?? descriptor_prepare_commit: > changes: num_registrations=0 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921242,? 3] > ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit) > > Aug 04 10:00:48 dc1 samba[32824]:?? descriptor_prepare_commit: > changes: num_registered=0 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921280,? 3] > ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit) > > Aug 04 10:00:48 dc1 samba[32824]:?? 
descriptor_prepare_commit: > changes: num_toplevel=0 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921314,? 3] > ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit) > > Aug 04 10:00:48 dc1 samba[32824]:?? descriptor_prepare_commit: > changes: num_processed=0 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921347,? 3] > ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit) > > Aug 04 10:00:48 dc1 samba[32824]:?? descriptor_prepare_commit: > objects: num_processed=0 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921380,? 3] > ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit) > > Aug 04 10:00:48 dc1 samba[32824]:?? descriptor_prepare_commit: > objects: num_skipped=0 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921654,? 2] > ../../auth/auth_log.c:647(log_authentication_event_human_readable) > Aug 04 10:00:48 dc1 samba[32824]:?? Auth: [Kerberos KDC,ENC-TS > Pre-authentication] user [(null)]\[userresttest at SAMDOM.VM-TEST-SERVER] > at [Fri, 04 Aug 2023 10:00:48.921630 UTC] with > [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] > workstation [(null)] remote host [ipv4:192.168.56.10:33525] mapped to > [SAMDOM]\[userresttest]. local host [NULL] > Aug 04 10:00:48 dc1 samba[32824]:?? 
{"timestamp": > "2023-08-04T10:00:48.921744+0000", "type": "Authentication", > "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": > 4625, "logonId": "e0c3e6c4b452b699", "logonType": 3, "status": > "NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress": > "ipv4:192.168.56.10:33525", "serviceDescription": "Kerberos KDC", > "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, > "clientAccount": "userresttest at SAMDOM.VM-TEST-SERVER", "workstation": > null, "becameAccount": "userresttest", "becameDomain": "SAMDOM", > "becameSid": "S-1-5-21-1683713074-1702463723-3046006096-1109", > "mappedAccount": "userresttest", "mappedDomain": "SAMDOM", > "netlogonComputer": null, "netlogonTrustAccount": null, > "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": > 0, "netlogonTrustAccountSid": null, "passwordType": > "aes256-cts-hmac-sha1-96", "duration": 10173}} > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921900,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: as-req: sending error: > -1765328360 to client > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.921943,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: Making non-FAST KRB-ERROR > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922108,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? Kerberos: heim_audit_vaddkv(): kv > pair[0] elapsed=0.010505 > Aug 04 10:00:48 dc1 samba[32824]: [2023/08/04 10:00:48.922160,? 3] > ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) > > Aug 04 10:00:48 dc1 samba[32824]:?? 
Kerberos: AS-REQ > ERR_PREAUTH_FAILED ipv4:192.168.56.10:33525 > userresttest at SAMDOM.VM-TEST-SERVER > krbtgt/SAMDOM.VM-TEST-SERVER at SAMDOM.VM-TEST-SERVER pa=ENC-TS > pa-etype=18 client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.010505 > > > 3. Verify certificate. I am using an intermediate certificate: > root-ca.crt > user-signing-ca.crt > userresttest.crt > > $ openssl verify -CAfile /etc/pki/vm-test-server/ca/root-ca.crt > -untrusted /etc/pki/vm-test-server/ca/user-signing-ca-chain.crt > /tmp/vm-test-server-pki/certs/userresttest.crt > /tmp/vm-test-server-pki/certs/userresttest.crt: OK > > 4. krb5.conf > > $ sudo cat /etc/krb5.conf > [libdefaults] > ?? ?default_realm = SAMDOM.VM-TEST-SERVER > ?? ?dns_lookup_realm = false > ?? ?dns_lookup_kdc = true > > ?? ?pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt > > [appdefaults] > ?? ?pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt > > [realms] > ?? ?SAMDOM.VM-TEST-SERVER = { > ?? ???? default_domain = samdom.vm-test-server > > ?? ???? pkinit_require_eku = true > ?? ?} > > [kdc] > ?? ?enable-pkinit = yes > ?? ?pkinit_identity = > FILE:/etc/pki/vm-test-server/ca/service-ca/ad_dc.crt,/etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key > ?? ?pkinit_anchors = FILE:/etc/pki/vm-test-server/ca/root-ca.crt > ?? ?pkinit_principal_in_certificate = yes > ?? ?pkinit_win2k = no > ?? ?pkinit_win2k_require_binding = yes > > [domain_realm] > ?? ?dc1 = SAMDOM.VM-TEST-SERVER > > [logging] > ??? kdc????????? = SYSLOG:NOTICE > ??? admin_server = SYSLOG:NOTICE > ??? default????? = SYSLOG:NOTICE > > 5. Samba configuration: > > $ cat /etc/samba/smb.conf > # Global parameters > [global] > ?? ?dns forwarder = 8.8.8.8 > ?? ?netbios name = DC1 > ?? ?realm = SAMDOM.VM-TEST-SERVER > ?? ?server role = active directory domain controller > ?? ?workgroup = SAMDOM > ?? ?idmap_ldb:use rfc2307 = yes > > ?? ?disable netbios = yes > ?? ?log level = 4 auth_json_audit:3@/var/log/samba/samba_audit.log > ?? 
?logging = syslog at 4 > ?? ?restrict anonymous = 2 > ?? ?load printers = no > ?? ?cups options = raw > ?? ?printcap name = /dev/null > ?? ?ldap debug level = 1 > ?? ?tls enabled = yes > ?? ?tls keyfile = /etc/pki/vm-test-server/ca/service-ca/private/ad_dc.key > ?? ?tls certfile = /etc/pki/vm-test-server/ca/service-ca/ad_dc.crt > ?? ?tls cafile = /etc/pki/vm-test-server/ca/root-ca.crt > ?? ?tls crlfile = /etc/pki/vm-test-server/ca/service-ca/services.crl > ?? ?tls dhparams file = /etc/pki/vm-test-server/ad_dc_dhparams.pem > [sysvol] > ?? ?path = /var/lib/samba/sysvol > ?? ?read only = No > > [netlogon] > ?? ?path = /var/lib/samba/sysvol/samdom.vm-test-server/scripts > ?? ?read only = No > > > 6. User certificate Dump > > $ cat /tmp/vm-test-server-pki/certs/userresttest.crt > -----BEGIN CERTIFICATE----- > MIIDuTCCAqGgAwIBAgIUa4JmnGUhfgqzcpmDhS6zg4E93ucwDQYJKoZIhvcNAQEL > BQAwRTEeMBwGCgmSJomT8ixkARkWDnZtLXRlc3Qtc2VydmVyMREwDwYDVQQLDAhE > ZW1vIEx0ZDEQMA4GA1UEAwwHVXNlciBDQTAeFw0yMzA4MDQwODE3MjdaFw0yNDA4 > MDMwODE3MjdaMGAxFjAUBgoJkiaJk/IsZAEZFgZzYW1kb20xHjAcBgoJkiaJk/Is > ZAEZFg52bS10ZXN0LXNlcnZlcjEPMA0GA1UEAwwGcGVvcGxlMRUwEwYDVQQDDAx1 > c2VycmVzdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCek1JL > RqTzRkjQdaowRsiiBTHJstIz9RhsOx9esgqzOFaAmaMi4vbDWjN8VB4IIUKWe6YR > 5Miv9JWkjne6bNjuMauedf8iv0/wxdVBvDcUm2y2qkqcmj75BPBjrlWjanw+hhQD > w+9OJjfZP5uncRv1kil3r1M4gjntkOP5iKa8ttupzpzVEgWcsdJUy84qTfxYmGS/ > obzP0QbftAQanjfzR/ex+JtVyjqHYS7Z1pEBH0bkhVfzkSutEoC272SUDmjMGoZW > +lgJI7AfH0XS/Y0D1dhYcX05deQFwljx1KxqXWHz0L3cXxjjH0xNG0YUQcK7OvdF > aKXXx/kP00e2hZ2/AgMBAAGjgYUwgYIwCwYDVR0PBAQDAgOoMCYGA1UdJQQfMB0G > BysGAQUCAwQGCCsGAQUFBwMEBggrBgEFBQcDAjBLBgNVHREERDBCoEAGBisGAQUC > AqA2MDSgFxsVU0FNRE9NLlZNLVRFU1QtU0VSVkVSoRkwF6ADAgEBoRAwDhsMdXNl > cnJlc3R0ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQAlOokZ7uVmQ8A84Kcn/zMaIA/S > EFx8UNXjqTQNyPeYVDYiAj9Y1DLI9K3HJzCADPzfIi0gfDZKob3bqK+CtcBLKOfm > 6p0mEQcABgPq+uAbcW3yps9nUpCMKq+96SLughdePRjJ2OTuKfzwq58g8SBKWqKi > 
vjKbTvfmMsyu+O4ca5Srh4FuzhXLiD92XL8uYu19iRGSZ0FGrsSzuxvF/gwjLNHD > G7fo0lR705s4Yjaa+JTgBNOg8Ar1bZfKWZA9t5JtGdop0zBkpfzgt28sn9uTxkqn > LOsoQe5cRmh5lcbnWokPGg7qNsN458WmptOXK1p2ZGHtZ0ZPp0SemeCPMy8g > -----END CERTIFICATE----- > > > 7. User's Samba entries: > > $ sudo samba-tool user show userresttest > Processing section "[sysvol]" > Processing section "[netlogon]" > pm_process() returned Yes > ldb_wrap open of secrets.ldb > dn: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: user > cn: userresttest > instanceType: 4 > whenCreated: 20230804085310.0Z > whenChanged: 20230804085310.0Z > uSNCreated: 4112 > uSNChanged: 4112 > name: userresttest > objectGUID: cda01bf5-fdee-4137-9474-538f266ed65f > userAccountControl: 262656 > badPwdCount: 0 > codePage: 0 > countryCode: 0 > badPasswordTime: 0 > lastLogoff: 0 > lastLogon: 0 > pwdLastSet: 0 > primaryGroupID: 513 > objectSid: S-1-5-21-1683713074-1702463723-3046006096-1109 > accountExpires: 9223372036854775807 > logonCount: 0 > sAMAccountName: userresttest > sAMAccountType: 805306368 > userPrincipalName: userresttest at samdom.vm-test-server > objectCategory: > CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=vm-test-server > distinguishedName: CN=userresttest,CN=Users,DC=samdom,DC=vm-test-server > > > > I tried with 'pkinit_anchors = > FILE:/etc/pki/vm-test-server/ca/root-ca.crt' as specified by the Samba > wiki page: > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Edit_the_Samba_KDC_Configuration_File_to_Enable_PKINIT_Authentication > I also tried with the CA bundle user-signing-ca-chain.crt : `cat > ca/user-signing-ca.crt ca/root-ca.crt > ca/user-signing-ca-chain.crt` > ... but same issue. 
> > I also read the recent Samba mailing list thread "Samba 4 AD SmartCard > Authentication Problem": > https://www.spinics.net/lists/samba/msg179822.html but Hans got > luckier he got the error 'NT_STATUS_PKINIT_FAILURE' while my issue > seems to be different. Could it be related to my user creation. > > I have no entries for pkinit in my logs: `sudo journalctl -u > samba-ad-dc.service | grep -i pkinit` is empty. > > > Thanks in advance, > Olivier >
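The one-line `AS-REQ <outcome> ...` audit summaries in the logs above carry the fact this question turns on: the `client-pa=` list, i.e. which pre-authentication types the client actually put in its request. The helper below is an added example, not code from Samba, Heimdal or Olivier's post. It parses those summary lines (the two sample lines are copied from the thread, message part only, with the archive's "at" obfuscation undone), maps the PA-DATA type numbers to their names from RFC 4120, RFC 4556, RFC 6806 and RFC 8070, decodes the `userAccountControl` value 262656 shown by `samba-tool user show` using the bit names from MS-ADTS, and names the raw Heimdal error numbers from the `as-req: sending error` lines. The verdict strings are this example's own reading aids, not anything the KDC emits.

```python
"""Added example (not Samba/Heimdal code): triage the "AS-REQ <outcome> ..."
audit summaries a Samba AD DC logs, decode userAccountControl and the raw
Heimdal error numbers, and say whether the client ever offered PKINIT."""
import re

# PA-DATA types (RFC 4120 7.5.2, RFC 4556, RFC 6806, RFC 8070). Heimdal names
# the ones it knows and prints the bare number for the rest (hence "150").
PA_TYPES = {
    2: "ENC-TS",            # PA-ENC-TIMESTAMP: proves the password-derived key
    14: "PK-AS-REQ-OLD",    # PKINIT, pre-RFC ("win2k") encoding
    15: "PK-AS-REP-OLD",
    16: "PK-AS-REQ",        # PKINIT, RFC 4556: what a certificate logon must send
    17: "PK-AS-REP",
    149: "REQ-ENC-PA-REP",  # RFC 6806
    150: "AS-FRESHNESS",    # RFC 8070
}
PKINIT_TYPES = {14, 15, 16, 17}
_NAME_TO_NUM = {name: num for num, name in PA_TYPES.items()}

# Heimdal krb5_error_code = -1765328384 + KDC protocol error number.
KRB_ERRORS = {-1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",     # 24
              -1765328359: "KRB5KDC_ERR_PREAUTH_REQUIRED"}   # 25

# userAccountControl bits (MS-ADTS 2.2.16); --smartcard-required sets 0x40000.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
             0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION"}

# "AS-REQ <OUTCOME> <remote> <client> <server> k=v ...". The upper-case outcome
# token keeps the per-request "AS-REQ user@REALM from ..." line from matching.
_AUDIT = re.compile(r"AS-REQ (?P<outcome>[A-Z_]+) (?P<remote>\S+) (?P<client>\S+) "
                    r"(?P<server>\S+)(?P<kv>(?: \S+=\S+)*)")


def pa_type_numbers(csv):
    """'ENC-TS,150,REQ-ENC-PA-REP' -> [2, 150, 149]; unknown names become -1."""
    return [int(t) if t.isdigit() else _NAME_TO_NUM.get(t, -1)
            for t in csv.split(",") if t]


def parse_as_req_audit(line):
    """Dict for an AS-REQ audit summary line, None for any other line."""
    m = _AUDIT.search(line)
    if m is None:
        return None
    kv = dict(item.split("=", 1) for item in m.group("kv").split())
    return {"outcome": m.group("outcome"), "remote": m.group("remote"),
            "client": m.group("client"), "server": m.group("server"),
            "client_pa": pa_type_numbers(kv.get("client-pa", "")),
            "used_pa": kv.get("pa"),  # the PA element the KDC actually verified
            "etext": kv.get("e-text", "").replace("\\s", " ")}


def offered_pkinit(rec):
    return any(n in PKINIT_TYPES for n in rec["client_pa"])


def triage(line):
    """Parse one line and attach a one-sentence reading of it."""
    rec = parse_as_req_audit(line)
    if rec is None:
        return None
    if offered_pkinit(rec):
        rec["verdict"] = "client offered PKINIT; look at the KDC's certificate checks"
    elif rec["used_pa"] == "ENC-TS":
        rec["verdict"] = "KDC verified a password timestamp; no PKINIT element in this AS-REQ"
    else:
        rec["verdict"] = "no PKINIT element offered; the KDC can only demand pre-auth"
    return rec


def decode_uac(value):
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def krb_error_name(code):
    return KRB_ERRORS.get(code, f"unknown({code})")


# Constructed sample: the two summary lines from this thread, message part only.
SAMPLE_LINES = [
    r"Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.56.10:46075 "
    r"userresttest@SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER "
    r"client-pa=150,REQ-ENC-PA-REP e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.009597",
    r"Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.56.10:44724 "
    r"userresttest@SAMDOM.VM-TEST-SERVER krbtgt/SAMDOM.VM-TEST-SERVER@SAMDOM.VM-TEST-SERVER "
    r"pa=ENC-TS pa-etype=18 client-pa=ENC-TS,150,REQ-ENC-PA-REP elapsed=0.009441",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = triage(line)
        names = [PA_TYPES.get(n, str(n)) for n in rec["client_pa"]]
        print(f"{rec['outcome']:<21} client-pa={names} pa={rec['used_pa']}: {rec['verdict']}")
    print("userAccountControl 262656 ->", decode_uac(262656))
    print(-1765328359, "->", krb_error_name(-1765328359))
```

Run against the two lines from the thread, the first request carries only AS-FRESHNESS (150) and REQ-ENC-PA-REP and the second adds ENC-TS, a password-derived timestamp; none of the PKINIT types 14 to 17 appears in either, which matches the KDC's "Looking for PK-INIT(ietf) pa-data" finding nothing and then falling through to ENC-TS. Two small caveats when applying this to a real journal: Samba's KDC spells the mechanism "PK-INIT" in these lines, so `grep -i pkinit` over journalctl will not match them, and the "at" in principal names on the list archive is the archive's address obfuscation, not what the KDC logged.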