thr3ads.net - samba - [Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA) [Apr 2025]

If this information is useful, please help other people find it:
Share via:

Michał Węgrzynek

2025-Apr-22 13:38 UTC

[Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)

Hello,

I'm trying to set-up smart card login for a Samba 4 domain. I prepared 
root and intermediate CAs using Step CA 
(https://smallstep.com/docs/step-ca/index.html). I was able to generate 
and set certificates for all DCs, but when I'm attempting a smartcard 
login through Windows I get

[2025/04/22 15:15:04.998951,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: Probing for AS-REQ
[2025/04/22 15:15:04.999512,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: heim_audit_vaddkv(): kv pair[0] 
armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM
[2025/04/22 15:15:04.999596,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: Client selected FAST
[2025/04/22 15:15:05.001663,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: AS-REQ mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM 
from ipv4:172.20.7.48:53196 for 
krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
[2025/04/22 15:15:05.011057,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=11
[2025/04/22 15:15:05.011406,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: Client sent patypes: PK-INIT(ietf), OCSP, 128, 167
[2025/04/22 15:15:05.011429,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: heim_audit_vaddkv(): kv pair[0] 
client-pa=PK-INIT(ietf),OCSP,128,167
[2025/04/22 15:15:05.011446,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: Looking for PK-INIT(ietf) pa-data -- 
mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
[2025/04/22 15:15:05.011463,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: heim_audit_vaddkv(): kv pair[0] pa=PK-INIT(ietf)
[2025/04/22 15:15:05.011663,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: PKINIT: failed to verify signature: Failed to verify 
signature of certificate: 569861
[2025/04/22 15:15:05.011684,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: PKINIT: Signature algorithm not supported
[2025/04/22 15:15:05.011701,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: Failed to decode PKINIT PA-DATA -- 
mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
[2025/04/22 15:15:05.011841,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: as-req: sending error: -1765328353 to client
[2025/04/22 15:15:05.011858,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: Adding dummy FAST cookie for KRB-ERROR
[2025/04/22 15:15:05.011874,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: Making FAST inner KRB-ERROR
[2025/04/22 15:15:05.012164,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.013223
[2025/04/22 15:15:05.012185,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: AS-REQ KRB5KRB_AP_ERR_BAD_INTEGRITY ipv4:172.20.7.48:53196 
mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM 
krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM pa=PK-INIT(ietf) 
client-pa=PK-INIT(ietf),OCSP,128
,167 elapsed=0.013223 
armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM

in the Samba DC's logs.

The user certificate is issued from an intermediate CA looks like this:

Certificate:
 ??? Data:
 ??????? Version: 3 (0x2)
 ??????? Serial Number:
 ??????????? c2:5b:22:4c:a1:5e:2e:c0:b0:df:53:7d:66:35:39:0e
 ??????? Signature Algorithm: rsassaPss
 ??????? Hash Algorithm: sha256
 ??????? Mask Algorithm: mgf1 with sha256
 ???????? Salt Length: 0x20
 ??????? Trailer Field: 0x01 (default)
 ??????? Issuer: CN=REDACTED Intermediate CA
 ??????? Validity
 ??????????? Not Before: Apr 22 11:38:20 2025 GMT
 ??????????? Not After : Apr 22 17:39:20 2026 GMT
 ??????? Subject: CN=Micha? W?grzynek
 ??????? Subject Public Key Info:
 ??????????? Public Key Algorithm: rsaEncryption
 ??????????????? Public-Key: (2048 bit)
 ??????????????? Modulus:
 ??????????????????? 00:a6:72:3a:86:89:fd:ad:8b:d7:a8:11:ab:f5:01:
 ??????????????????? 9f:5f:c1:11:33:18:06:bc:dc:36:4b:82:62:e3:8b:
 ??????????????????? 90:1c:97:83:d7:17:91:4d:2b:01:dd:78:94:ab:08:
 ??????????????????? 1f:97:9c:cc:de:9b:e5:24:b6:d4:97:ac:57:4f:43:
 ??????????????????? de:c7:b4:16:15:d1:b9:b1:da:67:4b:4d:e8:31:8d:
 ??????????????????? d6:c5:0b:df:29:6d:f6:13:8d:4f:58:41:9c:8b:f7:
 ??????????????????? 6e:83:af:95:15:bd:17:e8:50:26:fa:22:72:45:97:
 ??????????????????? 13:38:aa:64:b7:ae:eb:84:07:46:04:ce:cd:4f:4b:
 ??????????????????? 87:80:f7:60:1c:7c:17:81:9b:e6:bc:95:1c:e8:5d:
 ??????????????????? 41:15:09:e5:d6:50:2b:4f:d2:d6:08:3c:c8:fd:25:
 ??????????????????? 46:77:c4:e5:13:70:1a:c3:13:04:77:fc:ef:6c:f4:
 ??????????????????? a8:5e:88:df:56:22:56:86:93:c0:7b:ad:d3:db:bb:
 ??????????????????? ad:9a:df:9b:1e:9e:40:99:11:a1:04:6b:50:bc:4a:
 ??????????????????? 07:5c:5a:7a:2f:2f:5c:3b:75:5a:d2:63:9a:ab:6d:
 ??????????????????? 42:f4:b3:c0:f5:6f:f3:30:93:37:bc:c6:fd:b4:8d:
 ??????????????????? be:53:f3:c8:5f:fb:ef:f3:ff:91:04:9c:e1:54:c2:
 ??????????????????? a3:fc:77:bf:d9:86:68:90:d6:48:b5:f5:21:d9:1f:
 ??????????????????? e7:83
 ??????????????? Exponent: 65537 (0x10001)
 ??????? X509v3 extensions:
 ??????????? X509v3 Key Usage: critical
 ??????????????? Digital Signature, Key Encipherment
 ??????????? X509v3 Extended Key Usage:
 ??????????????? TLS Web Client Authentication, Microsoft Smartcard Login
 ??????????? X509v3 Subject Key Identifier:
A1:22:3F:42:9F:2A:6C:DA:7A:D2:B6:EC:A9:93:96:4B:01:8B:E0:3F
 ??????????? X509v3 Authority Key Identifier:
4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
 ??????????? X509v3 CRL Distribution Points:
 ??????????????? Full Name:
 ????????????????? URI:http://ca.redacted.com/1.0/crl

 ??????????? X509v3 Subject Alternative Name:
 ??????????????? email:mwegrzynek at litexservice.pl, othername: 
UPN:mwegrzynek at ad.redacted.com
 ??? Signature Algorithm: rsassaPss
 ??? Signature Value:
 ??????? Hash Algorithm: sha256
 ??????? Mask Algorithm: mgf1 with sha256
 ???????? Salt Length: 0x20
 ??????? Trailer Field: 0x01 (default)
 ??????? 35:2e:81:e8:72:ac:68:75:b5:87:ac:db:5b:f5:74:c5:05:26:
 ??????? 74:5c:58:e0:c9:19:f4:bf:34:69:75:76:ed:48:ea:fd:20:05:
 ??????? 8e:3e:42:e8:c8:c9:ca:67:53:42:8c:c8:0a:5d:42:b0:e8:ef:
 ??????? ea:87:b5:52:d8:72:96:77:95:5b:ba:e6:c7:e1:0b:64:d2:da:
 ??????? b3:f7:a3:cc:bc:f0:92:4e:74:7f:7a:62:b5:72:a2:54:99:81:
 ??????? fb:16:1c:2e:60:e6:a0:8a:4f:16:1d:24:c3:c4:d2:d4:24:1f:
 ??????? f1:c7:62:72:5f:2e:1c:96:cc:15:a9:dc:c6:1d:cf:e0:78:8b:
 ??????? d3:c5:e7:7b:a4:36:40:f0:14:21:0c:1f:07:5d:0c:90:63:c1:
 ??????? 2c:de:64:5d:01:75:24:d4:2f:44:a1:7c:8c:01:a9:33:e3:23:
 ??????? 26:b7:25:f8:3d:bd:5e:4b:8b:91:e9:dd:65:5a:a4:c2:93:0e:
 ??????? 89:c9:e3:86:71:24:b0:68:30:f5:a0:4e:c0:3d:3b:4c:e6:ea:
 ??????? e5:ef:5d:77:f6:ad:7f:f1:87:3e:7c:47:fd:97:f8:59:74:51:
 ??????? 40:53:d8:7c:4a:b0:1c:a5:b1:01:be:be:88:fc:e9:aa:85:78:
 ??????? 18:a3:15:91:e4:d5:b7:07:6e:87:9b:8e:a0:52:71:59:23:5f:
 ??????? 9f:db:da:73:ce:4a:81:4d:15:50:2d:81:42:6f:ee:4c:bf:7d:
 ??????? 1d:69:87:22:49:08:7c:3b:fc:10:6a:51:84:4a:7e:83:3b:54:
 ??????? 72:fb:54:71:b8:85:ae:a7:78:5b:d5:d9:ea:6f:7d:c1:b2:d2:
 ??????? cd:72:27:31:cc:e0:7f:7e:0b:0d:dd:ae:e5:52:50:23:bb:50:
 ??????? ba:87:77:f7:b9:d4:2a:08:e1:02:6d:08:cd:af:9a:ce:7b:e4:
 ??????? 50:e9:be:f8:c8:06:96:4d:ea:3f:f1:2f:d1:28:a6:a9:9d:ed:
 ??????? 84:a6:34:c4:29:b1:f7:c6:a0:ae:6c:7a:a6:c4:c0:42:d3:fa:

Below are root and intermediate certs:

Certificate:
 ??? Data:
 ??????? Version: 3 (0x2)
 ??????? Serial Number:
 ??????????? ef:dd:02:19:d8:88:f3:fd:3b:86:d0:af:af:d5:53:5b
 ??????? Signature Algorithm: rsassaPss
 ??????? Hash Algorithm: sha256
 ??????? Mask Algorithm: mgf1 with sha256
 ???????? Salt Length: 0x20
 ??????? Trailer Field: 0x01 (default)
 ??????? Issuer: CN = REDACTED Root CA
 ??????? Validity
 ??????????? Not Before: Apr 15 09:11:39 2025 GMT
 ??????????? Not After : Apr 15 21:11:39 2035 GMT
 ??????? Subject: CN = REDACTED Root CA
 ??????? Subject Public Key Info:
 ??????????? Public Key Algorithm: rsaEncryption
 ??????????????? Public-Key: (3072 bit)
 ??????????????? Modulus:
 ??????????????????? 00:df:0b:aa:ed:97:2a:44:e0:34:b6:42:6b:0f:07:
 ??????????????????? b8:08:dd:25:fb:55:0b:85:d4:06:76:cd:1b:0f:5c:
 ??????????????????? 61:ec:c5:73:2d:91:12:b6:f9:6c:d2:33:66:f2:ec:
 ??????????????????? c6:4d:83:20:39:dd:2b:61:ae:9e:9c:af:07:fe:b9:
 ??????????????????? 4d:f0:4d:c7:8c:b8:af:bc:a0:4f:a5:26:da:dd:f5:
 ??????????????????? 5a:91:a8:54:12:4f:06:e2:6d:2c:7a:fb:c6:13:2a:
 ??????????????????? db:4a:34:89:4f:67:f0:da:1d:e5:58:48:5c:d9:91:
 ??????????????????? 61:33:f3:d2:a6:0d:d4:c7:d0:b0:f0:9f:2c:53:10:
 ??????????????????? 95:72:1e:34:39:28:82:f7:e4:96:e3:1a:25:bd:47:
 ??????????????????? c8:3b:ec:1d:05:ce:51:7c:75:bd:cf:41:83:42:1f:
 ??????????????????? 8a:0e:45:cd:55:cd:3b:91:3b:19:1b:f3:ec:3a:99:
 ??????????????????? 27:87:23:c8:84:68:6c:0a:ec:4f:f8:c5:9e:59:07:
 ??????????????????? 75:2d:05:02:f2:aa:ca:ce:23:6f:5b:31:a0:f0:89:
 ??????????????????? 00:13:26:eb:dd:6b:3d:22:f5:8b:24:8f:01:64:a1:
 ??????????????????? dd:7b:24:9a:c3:7a:58:65:96:cf:a8:0c:80:5e:36:
 ??????????????????? 2e:7b:f0:9e:33:3d:53:18:8d:3b:90:11:e5:6b:df:
 ??????????????????? c1:27:74:0c:f0:cf:da:c4:e1:18:07:f0:f7:1f:ff:
 ??????????????????? e8:08:fb:34:3d:5f:ac:29:0d:4d:16:71:f5:18:51:
 ??????????????????? f8:57:01:d0:20:8a:16:61:7f:42:56:a0:66:aa:fa:
 ??????????????????? 9e:d1:50:20:da:d6:52:63:fd:88:7c:ae:47:b0:eb:
 ??????????????????? f7:ba:25:ac:af:33:f5:ec:b2:40:37:c8:2c:d4:c3:
 ??????????????????? eb:9a:53:24:ff:8f:9a:47:7c:bf:60:a3:01:49:ff:
 ??????????????????? 67:71:ed:6b:4f:7c:b2:5e:e3:31:9f:b3:df:3b:32:
 ??????????????????? ea:e3:6e:93:eb:da:34:3b:c3:f9:7c:14:94:73:da:
 ??????????????????? a8:df:0e:32:f8:52:5a:28:6e:1d:1d:76:88:4e:66:
 ??????????????????? a0:79:fb:74:f5:4b:dd:e5:dc:7b
 ??????????????? Exponent: 65537 (0x10001)
 ??????? X509v3 extensions:
 ??????????? X509v3 Key Usage: critical
 ??????????????? Certificate Sign, CRL Sign
 ??????????? X509v3 Basic Constraints: critical
 ??????????????? CA:TRUE, pathlen:1
 ??????????? X509v3 Subject Key Identifier:
74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
 ??? Signature Algorithm: rsassaPss
 ??? Signature Value:
 ??????? Hash Algorithm: sha256
 ??????? Mask Algorithm: mgf1 with sha256
 ???????? Salt Length: 0x20
 ??????? Trailer Field: 0x01 (default)
 ??????? 11:70:8a:fc:17:a4:1f:93:9a:a4:30:8f:71:41:02:77:57:5e:
 ??????? 02:12:b8:45:45:19:e4:e2:d6:2a:df:5c:ba:f5:7c:ad:ae:a9:
 ??????? 2e:f3:ab:6b:3c:02:1c:86:42:53:12:29:53:f9:50:01:77:03:
 ??????? b3:16:ca:d2:ab:fb:9b:fe:92:69:39:6f:b1:1c:51:cc:60:78:
 ??????? f7:dc:c1:dd:82:5c:68:6f:a9:5a:d5:da:b8:c2:54:0e:18:d6:
 ??????? a2:a9:eb:1e:e2:97:65:2a:7b:81:74:ee:18:10:17:81:13:d3:
 ??????? f4:cb:24:24:7c:2e:1a:6a:39:84:e4:8c:45:f5:c4:f7:11:d2:
 ??????? fb:0e:3a:5f:66:8c:4c:d1:78:e6:0e:f2:42:ca:77:d5:fd:cf:
 ??????? 12:6b:f7:d2:ea:bf:89:58:89:26:a8:da:37:c5:45:16:e4:fc:
 ??????? df:59:ac:3d:44:27:e6:ab:f7:6f:a8:6b:e0:13:33:47:7c:b3:
 ??????? 9a:0b:af:20:6a:19:02:2b:84:15:77:ab:ec:f4:dc:4c:ce:e3:
 ??????? 97:72:d2:1c:53:86:8e:aa:da:96:04:6f:3a:a5:5a:6b:78:22:
 ??????? 73:e6:07:6d:e4:35:f0:ef:13:dc:e6:05:58:ec:41:96:2d:d9:
 ??????? 00:de:7e:dc:b8:60:25:c8:48:65:5b:51:4c:16:0b:14:02:75:
 ??????? 11:19:86:d5:22:1d:9e:c1:80:51:b8:ed:eb:f3:1a:e6:fb:35:
 ??????? 34:8b:12:22:c8:8b:b7:6f:10:64:23:62:ad:5c:f8:99:7d:18:
 ??????? 15:e8:a3:da:3c:10:58:84:63:ce:7e:c9:ed:63:87:2d:02:53:
 ??????? 10:39:6e:b5:af:46:21:b5:d3:d0:53:c2:3d:4c:b0:ab:5c:b4:
 ??????? a1:bf:e9:5e:cf:bd:d3:cf:f6:b6:c8:d6:3c:be:58:4a:1f:16:
 ??????? 1e:4a:77:af:37:11:aa:05:79:04:fb:9e:f4:f6:80:d9:b0:9d:
 ??????? 60:c6:a2:39:2b:d9:df:17:71:8a:12:bf:2f:45:e5:22:25:17:
 ??????? 96:af:f5:30:8d:e3
Certificate:
 ??? Data:
 ??????? Version: 3 (0x2)
 ??????? Serial Number:
 ??????????? 88:77:13:53:37:88:34:95:7f:bc:29:74:e6:a1:8f:06
 ??????? Signature Algorithm: rsassaPss
 ??????? Hash Algorithm: sha256
 ??????? Mask Algorithm: mgf1 with sha256
 ???????? Salt Length: 0x20
 ??????? Trailer Field: 0x01 (default)
 ??????? Issuer: CN = REDACTED Root CA
 ??????? Validity
 ??????????? Not Before: Apr 22 07:46:23 2025 GMT
 ??????????? Not After : Apr 22 19:46:16 2035 GMT
 ??????? Subject: CN = REDACTED Intermediate CA
 ??????? Subject Public Key Info:
 ??????????? Public Key Algorithm: rsaEncryption
 ??????????????? Public-Key: (3072 bit)
 ??????????????? Modulus:
 ??????????????????? 00:e7:7e:04:c8:b2:5c:ec:ba:ed:0f:9e:fa:bd:2a:
 ??????????????????? 19:cf:9f:1b:a3:ad:38:b0:d8:56:0f:56:05:01:67:
 ??????????????????? dc:07:27:1f:c7:9c:53:9a:f1:0a:26:9f:7d:28:30:
 ??????????????????? 4b:b5:66:d1:73:b4:f7:9b:a1:cf:a6:00:5a:97:32:
 ??????????????????? 74:7c:e6:ca:99:ae:e7:30:c7:5a:8d:fb:91:6d:c8:
 ??????????????????? 51:d4:89:ef:24:8f:c9:b5:a1:84:68:52:d5:dc:4c:
 ??????????????????? 5d:05:b5:d9:47:63:27:d0:90:4d:43:2c:d6:60:8d:
 ??????????????????? 91:71:00:7f:5b:fb:23:c1:79:04:3c:45:e5:11:ec:
 ??????????????????? 8c:0d:7e:ef:2a:5f:83:19:00:da:c2:9f:64:f9:24:
 ??????????????????? c9:e3:bd:37:8e:b2:72:a6:5d:90:ca:23:f3:a9:e6:
 ??????????????????? f0:66:d6:60:06:e6:57:a9:c7:49:0f:30:90:1f:d7:
 ??????????????????? 52:07:a1:4d:c4:49:12:ce:d1:e3:43:6e:4a:c9:dc:
 ??????????????????? 7a:d2:dd:94:d4:8d:6a:df:2f:96:75:d2:c6:6f:c1:
 ??????????????????? ab:75:90:80:8e:cb:b2:5e:43:0a:a5:c8:69:8b:11:
 ??????????????????? 48:5f:ce:2c:5f:2b:93:d2:b0:9a:6f:96:e0:88:ad:
 ??????????????????? fa:4d:6b:0b:b9:f4:05:7a:1d:1c:be:20:41:df:90:
 ??????????????????? a6:2e:9a:94:4c:ff:40:81:4d:2a:df:4a:6f:ed:91:
 ??????????????????? e4:fe:bf:6f:0f:cd:4e:a6:70:a9:d8:e4:e3:72:95:
 ??????????????????? 35:37:bf:f1:62:15:ab:57:ec:5c:d6:08:a7:bb:0f:
 ??????????????????? 9f:7a:25:c5:5a:59:ce:3f:e0:dd:99:39:d4:ab:f5:
 ??????????????????? a7:94:9b:e6:7b:5e:30:47:df:4a:e1:2a:b1:84:33:
 ??????????????????? 65:f1:a5:b0:af:53:62:ef:7d:f5:59:4d:77:bf:78:
 ??????????????????? 3e:82:58:2e:91:54:b6:3c:df:ea:0b:6e:7b:69:43:
 ??????????????????? ca:0d:c0:33:c1:6d:1d:9c:99:63:0d:80:55:f9:cd:
 ??????????????????? e5:6d:9b:8f:ef:25:76:44:0f:67:7d:f9:5d:e2:32:
 ??????????????????? ba:4b:cd:ec:4e:b3:b6:50:67:2b
 ??????????????? Exponent: 65537 (0x10001)
 ??????? X509v3 extensions:
 ??????????? X509v3 Key Usage: critical
 ??????????????? Certificate Sign, CRL Sign
 ??????????? X509v3 Basic Constraints: critical
 ??????????????? CA:TRUE, pathlen:0
 ??????????? X509v3 Subject Key Identifier:
4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
 ??????????? X509v3 Authority Key Identifier:
74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
 ??? Signature Algorithm: rsassaPss
 ??? Signature Value:
 ??????? Hash Algorithm: sha256
 ??????? Mask Algorithm: mgf1 with sha256
 ???????? Salt Length: 0x20
 ??????? Trailer Field: 0x01 (default)
 ??????? 69:02:31:cd:98:44:3f:fd:c4:6e:93:f8:8d:e4:37:d1:0b:38:
 ??????? 8f:fb:f7:c3:7e:61:ad:2c:bf:0e:31:2a:0b:f5:c9:54:b3:0b:
 ??????? 1f:f0:89:11:66:8e:03:6b:61:a4:44:7e:09:13:55:b0:95:0e:
 ??????? 03:c0:3f:16:f2:33:fd:a4:44:17:f0:29:77:64:f6:96:36:4a:
 ??????? fa:88:73:bc:b8:36:44:fe:27:48:ec:28:b9:83:17:3b:e2:03:
 ??????? 50:33:18:d4:f4:3d:b7:e9:82:c0:19:b9:ea:79:bd:f8:d0:ea:
 ??????? d5:c5:4a:f6:41:e0:73:78:98:80:a4:3e:e5:77:9e:32:08:6d:
 ??????? 93:bc:e3:76:f5:95:1b:3d:69:36:71:65:f3:24:cb:70:ae:79:
 ??????? c3:8c:9c:87:d4:a3:62:e2:35:4a:1f:a6:3a:c3:f3:8a:f0:a5:
 ??????? 8d:22:45:1e:e6:52:56:a3:ee:88:5d:56:91:e4:f3:c0:01:6e:
 ??????? 26:a3:0f:14:80:53:70:09:fb:b0:21:9e:65:78:62:79:b2:50:
 ??????? 21:52:63:1f:21:59:8f:1f:dd:01:2d:79:c5:18:8a:bd:7b:90:
 ??????? 1b:0a:24:28:ea:68:54:ef:b3:a8:59:23:01:20:6b:00:1b:6a:
 ??????? cd:99:e5:d7:e1:fa:52:c4:ef:b9:c9:8e:29:7d:6c:17:f6:75:
 ??????? da:04:69:27:6d:0c:95:c1:f0:bd:bf:fd:81:24:53:55:ae:2b:
 ??????? 7c:9d:26:59:99:4a:56:d8:8c:ea:e9:09:fa:42:87:ca:ae:05:
 ??????? 43:37:ad:8c:64:63:d3:3a:88:8d:3d:44:cc:c0:54:c4:75:c0:
 ??????? d3:af:e5:de:79:65:9a:2f:a9:e3:fc:09:0a:79:28:d7:99:2e:
 ??????? 11:01:c4:4c:a7:91:2c:c9:df:d7:27:3a:83:cb:22:f0:10:ff:
 ??????? 1d:d3:0e:19:ce:84:31:8b:3f:cf:84:84:0d:f2:8b:e4:ff:5d:
 ??????? 92:33:26:40:2d:e1:a4:d7:07:26:6f:61:45:dd:7d:53:e7:e8:
 ??????? 68:27:b3:74:85:af

The messages

[2025/04/22 15:15:05.011663,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: PKINIT: failed to verify signature: Failed to verify 
signature of certificate: 569861
[2025/04/22 15:15:05.011684,? 3] 
source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
 ?Kerberos: PKINIT: Signature algorithm not supported

indicate, there is probably something wrong with my certs, but I wasn't 
able to deduce what exactly.

Can someone help me out?

Thanks in advance,

Micha? W?grzynek

Sami Hulkko

2025-Apr-22 15:44 UTC

head link

[Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)

Hi,


SmallStep CA do not support crl (revocation list) publishing in URL 
stated in issued certificates. This is requirement from Microsoft for 
certificate chain to pass that is unachievable with SmallStep. Get some 
vendor with crl release or do your own with tool like XCA (Ubuntu store 
and MS store app. DB (Maria or sqlite etc.) remote possible. Accept in 
policy etc. new self signed root cert like with SmallStep. Opensource.

SH

On 22/04/2025 16.38, Micha? W?grzynek via samba wrote:> Hello,
>
> I'm trying to set-up smart card login for a Samba 4 domain. I prepared 
> root and intermediate CAs using Step CA 
> (https://smallstep.com/docs/step-ca/index.html). I was able to 
> generate and set certificates for all DCs, but when I'm attempting a 
> smartcard login through Windows I get
>
> [2025/04/22 15:15:04.998951,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: Probing for AS-REQ
> [2025/04/22 15:15:04.999512,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: heim_audit_vaddkv(): kv pair[0] 
> armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM
> [2025/04/22 15:15:04.999596,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: Client selected FAST
> [2025/04/22 15:15:05.001663,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: AS-REQ mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM 
> from ipv4:172.20.7.48:53196 for 
> krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> [2025/04/22 15:15:05.011057,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=11
> [2025/04/22 15:15:05.011406,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: Client sent patypes: PK-INIT(ietf), OCSP, 128, 167
> [2025/04/22 15:15:05.011429,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: heim_audit_vaddkv(): kv pair[0] 
> client-pa=PK-INIT(ietf),OCSP,128,167
> [2025/04/22 15:15:05.011446,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: Looking for PK-INIT(ietf) pa-data -- 
> mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> [2025/04/22 15:15:05.011463,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: heim_audit_vaddkv(): kv pair[0] pa=PK-INIT(ietf)
> [2025/04/22 15:15:05.011663,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: PKINIT: failed to verify signature: Failed to verify 
> signature of certificate: 569861
> [2025/04/22 15:15:05.011684,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: PKINIT: Signature algorithm not supported
> [2025/04/22 15:15:05.011701,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: Failed to decode PKINIT PA-DATA -- 
> mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
> [2025/04/22 15:15:05.011841,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: as-req: sending error: -1765328353 to client
> [2025/04/22 15:15:05.011858,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: Adding dummy FAST cookie for KRB-ERROR
> [2025/04/22 15:15:05.011874,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: Making FAST inner KRB-ERROR
> [2025/04/22 15:15:05.012164,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.013223
> [2025/04/22 15:15:05.012185,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: AS-REQ KRB5KRB_AP_ERR_BAD_INTEGRITY ipv4:172.20.7.48:53196 
> mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM 
> krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM pa=PK-INIT(ietf) 
> client-pa=PK-INIT(ietf),OCSP,128
> ,167 elapsed=0.013223 
> armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM
>
> in the Samba DC's logs.
>
> The user certificate is issued from an intermediate CA looks like this:
>
> Certificate:
> ??? Data:
> ??????? Version: 3 (0x2)
> ??????? Serial Number:
> ??????????? c2:5b:22:4c:a1:5e:2e:c0:b0:df:53:7d:66:35:39:0e
> ??????? Signature Algorithm: rsassaPss
> ??????? Hash Algorithm: sha256
> ??????? Mask Algorithm: mgf1 with sha256
> ???????? Salt Length: 0x20
> ??????? Trailer Field: 0x01 (default)
> ??????? Issuer: CN=REDACTED Intermediate CA
> ??????? Validity
> ??????????? Not Before: Apr 22 11:38:20 2025 GMT
> ??????????? Not After : Apr 22 17:39:20 2026 GMT
> ??????? Subject: CN=Micha? W?grzynek
> ??????? Subject Public Key Info:
> ??????????? Public Key Algorithm: rsaEncryption
> ??????????????? Public-Key: (2048 bit)
> ??????????????? Modulus:
> ??????????????????? 00:a6:72:3a:86:89:fd:ad:8b:d7:a8:11:ab:f5:01:
> ??????????????????? 9f:5f:c1:11:33:18:06:bc:dc:36:4b:82:62:e3:8b:
> ??????????????????? 90:1c:97:83:d7:17:91:4d:2b:01:dd:78:94:ab:08:
> ??????????????????? 1f:97:9c:cc:de:9b:e5:24:b6:d4:97:ac:57:4f:43:
> ??????????????????? de:c7:b4:16:15:d1:b9:b1:da:67:4b:4d:e8:31:8d:
> ??????????????????? d6:c5:0b:df:29:6d:f6:13:8d:4f:58:41:9c:8b:f7:
> ??????????????????? 6e:83:af:95:15:bd:17:e8:50:26:fa:22:72:45:97:
> ??????????????????? 13:38:aa:64:b7:ae:eb:84:07:46:04:ce:cd:4f:4b:
> ??????????????????? 87:80:f7:60:1c:7c:17:81:9b:e6:bc:95:1c:e8:5d:
> ??????????????????? 41:15:09:e5:d6:50:2b:4f:d2:d6:08:3c:c8:fd:25:
> ??????????????????? 46:77:c4:e5:13:70:1a:c3:13:04:77:fc:ef:6c:f4:
> ??????????????????? a8:5e:88:df:56:22:56:86:93:c0:7b:ad:d3:db:bb:
> ??????????????????? ad:9a:df:9b:1e:9e:40:99:11:a1:04:6b:50:bc:4a:
> ??????????????????? 07:5c:5a:7a:2f:2f:5c:3b:75:5a:d2:63:9a:ab:6d:
> ??????????????????? 42:f4:b3:c0:f5:6f:f3:30:93:37:bc:c6:fd:b4:8d:
> ??????????????????? be:53:f3:c8:5f:fb:ef:f3:ff:91:04:9c:e1:54:c2:
> ??????????????????? a3:fc:77:bf:d9:86:68:90:d6:48:b5:f5:21:d9:1f:
> ??????????????????? e7:83
> ??????????????? Exponent: 65537 (0x10001)
> ??????? X509v3 extensions:
> ??????????? X509v3 Key Usage: critical
> ??????????????? Digital Signature, Key Encipherment
> ??????????? X509v3 Extended Key Usage:
> ??????????????? TLS Web Client Authentication, Microsoft Smartcard Login
> ??????????? X509v3 Subject Key Identifier:
> A1:22:3F:42:9F:2A:6C:DA:7A:D2:B6:EC:A9:93:96:4B:01:8B:E0:3F
> ??????????? X509v3 Authority Key Identifier:
> 4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
> ??????????? X509v3 CRL Distribution Points:
> ??????????????? Full Name:
> ????????????????? URI:http://ca.redacted.com/1.0/crl
>
> ??????????? X509v3 Subject Alternative Name:
> ??????????????? email:mwegrzynek at litexservice.pl, othername: 
> UPN:mwegrzynek at ad.redacted.com
> ??? Signature Algorithm: rsassaPss
> ??? Signature Value:
> ??????? Hash Algorithm: sha256
> ??????? Mask Algorithm: mgf1 with sha256
> ???????? Salt Length: 0x20
> ??????? Trailer Field: 0x01 (default)
> ??????? 35:2e:81:e8:72:ac:68:75:b5:87:ac:db:5b:f5:74:c5:05:26:
> ??????? 74:5c:58:e0:c9:19:f4:bf:34:69:75:76:ed:48:ea:fd:20:05:
> ??????? 8e:3e:42:e8:c8:c9:ca:67:53:42:8c:c8:0a:5d:42:b0:e8:ef:
> ??????? ea:87:b5:52:d8:72:96:77:95:5b:ba:e6:c7:e1:0b:64:d2:da:
> ??????? b3:f7:a3:cc:bc:f0:92:4e:74:7f:7a:62:b5:72:a2:54:99:81:
> ??????? fb:16:1c:2e:60:e6:a0:8a:4f:16:1d:24:c3:c4:d2:d4:24:1f:
> ??????? f1:c7:62:72:5f:2e:1c:96:cc:15:a9:dc:c6:1d:cf:e0:78:8b:
> ??????? d3:c5:e7:7b:a4:36:40:f0:14:21:0c:1f:07:5d:0c:90:63:c1:
> ??????? 2c:de:64:5d:01:75:24:d4:2f:44:a1:7c:8c:01:a9:33:e3:23:
> ??????? 26:b7:25:f8:3d:bd:5e:4b:8b:91:e9:dd:65:5a:a4:c2:93:0e:
> ??????? 89:c9:e3:86:71:24:b0:68:30:f5:a0:4e:c0:3d:3b:4c:e6:ea:
> ??????? e5:ef:5d:77:f6:ad:7f:f1:87:3e:7c:47:fd:97:f8:59:74:51:
> ??????? 40:53:d8:7c:4a:b0:1c:a5:b1:01:be:be:88:fc:e9:aa:85:78:
> ??????? 18:a3:15:91:e4:d5:b7:07:6e:87:9b:8e:a0:52:71:59:23:5f:
> ??????? 9f:db:da:73:ce:4a:81:4d:15:50:2d:81:42:6f:ee:4c:bf:7d:
> ??????? 1d:69:87:22:49:08:7c:3b:fc:10:6a:51:84:4a:7e:83:3b:54:
> ??????? 72:fb:54:71:b8:85:ae:a7:78:5b:d5:d9:ea:6f:7d:c1:b2:d2:
> ??????? cd:72:27:31:cc:e0:7f:7e:0b:0d:dd:ae:e5:52:50:23:bb:50:
> ??????? ba:87:77:f7:b9:d4:2a:08:e1:02:6d:08:cd:af:9a:ce:7b:e4:
> ??????? 50:e9:be:f8:c8:06:96:4d:ea:3f:f1:2f:d1:28:a6:a9:9d:ed:
> ??????? 84:a6:34:c4:29:b1:f7:c6:a0:ae:6c:7a:a6:c4:c0:42:d3:fa:
>
> Below are root and intermediate certs:
>
> Certificate:
> ??? Data:
> ??????? Version: 3 (0x2)
> ??????? Serial Number:
> ??????????? ef:dd:02:19:d8:88:f3:fd:3b:86:d0:af:af:d5:53:5b
> ??????? Signature Algorithm: rsassaPss
> ??????? Hash Algorithm: sha256
> ??????? Mask Algorithm: mgf1 with sha256
> ???????? Salt Length: 0x20
> ??????? Trailer Field: 0x01 (default)
> ??????? Issuer: CN = REDACTED Root CA
> ??????? Validity
> ??????????? Not Before: Apr 15 09:11:39 2025 GMT
> ??????????? Not After : Apr 15 21:11:39 2035 GMT
> ??????? Subject: CN = REDACTED Root CA
> ??????? Subject Public Key Info:
> ??????????? Public Key Algorithm: rsaEncryption
> ??????????????? Public-Key: (3072 bit)
> ??????????????? Modulus:
> ??????????????????? 00:df:0b:aa:ed:97:2a:44:e0:34:b6:42:6b:0f:07:
> ??????????????????? b8:08:dd:25:fb:55:0b:85:d4:06:76:cd:1b:0f:5c:
> ??????????????????? 61:ec:c5:73:2d:91:12:b6:f9:6c:d2:33:66:f2:ec:
> ??????????????????? c6:4d:83:20:39:dd:2b:61:ae:9e:9c:af:07:fe:b9:
> ??????????????????? 4d:f0:4d:c7:8c:b8:af:bc:a0:4f:a5:26:da:dd:f5:
> ??????????????????? 5a:91:a8:54:12:4f:06:e2:6d:2c:7a:fb:c6:13:2a:
> ??????????????????? db:4a:34:89:4f:67:f0:da:1d:e5:58:48:5c:d9:91:
> ??????????????????? 61:33:f3:d2:a6:0d:d4:c7:d0:b0:f0:9f:2c:53:10:
> ??????????????????? 95:72:1e:34:39:28:82:f7:e4:96:e3:1a:25:bd:47:
> ??????????????????? c8:3b:ec:1d:05:ce:51:7c:75:bd:cf:41:83:42:1f:
> ??????????????????? 8a:0e:45:cd:55:cd:3b:91:3b:19:1b:f3:ec:3a:99:
> ??????????????????? 27:87:23:c8:84:68:6c:0a:ec:4f:f8:c5:9e:59:07:
> ??????????????????? 75:2d:05:02:f2:aa:ca:ce:23:6f:5b:31:a0:f0:89:
> ??????????????????? 00:13:26:eb:dd:6b:3d:22:f5:8b:24:8f:01:64:a1:
> ??????????????????? dd:7b:24:9a:c3:7a:58:65:96:cf:a8:0c:80:5e:36:
> ??????????????????? 2e:7b:f0:9e:33:3d:53:18:8d:3b:90:11:e5:6b:df:
> ??????????????????? c1:27:74:0c:f0:cf:da:c4:e1:18:07:f0:f7:1f:ff:
> ??????????????????? e8:08:fb:34:3d:5f:ac:29:0d:4d:16:71:f5:18:51:
> ??????????????????? f8:57:01:d0:20:8a:16:61:7f:42:56:a0:66:aa:fa:
> ??????????????????? 9e:d1:50:20:da:d6:52:63:fd:88:7c:ae:47:b0:eb:
> ??????????????????? f7:ba:25:ac:af:33:f5:ec:b2:40:37:c8:2c:d4:c3:
> ??????????????????? eb:9a:53:24:ff:8f:9a:47:7c:bf:60:a3:01:49:ff:
> ??????????????????? 67:71:ed:6b:4f:7c:b2:5e:e3:31:9f:b3:df:3b:32:
> ??????????????????? ea:e3:6e:93:eb:da:34:3b:c3:f9:7c:14:94:73:da:
> ??????????????????? a8:df:0e:32:f8:52:5a:28:6e:1d:1d:76:88:4e:66:
> ??????????????????? a0:79:fb:74:f5:4b:dd:e5:dc:7b
> ??????????????? Exponent: 65537 (0x10001)
> ??????? X509v3 extensions:
> ??????????? X509v3 Key Usage: critical
> ??????????????? Certificate Sign, CRL Sign
> ??????????? X509v3 Basic Constraints: critical
> ??????????????? CA:TRUE, pathlen:1
> ??????????? X509v3 Subject Key Identifier:
> 74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
> ??? Signature Algorithm: rsassaPss
> ??? Signature Value:
> ??????? Hash Algorithm: sha256
> ??????? Mask Algorithm: mgf1 with sha256
> ???????? Salt Length: 0x20
> ??????? Trailer Field: 0x01 (default)
> ??????? 11:70:8a:fc:17:a4:1f:93:9a:a4:30:8f:71:41:02:77:57:5e:
> ??????? 02:12:b8:45:45:19:e4:e2:d6:2a:df:5c:ba:f5:7c:ad:ae:a9:
> ??????? 2e:f3:ab:6b:3c:02:1c:86:42:53:12:29:53:f9:50:01:77:03:
> ??????? b3:16:ca:d2:ab:fb:9b:fe:92:69:39:6f:b1:1c:51:cc:60:78:
> ??????? f7:dc:c1:dd:82:5c:68:6f:a9:5a:d5:da:b8:c2:54:0e:18:d6:
> ??????? a2:a9:eb:1e:e2:97:65:2a:7b:81:74:ee:18:10:17:81:13:d3:
> ??????? f4:cb:24:24:7c:2e:1a:6a:39:84:e4:8c:45:f5:c4:f7:11:d2:
> ??????? fb:0e:3a:5f:66:8c:4c:d1:78:e6:0e:f2:42:ca:77:d5:fd:cf:
> ??????? 12:6b:f7:d2:ea:bf:89:58:89:26:a8:da:37:c5:45:16:e4:fc:
> ??????? df:59:ac:3d:44:27:e6:ab:f7:6f:a8:6b:e0:13:33:47:7c:b3:
> ??????? 9a:0b:af:20:6a:19:02:2b:84:15:77:ab:ec:f4:dc:4c:ce:e3:
> ??????? 97:72:d2:1c:53:86:8e:aa:da:96:04:6f:3a:a5:5a:6b:78:22:
> ??????? 73:e6:07:6d:e4:35:f0:ef:13:dc:e6:05:58:ec:41:96:2d:d9:
> ??????? 00:de:7e:dc:b8:60:25:c8:48:65:5b:51:4c:16:0b:14:02:75:
> ??????? 11:19:86:d5:22:1d:9e:c1:80:51:b8:ed:eb:f3:1a:e6:fb:35:
> ??????? 34:8b:12:22:c8:8b:b7:6f:10:64:23:62:ad:5c:f8:99:7d:18:
> ??????? 15:e8:a3:da:3c:10:58:84:63:ce:7e:c9:ed:63:87:2d:02:53:
> ??????? 10:39:6e:b5:af:46:21:b5:d3:d0:53:c2:3d:4c:b0:ab:5c:b4:
> ??????? a1:bf:e9:5e:cf:bd:d3:cf:f6:b6:c8:d6:3c:be:58:4a:1f:16:
> ??????? 1e:4a:77:af:37:11:aa:05:79:04:fb:9e:f4:f6:80:d9:b0:9d:
> ??????? 60:c6:a2:39:2b:d9:df:17:71:8a:12:bf:2f:45:e5:22:25:17:
> ??????? 96:af:f5:30:8d:e3
> Certificate:
> ??? Data:
> ??????? Version: 3 (0x2)
> ??????? Serial Number:
> ??????????? 88:77:13:53:37:88:34:95:7f:bc:29:74:e6:a1:8f:06
> ??????? Signature Algorithm: rsassaPss
> ??????? Hash Algorithm: sha256
> ??????? Mask Algorithm: mgf1 with sha256
> ???????? Salt Length: 0x20
> ??????? Trailer Field: 0x01 (default)
> ??????? Issuer: CN = REDACTED Root CA
> ??????? Validity
> ??????????? Not Before: Apr 22 07:46:23 2025 GMT
> ??????????? Not After : Apr 22 19:46:16 2035 GMT
> ??????? Subject: CN = REDACTED Intermediate CA
> ??????? Subject Public Key Info:
> ??????????? Public Key Algorithm: rsaEncryption
> ??????????????? Public-Key: (3072 bit)
> ??????????????? Modulus:
> ??????????????????? 00:e7:7e:04:c8:b2:5c:ec:ba:ed:0f:9e:fa:bd:2a:
> ??????????????????? 19:cf:9f:1b:a3:ad:38:b0:d8:56:0f:56:05:01:67:
> ??????????????????? dc:07:27:1f:c7:9c:53:9a:f1:0a:26:9f:7d:28:30:
> ??????????????????? 4b:b5:66:d1:73:b4:f7:9b:a1:cf:a6:00:5a:97:32:
> ??????????????????? 74:7c:e6:ca:99:ae:e7:30:c7:5a:8d:fb:91:6d:c8:
> ??????????????????? 51:d4:89:ef:24:8f:c9:b5:a1:84:68:52:d5:dc:4c:
> ??????????????????? 5d:05:b5:d9:47:63:27:d0:90:4d:43:2c:d6:60:8d:
> ??????????????????? 91:71:00:7f:5b:fb:23:c1:79:04:3c:45:e5:11:ec:
> ??????????????????? 8c:0d:7e:ef:2a:5f:83:19:00:da:c2:9f:64:f9:24:
> ??????????????????? c9:e3:bd:37:8e:b2:72:a6:5d:90:ca:23:f3:a9:e6:
> ??????????????????? f0:66:d6:60:06:e6:57:a9:c7:49:0f:30:90:1f:d7:
> ??????????????????? 52:07:a1:4d:c4:49:12:ce:d1:e3:43:6e:4a:c9:dc:
> ??????????????????? 7a:d2:dd:94:d4:8d:6a:df:2f:96:75:d2:c6:6f:c1:
> ??????????????????? ab:75:90:80:8e:cb:b2:5e:43:0a:a5:c8:69:8b:11:
> ??????????????????? 48:5f:ce:2c:5f:2b:93:d2:b0:9a:6f:96:e0:88:ad:
> ??????????????????? fa:4d:6b:0b:b9:f4:05:7a:1d:1c:be:20:41:df:90:
> ??????????????????? a6:2e:9a:94:4c:ff:40:81:4d:2a:df:4a:6f:ed:91:
> ??????????????????? e4:fe:bf:6f:0f:cd:4e:a6:70:a9:d8:e4:e3:72:95:
> ??????????????????? 35:37:bf:f1:62:15:ab:57:ec:5c:d6:08:a7:bb:0f:
> ??????????????????? 9f:7a:25:c5:5a:59:ce:3f:e0:dd:99:39:d4:ab:f5:
> ??????????????????? a7:94:9b:e6:7b:5e:30:47:df:4a:e1:2a:b1:84:33:
> ??????????????????? 65:f1:a5:b0:af:53:62:ef:7d:f5:59:4d:77:bf:78:
> ??????????????????? 3e:82:58:2e:91:54:b6:3c:df:ea:0b:6e:7b:69:43:
> ??????????????????? ca:0d:c0:33:c1:6d:1d:9c:99:63:0d:80:55:f9:cd:
> ??????????????????? e5:6d:9b:8f:ef:25:76:44:0f:67:7d:f9:5d:e2:32:
> ??????????????????? ba:4b:cd:ec:4e:b3:b6:50:67:2b
> ??????????????? Exponent: 65537 (0x10001)
> ??????? X509v3 extensions:
> ??????????? X509v3 Key Usage: critical
> ??????????????? Certificate Sign, CRL Sign
> ??????????? X509v3 Basic Constraints: critical
> ??????????????? CA:TRUE, pathlen:0
> ??????????? X509v3 Subject Key Identifier:
> 4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
> ??????????? X509v3 Authority Key Identifier:
> 74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
> ??? Signature Algorithm: rsassaPss
> ??? Signature Value:
> ??????? Hash Algorithm: sha256
> ??????? Mask Algorithm: mgf1 with sha256
> ???????? Salt Length: 0x20
> ??????? Trailer Field: 0x01 (default)
> ??????? 69:02:31:cd:98:44:3f:fd:c4:6e:93:f8:8d:e4:37:d1:0b:38:
> ??????? 8f:fb:f7:c3:7e:61:ad:2c:bf:0e:31:2a:0b:f5:c9:54:b3:0b:
> ??????? 1f:f0:89:11:66:8e:03:6b:61:a4:44:7e:09:13:55:b0:95:0e:
> ??????? 03:c0:3f:16:f2:33:fd:a4:44:17:f0:29:77:64:f6:96:36:4a:
> ??????? fa:88:73:bc:b8:36:44:fe:27:48:ec:28:b9:83:17:3b:e2:03:
> ??????? 50:33:18:d4:f4:3d:b7:e9:82:c0:19:b9:ea:79:bd:f8:d0:ea:
> ??????? d5:c5:4a:f6:41:e0:73:78:98:80:a4:3e:e5:77:9e:32:08:6d:
> ??????? 93:bc:e3:76:f5:95:1b:3d:69:36:71:65:f3:24:cb:70:ae:79:
> ??????? c3:8c:9c:87:d4:a3:62:e2:35:4a:1f:a6:3a:c3:f3:8a:f0:a5:
> ??????? 8d:22:45:1e:e6:52:56:a3:ee:88:5d:56:91:e4:f3:c0:01:6e:
> ??????? 26:a3:0f:14:80:53:70:09:fb:b0:21:9e:65:78:62:79:b2:50:
> ??????? 21:52:63:1f:21:59:8f:1f:dd:01:2d:79:c5:18:8a:bd:7b:90:
> ??????? 1b:0a:24:28:ea:68:54:ef:b3:a8:59:23:01:20:6b:00:1b:6a:
> ??????? cd:99:e5:d7:e1:fa:52:c4:ef:b9:c9:8e:29:7d:6c:17:f6:75:
> ??????? da:04:69:27:6d:0c:95:c1:f0:bd:bf:fd:81:24:53:55:ae:2b:
> ??????? 7c:9d:26:59:99:4a:56:d8:8c:ea:e9:09:fa:42:87:ca:ae:05:
> ??????? 43:37:ad:8c:64:63:d3:3a:88:8d:3d:44:cc:c0:54:c4:75:c0:
> ??????? d3:af:e5:de:79:65:9a:2f:a9:e3:fc:09:0a:79:28:d7:99:2e:
> ??????? 11:01:c4:4c:a7:91:2c:c9:df:d7:27:3a:83:cb:22:f0:10:ff:
> ??????? 1d:d3:0e:19:ce:84:31:8b:3f:cf:84:84:0d:f2:8b:e4:ff:5d:
> ??????? 92:33:26:40:2d:e1:a4:d7:07:26:6f:61:45:dd:7d:53:e7:e8:
> ??????? 68:27:b3:74:85:af
>
> The messages
>
> [2025/04/22 15:15:05.011663,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: PKINIT: failed to verify signature: Failed to verify 
> signature of certificate: 569861
> [2025/04/22 15:15:05.011684,? 3] 
> source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
> ?Kerberos: PKINIT: Signature algorithm not supported
>
> indicate, there is probably something wrong with my certs, but I 
> wasn't able to deduce what exactly.
>
> Can someone help me out?
>
> Thanks in advance,
>
> Micha? W?grzynek
>
>
>-- 
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com

samba - Apr 2025 - PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)

[Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)

[Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)