Michał Węgrzynek
2025-Apr-22 13:38 UTC
[Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)
Hello,

I'm trying to set up smart card login for a Samba 4 domain. I prepared root and intermediate CAs using Step CA (https://smallstep.com/docs/step-ca/index.html). I was able to generate and set certificates for all DCs, but when I'm attempting a smartcard login through Windows I get

[2025/04/22 15:15:04.998951,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2025/04/22 15:15:04.999512,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM
[2025/04/22 15:15:04.999596,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client selected FAST
[2025/04/22 15:15:05.001663,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM from ipv4:172.20.7.48:53196 for krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
[2025/04/22 15:15:05.011057,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=11
[2025/04/22 15:15:05.011406,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: PK-INIT(ietf), OCSP, 128, 167
[2025/04/22 15:15:05.011429,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=PK-INIT(ietf),OCSP,128,167
[2025/04/22 15:15:05.011446,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Looking for PK-INIT(ietf) pa-data -- mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
[2025/04/22 15:15:05.011463,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] pa=PK-INIT(ietf)
[2025/04/22 15:15:05.011663,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: PKINIT: failed to verify signature: Failed to verify signature of certificate: 569861
[2025/04/22 15:15:05.011684,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: PKINIT: Signature algorithm not supported
[2025/04/22 15:15:05.011701,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Failed to decode PKINIT PA-DATA -- mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM
[2025/04/22 15:15:05.011841,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: as-req: sending error: -1765328353 to client
[2025/04/22 15:15:05.011858,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Adding dummy FAST cookie for KRB-ERROR
[2025/04/22 15:15:05.011874,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making FAST inner KRB-ERROR
[2025/04/22 15:15:05.012164,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.013223
[2025/04/22 15:15:05.012185,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ KRB5KRB_AP_ERR_BAD_INTEGRITY ipv4:172.20.7.48:53196 mwegrzynek\@REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM krbtgt/REDACTED.DOMAIN.COM at REDACTED.DOMAIN.COM pa=PK-INIT(ietf) client-pa=PK-INIT(ietf),OCSP,128,167 elapsed=0.013223 armor_client_name=REDACTED-MACHINE$@REDACTED.DOMAIN.COM

in the Samba DC's logs.

The user certificate, issued from an intermediate CA, looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c2:5b:22:4c:a1:5e:2e:c0:b0:df:53:7d:66:35:39:0e
        Signature Algorithm: rsassaPss
        Hash Algorithm: sha256
        Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
        Trailer Field: 0x01 (default)
        Issuer: CN=REDACTED Intermediate CA
        Validity
            Not Before: Apr 22 11:38:20 2025 GMT
            Not After : Apr 22 17:39:20 2026 GMT
        Subject: CN=Michał Węgrzynek
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcard Login
            X509v3 Subject Key Identifier:
                A1:22:3F:42:9F:2A:6C:DA:7A:D2:B6:EC:A9:93:96:4B:01:8B:E0:3F
            X509v3 Authority Key Identifier:
                4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ca.redacted.com/1.0/crl

            X509v3 Subject Alternative Name:
                email:mwegrzynek at litexservice.pl, othername: UPN:mwegrzynek at ad.redacted.com
    Signature Algorithm: rsassaPss
    Signature Value:
        Hash Algorithm: sha256
        Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
        Trailer Field: 0x01 (default)

Below are root and intermediate certs:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:dd:02:19:d8:88:f3:fd:3b:86:d0:af:af:d5:53:5b
        Signature Algorithm: rsassaPss
        Hash Algorithm: sha256
        Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
        Trailer Field: 0x01 (default)
        Issuer: CN = REDACTED Root CA
        Validity
            Not Before: Apr 15 09:11:39 2025 GMT
            Not After : Apr 15 21:11:39 2035 GMT
        Subject: CN = REDACTED Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
    Signature Algorithm: rsassaPss
    Signature Value:
        Hash Algorithm: sha256
        Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
        Trailer Field: 0x01 (default)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:77:13:53:37:88:34:95:7f:bc:29:74:e6:a1:8f:06
        Signature Algorithm: rsassaPss
        Hash Algorithm: sha256
        Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
        Trailer Field: 0x01 (default)
        Issuer: CN = REDACTED Root CA
        Validity
            Not Before: Apr 22 07:46:23 2025 GMT
            Not After : Apr 22 19:46:16 2035 GMT
        Subject: CN = REDACTED Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                4C:C3:72:31:69:D6:17:2A:AB:04:39:6F:A3:D3:74:26:36:3D:51:AA
            X509v3 Authority Key Identifier:
                74:C3:32:8D:E1:C9:D5:69:DA:C6:E6:D9:81:79:F5:E0:0D:01:07:AC
    Signature Algorithm: rsassaPss
    Signature Value:
        Hash Algorithm: sha256
        Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
        Trailer Field: 0x01 (default)

The messages

[2025/04/22 15:15:05.011663,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: PKINIT: failed to verify signature: Failed to verify signature of certificate: 569861
[2025/04/22 15:15:05.011684,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: PKINIT: Signature algorithm not supported

indicate there is probably something wrong with my certs, but I wasn't able to deduce what exactly.

Can someone help me out?

Thanks in advance,

Michał Węgrzynek
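An added diagnostic for the certificate dumps above (not code from the thread, Samba, Heimdal or Smallstep): a Python linter that reads `openssl x509 -text -noout` output and flags, for every certificate in the chain, the rsassaPss signature algorithm the KDC log rejects, plus the leaf properties a smart-card logon needs (Smart Card Logon EKU, a UPN in the SAN, a CRL distribution point; whether that CRL is actually published is what the reply below turns on). The set of algorithms treated as KDC-verifiable is an assumption, and the sample dumps are constructed with placeholder names.

```python
"""Lint `openssl x509 -text -noout` dumps of a PKINIT smart-card chain.
Added example for this thread; not Samba, Heimdal or Smallstep code."""
import re

# ASSUMPTION: signature algorithms the Samba/Heimdal KDC is expected to verify;
# the thread's log rejects an rsassaPss chain, so PSS is deliberately absent.
KDC_OK_SIG_ALGS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
                   "sha512WithRSAEncryption", "ecdsa-with-SHA256"}
SMARTCARD_EKU = "Microsoft Smartcard Login"  # openssl's name for the logon EKU

def _norm_dn(dn):  # openssl prints 'CN = X' or 'CN=X' depending on -nameopt
    return re.sub(r"\s*=\s*", "=", dn.strip())

def _items(line):
    return [x.strip() for x in line.split(",") if x.strip()]

def parse_x509_text(text):
    """Extract only the fields the checks need from the human-readable dump."""
    c = dict(subject="", issuer="", sig_alg="", key_usage=[], eku=[], san=[],
             crl_dp=[], is_ca=False)
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        ln = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if ln.startswith("Signature Algorithm:") and not c["sig_alg"]:
            c["sig_alg"] = ln.split(":", 1)[1].strip()  # header copy, not trailer
        elif ln.startswith("Issuer:"):
            c["issuer"] = _norm_dn(ln.split(":", 1)[1])
        elif ln.startswith("Subject:"):
            c["subject"] = _norm_dn(ln.split(":", 1)[1])
        elif ln.startswith("X509v3 Key Usage"):
            c["key_usage"] = _items(nxt)
        elif ln.startswith("X509v3 Extended Key Usage"):
            c["eku"] = _items(nxt)
        elif ln.startswith("X509v3 Subject Alternative Name"):
            c["san"] = _items(nxt)
        elif ln.startswith("X509v3 Basic Constraints"):
            c["is_ca"] = "CA:TRUE" in nxt
        elif ln.startswith("X509v3 CRL Distribution Points"):
            for later in lines[i + 1:]:  # URIs run up to the next extension
                if later.strip().startswith(("X509v3", "Signature")):
                    break
                c["crl_dp"] += re.findall(r"URI:(\S+)", later)
    return c

def check_chain(leaf, *issuers):
    """Return (severity, message) findings for leaf -> intermediate(s) -> root."""
    chain, out = [leaf, *issuers], []
    for c in chain:
        if c["sig_alg"] not in KDC_OK_SIG_ALGS:
            out.append(("ERROR", f"{c['subject']}: signed with {c['sig_alg']}; "
                        "reissue the whole chain with e.g. sha256WithRSAEncryption"))
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            out.append(("ERROR", f"{child['subject']}: issuer is not {parent['subject']}"))
        if not parent["is_ca"]:
            out.append(("ERROR", f"{parent['subject']}: issues certs without CA:TRUE"))
    if "Digital Signature" not in leaf["key_usage"]:
        out.append(("ERROR", f"{leaf['subject']}: Key Usage lacks Digital Signature"))
    if SMARTCARD_EKU not in leaf["eku"]:
        out.append(("ERROR", f"{leaf['subject']}: EKU lacks '{SMARTCARD_EKU}'"))
    if not any(re.search(r"UPN:+\S+@\S+", s) for s in leaf["san"]):
        out.append(("ERROR", f"{leaf['subject']}: SAN has no UPN othername"))
    if not leaf["crl_dp"]:  # whether the client can fetch it is not checked here
        out.append(("WARN", f"{leaf['subject']}: no CRL distribution point"))
    return out

def lint_chain(*dumps):
    return check_chain(*(parse_x509_text(d) for d in dumps))

# Constructed dumps shaped like the thread's (key and signature bytes omitted,
# placeholder names); the chain is rsassaPss-signed end to end as in the thread.
LEAF = """\
        Signature Algorithm: rsassaPss
        Issuer: CN=Example Intermediate CA
        Subject: CN=Example User
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcard Login
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ca.example.invalid/1.0/crl

            X509v3 Subject Alternative Name:
                email:user@example.invalid, othername: UPN:user@ad.example.invalid
    Signature Algorithm: rsassaPss
"""
INTERMEDIATE = """\
        Signature Algorithm: rsassaPss
        Issuer: CN = Example Root CA
        Subject: CN = Example Intermediate CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
"""
ROOT = INTERMEDIATE.replace("CN = Example Intermediate CA", "CN = Example Root CA")
```

Run `lint_chain(LEAF, INTERMEDIATE, ROOT)` and every certificate is reported for rsassaPss while the logon-specific checks pass; substituting sha256WithRSAEncryption into all three dumps yields no findings.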
Sami Hulkko
2025-Apr-22 15:44 UTC
[Samba] PKINIT: Signature algorithm not supported during smart card authentication against Samba 4 (Smallstep CA)
Hi,

SmallStep CA does not support CRL (revocation list) publishing at the URL stated in issued certificates. This is a requirement from Microsoft for the certificate chain to pass that is unachievable with SmallStep. Get some vendor with CRL release, or do your own with a tool like XCA (Ubuntu store and MS store app; DB (Maria or SQLite etc.) remote possible). Accept in policy etc. a new self-signed root cert like with SmallStep. Open source.

SH

On 22/04/2025 16.38, Michał Węgrzynek via samba wrote:
> Hello,
>
> I'm trying to set up smart card login for a Samba 4 domain. I prepared
> root and intermediate CAs using Step CA
> (https://smallstep.com/docs/step-ca/index.html).
> Can someone help me out?
>
> Thanks in advance,
>
> Michał Węgrzynek

-- 
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com