search for: pkinit

Displaying 20 results from an estimated 166 matches for "pkinit".

2018 Dec 18
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
Alon, I should have provided more background. You are assuming that I could perform the PKINIT prior to connecting to the SSH server. In this case (and others) there is an interest in not exposing the kerberos servers to the world and thus someone connecting remotely would not be able to obtain a TGT or do a PKINIT. The goal would be for SSH to handle all the auth and only after connecting...
2018 Dec 19
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
...le sharing the reader between local > and remote machines, rdesktop is using this method. > 3. Delegate PKCS#11, this is the preferred method, however, there is > no maintained solution to do so. > 4. Delegate the ssh-agent and implement a minimal PKCS#11 provider on > top to support PKINIT requirements. > 5. If your card is gpg supported, use gpg-agent as ssh-agent and > delegate gpg-agent to remote and use scute[1] as PKCS#11 provider, > however, scute is unmaintained. I agree that number 3 would be preferred. My hope was that maybe this would be something that the OpenSSH...
2018 Dec 18
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
...something similar on other *NIX) which allows smartcard auth to a Kerberos (including AD) server, where a TGT can also be granted. How difficult would it be to add functionality to OpenSSH so that it can funnel PKCS11 certs from SSH client to server and on to PAM where it could be used by Kerberos/PKINIT? My thought is that this is at least part way there with the current PKCS11 support but I won't claim to be an expert regarding the internals of what would be needed. I would think that a number of places using smartcards (I currently work for a gov agency that uses smartcards) would find thi...
2015 Jun 30
0
Account lockout
...I press enter after entering a bad password, 2 attempts are made at checking it. The second time I enter a bad password, the account is locked. <grep aslate log.samba> Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65414 for krbtgt/DOMAIN at DOMAIN Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65415 for krbtgt/DOMAIN at DOMAIN Kerberos: Looking for PKINIT pa-d...
2013 Oct 18
0
Identity change between pkinit and TGS
...0000-0000-0000-0000 \@upn.example.com at REALM.COM which works fine. But during the TGS phase, it checks only for 0000-0000-0000-0000 at REALM.COM and this entry is missing in Kerberos. Log file shows this : [...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000 \@upn.example.com at REALM.COM using XXXX [...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ 0000-0000-0000-0000 at REALM.COM from ipv4:10.0.0.5:62591 for host/XXX [canonicalize, renewable, forwardab...
2010 Oct 18
1
Setting up Samba4 - lots of implementation questions esp re. PKI and SSO
...'ve forgotten all about. My questions are: - I am a little confused about the PKI implementation. Especially as regards the particular details of how I should set up the X509 information in the certificates. I found this: http://middleware.internet2.edu/pki07/proceedings/slides/10-kornievskaia-pkinit-interop.pdf which seems quite detailed and covers quite a bit, in particular it mentions this: -------QUOTE---------------------------------------------------------- CLIENT IDENTITY - Kerberos principal name encoded in X509 SAN - Mapping facility at the KDC - Must have X509 EKU fields --------/QUOT...
2023 Jul 14
1
Samba 4 AD SmartCard Authentication Problem
...and trust of chain certificates. So with root ca and intermediate ca? I followed the HowTo from the Samba Wiki, but there is only explained how you use with only a root ca. Then I tried it myself. I created an intermediate ca and some certs for the dc and user. But, I always ran into: NT_STATUS_PKINIT_FAILURE Yes, I have paid attention to the CRL Distribution Points and that also the clients have connection to them. But the authentication fails. With log level = 9 I found this... |../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: PKINIT request but PKINIT...
2016 Dec 20
3
Problem with keytab: "Client not found in Kerberos database"
On Tue, 20 Dec 2016 13:50:40 +0000 Brian Candler via samba <samba at lists.samba.org> wrote: > Rowland Perry wrote: > > >/imdap config AD : backend = rid /> >/ > /> How did you 'fix' > > >this, on face value, there is nothing wrong with that line. > > > "imdap" is not "idmap" > > (so now you understand why I
2012 Apr 01
2
samba4 DNS error when joining domain
...oin -UAdministrator Enter Administrator's password: Using short domain name -- POLOP Joined 'LUBUNTU7' to realm 'hh3.site' No DNS domain configured for lubuntu7. Unable to perform DNS Update. DNS update failed! during the join this all seems OK: Kerberos: Looking for PKINIT pa-data -- LUBUNTU7$@HH3.SITE Kerberos: Looking for ENC-TS pa-data -- LUBUNTU7$@HH3.SITE Kerberos: No preauth found, returning PREAUTH-REQUIRED -- LUBUNTU7$@HH3.SITE Kerberos: AS-REQ LUBUNTU7$@HH3.SITE from ipv4:192.168.1.24:59014 for krbtgt/HH3.SITE at HH3.SITE Kerberos: Client sent patypes: encr...
2018 Mar 19
2
Your advices regarding authentication methods compatible with S4
On Mon, 2018-03-19 at 11:55 +1300, Garming Sam via samba wrote: > Hi, > > Maybe this page might be helpful. I don't know how up to date it is, but > the expectation seems to be that it should be able to work with > alternative forms of authentication (with Kerberos PKINIT). > > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Yeah, I think something that presents as smart card login is likely to be the best bet. Smart cards are a pain, but could certainly help with the speed (compared with long complex passwords). The PKINIT stuff is meant to wo...
2011 Dec 22
1
Samba 4 Kerberos: Failed to decrypt PA-DATA
...ministrator at HH3.SITE Password for Administrator at HH3.SITE: Warning: Your password will expire in 40 days on Tue Jan 31 23:40:57 2012 Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:39949 for krbtgt/HH3.SITE at HH3.SITE Kerberos: Client sent patypes: 149 Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator at HH3.SITE Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:33899 for krbtgt/HH3.SITE at HH3.SITE Kerbero...
2020 Nov 19
1
Smartcard logon
..." on my screen. > Samba log with auth:10 and kerberos:10 shows the following: > > Kerberos: AS-REQ administrator\@svitla3.room at SVITLA3.ROOM from ipv4: > 10.0.0.2:63245 for krbtgt/SVITLA3.ROOM at SVITLA3.ROOM > Kerberos: Client sent patypes: 150, 128 > Kerberos: Looking for PKINIT pa-data -- > administrator\@svitla3.room at SVITLA3.ROOM > Kerberos: Looking for ENC-TS pa-data -- > administrator\@svitla3.room at SVITLA3.ROOM > Kerberos: No preauth found, returning PREAUTH-REQUIRED -- > administrator\@svitla3.room at SVITLA3.ROOM > Kerberos: AS-REQ administrat...
2015 Aug 24
0
SAMBA 4 DC and Smartcard authentication
...and I get this on log.samba from samba's Kerberos daemon: *...* * Kerberos: AS-REQ username\@domain at DOMAIN from ipv4:192.168.1.69:53053 for krbtgt/DOMAIN at DOMAIN* * Kerberos: Client sent patypes: PK-INIT(win2k), OCSP, 132, 128* * Kerberos: Looking for PKINIT pa-data -- username\@domain at DOMAIN* * Kerberos: PK-INIT request of type PK-INIT-Win2k* * Kerberos: Trying to authorize PK-INIT subject DN CN=USER FULL NAME,OU=Enterprise2,OU=Enterprise 1,OU=AC,O=Entity,C=CO* *...* * Kerberos: found MS UPN SAN: username at domain* *...* * Kerberos: PKINIT pre...
2020 Sep 28
1
Schema version 87 and windows Hello
...use its knowledge of the private key/certificate to authenticate against the server that contains a copy of the public key. The following is what I think the authentication (not provisioning) process boils down to: - User attempts to login and provides their PIN to unlock their TPM - Kerberos PKINIT authentication is attempted using the private key/certificate stored in the TPM With the above authentication process in mind, I'm thinking that the provisioning process could be boiled down to: - Configure the TPM to store a private key and protect it with a PIN - Write the public key to the...
2018 Mar 16
2
Your advices regarding authentication methods compatible with S4
Hi to Samba list, dev, contributors and all the community. We are samba users for a long time now, and S4 since the early alpha version. We run now 5 DC for 700 users in our hospital and are very enthusiastic. This is definitely a great project. But now, we face a new challenge. We look over a new authentication method rather than the old user/password. Because we have many users switching
2023 Jul 28
0
[Announce] Samba 4.19.0rc1 Available for Download
...---------- Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to the current pre-8.0 (master) tree from upstream Heimdal, ensuring that this vendored copy, included in our release remains as close as possible to the current upstream code. Revocation support in Heimdal KDC for PKINIT certificates --------------------------------------------------------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file...
2014 Apr 11
1
4.0 stopped working after updating xubuntu 13.04
...ative for 'userstream.twitter.com', forwarding Not authoritative for 'userstream.twitter.com', forwarding Kerberos: AS-REQ kontor$@STH.SOMEDOMAIN.SE from ipv4:10.101.1.98:49159 for krbtgt/STH.SOMEDOMAIN.SE at STH.SOMEDOMAIN.SE Kerberos: Client sent patypes: 128 Kerberos: Looking for PKINIT pa-data -- kontor$@STH.SOMEDOMAIN.SE Kerberos: Looking for ENC-TS pa-data -- kontor$@STH.SOMEDOMAIN.SE Kerberos: No preauth found, returning PREAUTH-REQUIRED -- kontor$@STH.SOMEDOMAIN.SE Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTE...
2023 Aug 08
1
[Announce] Samba 4.19.0rc2 Available for Download
...---------- Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to the current pre-8.0 (master) tree from upstream Heimdal, ensuring that this vendored copy, included in our release remains as close as possible to the current upstream code. Revocation support in Heimdal KDC for PKINIT certificates --------------------------------------------------------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file...