search for: pkinit_identities

Displaying 18 results from an estimated 18 matches for "pkinit_identities".

2020 Nov 20
0
Smartcard logon issue with pam_winbind and Kerberos auth
...rprise, I was able to authenticate without pam_pkcs11 or pam_krb5 in my PAM stack, using only pam_winbind, after I've added config like this into /etc/krb5.conf: ``` EXAMPLE.COM = { pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature pkinit_eku_checking = kpServerAuth pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so pkinit_kdc_hostname = example.com } [appdefaults] pam = { mappings = ^EXAMPLE\\(.*)$ $1 at EXAMPLE.COM } ``` From what I understand, that works because I have `krb5_auth = yes` in pam_winbind.conf, so the actual auth is done by libkrb5. But I had e...
2023 Jul 14
1
Samba 4 AD SmartCard Authentication Problem
Hello, has anyone tried Samba 4 AD with SmartCard-Authentication and trust of chain certificates. So with root ca and intermediate ca? I followed the HowTo from the Samba Wiki, but there is only explained how you use with only a root ca. Then I tried it myself. I created an intermediate ca and some certs for the dc and user. But, I always ran into: NT_STATUS_PKINIT_FAILURE Yes, I have paid
2013 Nov 27
0
complicated svn, apache, krb5 and selinux problem
...k at the pcscd.pid... and selinux complains that this is naughty. (We're in permissive mode.) I don't know deeply enough if anything else really needs to do this on the server, but I'd like to fix it so that doing svn stuff does *not* invoke that call. It *appears* if I comment out the pkinit_identities, we don't get the error (for obvious reasons). Ideally, I'd like to find some way to configure subversion - maybe in the /etc/httpd/conf.d/subversion.conf - so that it doesn't try that, but we *do* want it to do password krb5 authentication. Does this make sense? If so, is it do-able?...
2015 Jan 07
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...TS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > pkinit_kdc_hostname = <DNS> > pkinit_anchors = DIR:/var/lib/pbis/trusted_certs > pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> > pkinit_eku_checking = kpServerAuth > pkinit_win2k_require_binding = false > pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so > My krb5.conf is: [libdefaults] default_realm = EXAMPLE.LAN dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes > > and removed "krb5.keytab" too. You told me that my domain...
2015 Jan 09
4
Use Samba with ACL for read Active Directory and set Permissions via it.
...ES-CBC-MD5 DES-CBC-CRC >> pkinit_kdc_hostname = <DNS> >> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >> pkinit_eku_checking = kpServerAuth >> pkinit_win2k_require_binding = false >> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >> > My krb5.conf is: > > [libdefaults] > default_realm = EXAMPLE.LAN > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 24h > forwardable = yes > >> and removed "...
2015 Jan 06
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...>>>> pkinit_kdc_hostname = <DNS> >>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >>> pkinit_eku_checking = kpServerAuth >>> pkinit_win2k_require_binding = false >>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >>> >>> [realms] >>> EXAMPLE.COM = { >>> kdc = kerberos.example.com >>> admin_server = kerberos.example.com >>> } >>> JASONDOMAIN.JJ = { >>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\...
2015 Jan 07
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC pkinit_kdc_hostname = <DNS> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> pkinit_eku_checking = kpServerAuth pkinit_win2k_require_binding = false pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so and removed "krb5.keytab" too. You told me that my domain name is "jasondomaini" but it is wrong, My domain name is "jasondomain.jj" and backend is "jasondomaini", For example, when I want to login into Windows use "...
2015 Jan 09
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...TS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > pkinit_kdc_hostname = <DNS> > pkinit_anchors = DIR:/var/lib/pbis/trusted_certs > pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> > pkinit_eku_checking = kpServerAuth > pkinit_win2k_require_binding = false > pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so > My krb5.conf is: [libdefaults] default_realm = EXAMPLE.LAN dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes > > and removed "krb5.keytab" too. You told me that my domain...
2020 Nov 19
1
Smartcard logon
> > Hi friends, > I need your help. > > I implemented > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login > > https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities > enabling smart card logon on a Windows Server 2016 as a domain member of > Samba DC. > > Currently I
2015 Jan 19
0
Did you get my previous email? Not Spam.
...S RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > # pkinit_kdc_hostname = <DNS> > # pkinit_anchors = DIR:/var/lib/pbis/trusted_certs > # pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> > # pkinit_eku_checking = kpServerAuth > # pkinit_win2k_require_binding = false > # pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so > > > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > Thank you so much and Please let me know your idea. > > > > > > > On Wednesday, January 14, 2015 8:10 AM, Rowland Penny <rowlandpenny at googlemail...
2015 Jan 12
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...ES-CBC-MD5 DES-CBC-CRC >> pkinit_kdc_hostname = <DNS> >> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >> pkinit_eku_checking = kpServerAuth >> pkinit_win2k_require_binding = false >> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >> > My krb5.conf is: > > [libdefaults] > default_realm = EXAMPLE.LAN > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 24h > forwardable = yes > >> and removed "...
2015 Jan 10
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...ES-CBC-MD5 DES-CBC-CRC >> pkinit_kdc_hostname = <DNS> >> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >> pkinit_eku_checking = kpServerAuth >> pkinit_win2k_require_binding = false >> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >> > My krb5.conf is: > > [libdefaults] > default_realm = EXAMPLE.LAN > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 24h > forwardable = yes > >> and removed "...
2015 Jan 05
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...TS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > pkinit_kdc_hostname = <DNS> > pkinit_anchors = DIR:/var/lib/pbis/trusted_certs > pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> > pkinit_eku_checking = kpServerAuth > pkinit_win2k_require_binding = false > pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so > > [realms] > EXAMPLE.COM = { > kdc = kerberos.example.com > admin_server = kerberos.example.com > } > JASONDOMAIN.JJ = { > auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/ > auth_to_local = RULE:[...
2015 Jan 05
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...ES-CBC-MD5 DES-CBC-CRC >> pkinit_kdc_hostname = <DNS> >> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >> pkinit_eku_checking = kpServerAuth >> pkinit_win2k_require_binding = false >> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >> >> [realms] >> EXAMPLE.COM = { >> kdc = kerberos.example.com >> admin_server = kerberos.example.com >> } >> JASONDOMAIN.JJ = { >> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMA...
2015 Jan 05
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC pkinit_kdc_hostname = <DNS> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> pkinit_eku_checking = kpServerAuth pkinit_win2k_require_binding = false pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so [realms] EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com } JASONDOMAIN.JJ = { auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/ auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVE...
2015 Jan 05
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...TS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > pkinit_kdc_hostname = <DNS> > pkinit_anchors = DIR:/var/lib/pbis/trusted_certs > pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> > pkinit_eku_checking = kpServerAuth > pkinit_win2k_require_binding = false > pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so > > [realms] > EXAMPLE.COM = { > kdc = kerberos.example.com > admin_server = kerberos.example.com > } > JASONDOMAIN.JJ = { > auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/ > auth_to_local = RULE:[...
2015 Jan 06
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...ES-CBC-MD5 DES-CBC-CRC >> pkinit_kdc_hostname = <DNS> >> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >> pkinit_eku_checking = kpServerAuth >> pkinit_win2k_require_binding = false >> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >> >> [realms] >> EXAMPLE.COM = { >> kdc = kerberos.example.com >> admin_server = kerberos.example.com >> } >> JASONDOMAIN.JJ = { >> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMA...
2015 Jan 04
2
Use Samba with ACL for read Active Directory and set Permissions via it.
On 04/01/15 13:00, Rowland Penny wrote: > On 04/01/15 10:17, Jason Long wrote: >> Thanks a lot. >> I enter the command and result is : >> >> Using short domain name -- JASONDOMAINI >> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ' >> but after run "net rpc testjoin" : >> >> Unable to find a suitable server for domain