search for: pkinit_revoke

...ile system: > > ..../private/tls/mycrl.pem > > > mycrl.pem > > - Contains serial number 0x12ab > > The Heimdal code doing the SmartCard stuff doens't know about the > smb.conf, you need to configure this in krb5.conf. > > Something like: > > [kdc] > pkinit_revoke = FILE:..../private/tls/mycrl.pem > > (Sadly this isn't used in our test scripts, so please test carefully > and research the exact syntax further). > > Sorry, > > Andrew Bartlett > > -- > Andrew Bartlett http://samba.org/~abartlet/ > Authe...

Hi, I have a smartcard which is revoked in the Certificate Revocation List (CRL) but I can still login. Seams like the CRL check is not performed. Any known bug around this? Server setup: - Samba 4.4 on Debian as AD DC - Created domain MYDOM - smb.conf (extract): tls enabled = yes tls crlfile = tls/mycrl.pem (default is to look under private/ folder) Client setup: - Windows 7 machine as

...gt; > > > mycrl.pem > > > - Contains serial number 0x12ab > > > > The Heimdal code doing the SmartCard stuff doens't know about the > > smb.conf, you need to configure this in krb5.conf. > > > > Something like: > > > > [kdc] > > pkinit_revoke = FILE:..../private/tls/mycrl.pem > > > > (Sadly this isn't used in our test scripts, so please test carefully > > and research the exact syntax further). > > > > Sorry, > > > > Andrew Bartlett > > > > -- > > Andrew Bartlett...

...{ default_domain = test.example.de pkinit_require_eku = true } [domain_realm] dc0 = TEST.EXAMPLE.DE [kdc] enable-pkinit = yes pkinit_identity = FILE:/var/lib/samba/private/tls/dc0-cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tls/root.crl pkinit_principal_in_certificate = yes pkinit_win2k = no pkinit_win2k_require_binding = yes | My smb.conf: || |||# Global parameters [global] dns forwarder = 10.0.0.2 netbios name = DC0 realm = TEST.EXAMPLE.DE ser...

I found an old bugzilla report for this behavior: https://bugzilla.samba.org/show_bug.cgi?id=9612 According to the statements in it, there was a patch already in version 4.16 and in heimdal 8 last year? Which option must be in the krb5.conf? I have tried kdc_pkinit_revoke and pkinit_revoke. Both have no effect. Am 19.07.2023 um 14:27 schrieb Hans Schulze via samba: > Unfortunately this does not work. > > Example: Yes, when i give it a few Days, the client will retrieve the > actual crl faster. But the auth still works. > > I have tried it. I rev...

...gt; - Contains serial number 0x12ab > > > > > > The Heimdal code doing the SmartCard stuff doens't know about the > > > smb.conf, you need to configure this in krb5.conf. > > > > > > Something like: > > > > > > [kdc] > > > pkinit_revoke = FILE:..../private/tls/mycrl.pem > > > > > > (Sadly this isn't used in our test scripts, so please test carefully > > > and research the exact syntax further). > > > > > > Sorry, > > > > > > Andrew Bartlett > > > > >...

Unfortunately this does not work. Example: Yes, when i give it a few Days, the client will retrieve the actual crl faster. But the auth still works. I have tried it. I revoked an cert. Installed a new win10 client and joined the domain. After login with the revoked p12 cert on a yubikey, i can see he queries the CDP and still allows the login. With certutil and a cert in DER format, i tried

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...

...------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required.? The additional krb5.conf option is: ?[kdc] ?? ?pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: ?https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKIN...