Displaying 17 results from an estimated 17 matches for "pkinit_revoke".
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
...ile system:
> > ..../private/tls/mycrl.pem
> > > mycrl.pem
> > - Contains serial number 0x12ab
>
> The Heimdal code doing the SmartCard stuff doesn't know about the
> smb.conf, you need to configure this in krb5.conf.
>
> Something like:
>
> [kdc]
> pkinit_revoke = FILE:..../private/tls/mycrl.pem
>
> (Sadly this isn't used in our test scripts, so please test carefully
> and research the exact syntax further).
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authe...
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
Hi,
I have a smartcard which is revoked in the Certificate Revocation List
(CRL) but I can still login. Seems like the CRL check is not performed. Any
known bug around this?
Server setup:
- Samba 4.4 on Debian as AD DC
- Created domain MYDOM
- smb.conf (extract):
tls enabled = yes
tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
Client setup:
- Windows 7 machine as
2017 Sep 21
0
Revocation with CRL doesn't work for smartcards
...> > > > mycrl.pem
> > > - Contains serial number 0x12ab
> >
> > The Heimdal code doing the SmartCard stuff doesn't know about the
> > smb.conf, you need to configure this in krb5.conf.
> >
> > Something like:
> >
> > [kdc]
> > pkinit_revoke = FILE:..../private/tls/mycrl.pem
> >
> > (Sadly this isn't used in our test scripts, so please test carefully
> > and research the exact syntax further).
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett...
2023 Jul 14
1
Samba 4 AD SmartCard Authentication Problem
...{
default_domain = test.example.de
pkinit_require_eku = true
}
[domain_realm]
dc0 = TEST.EXAMPLE.DE
[kdc]
enable-pkinit = yes
pkinit_identity = FILE:/var/lib/samba/private/tls/dc0-cert.pem,/var/lib/samba/private/tls/secure/dc0-privkey.pem
pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
pkinit_revoke = FILE:/var/lib/samba/private/tls/inter.crl,/var/lib/samba/private/tls/root.crl
pkinit_principal_in_certificate = yes
pkinit_win2k = no
pkinit_win2k_require_binding = yes
My smb.conf:
# Global parameters
[global]
dns forwarder = 10.0.0.2
netbios name = DC0
realm = TEST.EXAMPLE.DE
ser...
2023 Jul 20
1
Samba 4 AD SmartCard Authentication Problem
I found an old bugzilla report for this behavior:
https://bugzilla.samba.org/show_bug.cgi?id=9612
According to the statements in it, there was a patch already in version
4.16 and in heimdal 8 last year? Which option must be in the krb5.conf?
I have tried kdc_pkinit_revoke and pkinit_revoke. Both have no effect.
On 19.07.2023 at 14:27, Hans Schulze via samba wrote:
> Unfortunately this does not work.
>
> Example: Yes, when I give it a few days, the client will retrieve the
> actual crl faster. But the auth still works.
>
> I have tried it. I rev...
2017 Sep 22
2
Revocation with CRL doesn't work for smartcards
...> - Contains serial number 0x12ab
> > >
> > > The Heimdal code doing the SmartCard stuff doesn't know about the
> > > smb.conf, you need to configure this in krb5.conf.
> > >
> > > Something like:
> > >
> > > [kdc]
> > > pkinit_revoke = FILE:..../private/tls/mycrl.pem
> > >
> > > (Sadly this isn't used in our test scripts, so please test carefully
> > > and research the exact syntax further).
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> >...
2023 Jul 19
1
Samba 4 AD SmartCard Authentication Problem
Unfortunately this does not work.
Example: Yes, when I give it a few days, the client will retrieve the
actual crl faster. But the auth still works.
I have tried it. I revoked a cert. Installed a new win10 client and
joined the domain. After login with the revoked p12 cert on a yubikey, I
can see he queries the CDP and still allows the login.
With certutil and a cert in DER format, I tried
2023 Jul 28
0
[Announce] Samba 4.19.0rc1 Available for Download
...-------
Samba will now correctly honour the revocation of 'smart card'
certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action
other than replacing the file is required. The additional krb5.conf
option is:
  [kdc]
    pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Protocol level testsuite for (Smart Card Logon) PKINIT
------------------------------------------------------
Previously Samba's PKIN...
2023 Aug 08
1
[Announce] Samba 4.19.0rc2 Available for Download
...-------
Samba will now correctly honour the revocation of 'smart card'
certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action
other than replacing the file is required. The additional krb5.conf
option is:
  [kdc]
    pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Protocol level testsuite for (Smart Card Logon) PKINIT
------------------------------------------------------
Previously Samba's PKIN...
2023 Aug 18
0
[Announce] Samba 4.19.0rc3 Available for Download
...-------
Samba will now correctly honour the revocation of 'smart card'
certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action
other than replacing the file is required. The additional krb5.conf
option is:
  [kdc]
    pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Protocol level testsuite for (Smart Card Logon) PKINIT
------------------------------------------------------
Previously Samba's PKIN...
2023 Aug 28
0
[Announce] Samba 4.19.0rc4 Available for Download
...-------
Samba will now correctly honour the revocation of 'smart card'
certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action
other than replacing the file is required. The additional krb5.conf
option is:
  [kdc]
    pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Protocol level testsuite for (Smart Card Logon) PKINIT
------------------------------------------------------
Previously Samba's PKIN...
2023 Sep 04
0
[Announce] Samba 4.19.0 Available for Download
...-------
Samba will now correctly honour the revocation of 'smart card'
certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action
other than replacing the file is required. The additional krb5.conf
option is:
  [kdc]
    pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Protocol level testsuite for (Smart Card Logon) PKINIT
------------------------------------------------------
Previously Samba's PKIN...