similar to: Revocation with CRL doesn't work for smartcards

Thanks but I've actually tried that too. Not sure I put it in [kdc] section though, I can try again. Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > Hi, > > I have a smartcard which is revoked in the Certificate Revocation List > > (CRL) but I can still login. Seams

Ah, thank you, obviously this is a bug. Last comment (Łukasz Matyja 2016-04-01) says to have a fix, but how do I know if it has been added to bitbucket/samba? And if so, in which version? Or does the problem remain since the bugzilla case is still there? (Status: New) On Thu, Sep 21, 2017 at 10:52 PM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Thu, 21 Sep 2017

On Thu, 21 Sep 2017 22:08:51 +0200 Peter L via samba <samba at lists.samba.org> wrote: > Thanks but I've actually tried that too. Not sure I put it in [kdc] > section though, I can try again. > > Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > >

https://bugzilla.mindrot.org/show_bug.cgi?id=2328 Bug ID: 2328 Summary: Per-user certificate revocation list (CRL) in authorized_keys Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd

Unfortunately this does not work. Example: Yes, when i give it a few Days, the client will retrieve the actual crl faster. But the auth still works. I have tried it. I revoked an cert. Installed a new win10 client and joined the domain. After login with the revoked p12 cert on a yubikey, i can see he queries the CDP and still allows the login. With certutil and a cert in DER format, i tried

Hi, already asked in the openssl mailing list, but just in case you already went through this... I need a little help with Certificate Revocation Lists. I did setup client certificates filtering with apache and it seem to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is

Dear List, I self-host my e-mail and run Dovecot since ever I do that. Dovecot version is 2.3.4.1 (f79e8e7e4), running on Debian testing. Now I am trying to configure Dovecot for client TLS certificates. I have a self-signed certificate whose private key resides on a smartcard (Yubikey, to be exact). I wanted Dovecot to accept that TLS client certificate instead of a password. So I searched and

Hello, has anyone tried Samba 4 AD with SmartCard-Authentication and trust of chain certificates. So with root ca and intermediate ca? I followed the HowTo from the Samba Wiki, but there is only explained how you use with only a root ca. Then i tried it myself. I created a intermediate ca and some certs for the dc and user. But, i always ran into: NT_STATUS_PKINIT_FAILURE Yes, i have paid

Hello, a short history, I am using samba 4 with Debian 9 from the repository, 2 days ago the server was broken, but I was copy all the /var/lib/samba directory to a safe place, then I was installed a new server with the same Debian and samba from repository, and stopped smbd, nmbd and winbind, unmask samba-ad-dc and finally copied all the directory from the old server to the new server and started

Hello, As far as I can read in the Dovecot SSL configuration wiki page, each CA cert must be followed by the related CA CRL in the client certificate verification context ("ssl_ca_file" setting). In my company we do have our own PKI and as soon as Client certificate is compromised we do revoke it and update the related CA's CRL. Does that mean that I have to issue a new

On 20/07/2023 09:37, Hans Schulze via samba wrote: > I found an old bugzilla report for this behavior: > > https://bugzilla.samba.org/show_bug.cgi?id=9612 > > According to the statements in it, there was a patch already in version > 4.16 and in heimdal 8 last year? Which option must be in the krb5.conf? Sorry, but I read it slightly differently, there was a patch available,

Confusing. Github says that is open. Ok. My mistake. The question remains why the Windows clients allow login for an expired certificate despite a correctly loaded CRL. What is the purpose of specifying the CRL in smb.conf? It seems to me that the smartcard login is not really reliable. Then my users still have to log in with password. For now, as long as 4.19 is not yet released. Hans

Hi all, I'm new to this mailing list, so I apologize if my question is "obsolete" for you. I'd like to know if anybody has a clear idea about how to connect smartcards to the SSH framework. I yet got a modified ssh-agent (by Stephen Pellicer) that uses SSP-Lite (CyberflexAccess driver by me) in order to use the smartcard instead of the HD files. Instead, I'd like to

https://bugzilla.mindrot.org/show_bug.cgi?id=3659 Bug ID: 3659 Summary: Certificates are ignored when listing revoked items in a (binary) revocation list Product: Portable OpenSSH Version: 9.2p1 Hardware: All OS: All Status: NEW Severity: minor Priority: P5

Am 16. Juni 2019 um 15:53 Uhr +0300 schrieb Aki Tuomi via dovecot: > You will save yourself from world of hurt if you use a dummy ca to sign > you smartcard cert. You can try without generating a CRL. I see. I've done that now, but the effort required seems to be disproportionate. I'm just a single person. Requiring a full-blown CA setup is like cracking breakfast eggs with a

I found an old bugzilla report for this behavior: https://bugzilla.samba.org/show_bug.cgi?id=9612 According to the statements in it, there was a patch already in version 4.16 and in heimdal 8 last year? Which option must be in the krb5.conf? I have tried kdc_pkinit_revoke and pkinit_revoke. Both have no effect. Am 19.07.2023 um 14:27 schrieb Hans Schulze via samba: > Unfortunately this

Hi, I am not sure if this the right place for the question. Sorry if not ... My System: SuSE 9.2 OpenSSH 3.9p1 I have trouble to use a Smartcard with openssh. If i try to connect directly to the Smartcard, it fails: ssh -I 0:45 localhost card-etoken.c:175:etoken_check_sw: required access right not granted card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied

Hi I'm trying to use dovecot with client certificates. We produce our certificates with our on CA and we do NOT use certificate revocation lists. So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution neither in the wiki nor somewhere else, so I finally started to read the source. My impression is that openssl will always try to use CRLs. If

I've read the client ssl cert section in the wiki and it talks about using a self signed cert, if I am using a commercial cert, in this case godaddy, how do I implement a self signed cert for the client side and have dovecot make use of this? I know the mechanics of setting up the self signed ca, the question is more what configuration changes do I need to make in dovecot to handle both

http://bugzilla.mindrot.org/show_bug.cgi?id=1371 Summary: Add PKCS#11 (Smartcards) support into OpenSSH Product: Portable OpenSSH Version: 4.7p1 Platform: All URL: http://alon.barlev.googlepages.com/openssh-pkcs11 OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: