Hello Andrew,
Thanks for your reply.
Yes, I could fill in the wiki if I manage to make it work :-)
I'm trying to test the Kerberos configuration with the certificates I
have created.
I'm getting this error:

samba4kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found

using this command:

samba4kinit --pk-user=FILE:/home/myuser/Downloads/myuser.pem --pk-enterprise

Does the error mean my certificates are wrong or does it mean I have not
configured Kerberos properly?
Here is my /etc/krb5.conf:

[libdefaults]
    default_realm = SERVER.CENTOSDOMAIN
    dns_lookup_realm = true
    dns_lookup_kdc = true

[appdefaults]
    pkinit_anchors = FILE:/usr/local/samba/private/tls/SuperCA.pem

[realms]
    SERVER.CENTOSDOMAIN = {
        kdc = server.centosdomain:88
        default_domain = centosdomain
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = true
        pkinit_win2k = no
        pkinit_win2k_require_binding = yes
    }

[domain_realm]
    .centosdomain = SERVER.CENTOSDOMAIN
    centosdomain = SERVER.CENTOSDOMAIN

[kdc]
    enable-pkinit = yes
    pkinit_identify = FILE:/usr/local/samba/private/tls/server.centosdomain.pem
    pkinit_anchors = FILE:/usr/local/samba/private/tls/SuperCA.pem
    pkinit_win2k_require_binding = yes
    pkinit_principal_in_certificate = yes

Any ideas how to find out what's wrong?
Kind Regards,
Charalampos
On 7/3/12 1:26 AM, Andrew Bartlett wrote:
> On Mon, 2012-07-02 at 17:24 +0300, Charalampos Anargyrou wrote:
> > Hello list,
> > I have installed and configured a domain with Samba version
> > 4.0.0beta2-GIT-7e80b89 on a CentOS 6.2
> > I can successfully join a Windows PC in the domain (both Windows XP and
> > Windows 7 tested)
> > Now, I am trying to move a step forward and I would like to configure
> > Samba to accept Windows smart card logon
> > This is a requirement for a project I am involved in
> > I have already installed the required client on Windows and I have a
> > smart card for testing
> > I have already installed EJBCA as my CA on CentOS 6.2
> > On Samba wiki the how-to in
> > http://wiki.samba.org/index.php/Samba4/Smart_Card_Login is not ready, so
> > if anyone can help I will appreciate it
> > According to the headers in the how-to, I have to configure Heimdal to
> > accept PKINIT
> > I found a guide on
> > http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
> > I've also found a guide on
> > http://k5wiki.kerberos.org/wiki/Pkinit_configuration for MIT Kerberos
> > which has some more info on the certificates
> > I have created the Kerberos certificate according to what I have
> > understood from the guides but I don't know how to test if the
> > certificate is correct
> > So, my first question is how to test if the Kerberos certificate is correct?
> > Second question is when I create a client certificate (I think I
> > understood from the guides how to create) how I will test it?
> > Will a kinit command like "kinit -C FILE:$HOME/clientcert.crt
> > example-user@EXAMPLE-DOMAIN" be enough to test the client certificate?
>
> I think so, see testprogs/blackbox/test_pkinit.sh for our tests of this
> functionality.
>
> > And a final question (for now) is if there is any kind of documentation
> > related to "Configure Samba4 to know about the certificate" and where I
> > can find it?
>
> Sorry, while some have had success with this, we didn't end up getting
> it documented. If you could fill in the wiki with your experiences,
> that would be most valuable to others!
>
> Andrew Bartlett
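
Added example, not part of the original thread and not Samba or Heimdal code: a shell check of what a FILE: identity such as the one passed to --pk-user above actually contains, since a PKINIT client identity needs a certificate together with its private key. It assumes the Heimdal FILE: form that lists certificate and key files separated by commas, as in the Heimdal guide linked in the thread; pk_identity_check is a hypothetical helper name and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report what a PKINIT "FILE:" identity spec contains.
# Returns 0 only if the listed files hold a certificate AND a private key,
# 1 if one of them is missing, 2 if the spec or a file cannot be read.
pk_identity_check() {
    case $1 in
        FILE:*) paths=${1#FILE:} ;;
        *) echo "unsupported spec (expected FILE:...): $1" >&2; return 2 ;;
    esac
    certs=0; keys=0
    old_ifs=$IFS; IFS=,          # assumption: comma separates cert and key files
    set -f; set -- $paths; set +f
    IFS=$old_ifs
    for f in "$@"; do
        [ -r "$f" ] || { echo "$f: not readable" >&2; return 2; }
        # grep -c exits 1 on zero matches, so keep the count and ignore the status
        c=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
        k=$(grep -c -E -e '^-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----' "$f" || true)
        echo "$f: certificates=$c private_keys=$k"
        certs=$((certs + c)); keys=$((keys + k))
    done
    if [ "$certs" -ge 1 ] && [ "$keys" -ge 1 ]; then
        echo "OK: certificate and private key both present"; return 0
    fi
    if [ "$certs" -eq 0 ]; then echo "MISSING: no certificate block"; fi
    if [ "$keys" -eq 0 ]; then echo "MISSING: no private key block"; fi
    return 1
}

# Demo on constructed files: PEM marker lines only, no real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/myuser.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo/myuser.key"
pk_identity_check "FILE:$demo/myuser.pem" || true                  # certificate only
pk_identity_check "FILE:$demo/myuser.pem,$demo/myuser.key" || true # both present
rm -rf "$demo"
```

The check only looks at PEM block markers; it does not validate the certificate chain, the EKU, or that the key matches the certificate.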