I have finally found out that my problems had to do with wrong certificates.
The commands I used to generate the certificates were taken from
http://k5wiki.kerberos.org/wiki/Pkinit_configuration
I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 4,
that's why I used the instructions for OpenSSL in MIT Kerberos Wiki for
the certificates in the first place).
Using the hxtool I created new certificates and ...
Success!
Now that Heimdal has been configured to accept PKINIT, it's time to
configure Samba4 to know about the certificate.
Can anyone point me where to look for Samba 4 configuration options for
PKINIT?
Kind Regards,
Charalampos
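An OpenSSL route to the same three certificates, added here as an example that is not from this thread, Samba or Heimdal: it follows the extension layout documented on the MIT PKINIT wiki page linked above (otherName SAN carrying a KRB5PrincipalName, and the id-pkinit-KPKdc / id-pkinit-KPClientAuth extended key usages) and then checks each certificate the way you would want to before pointing pkinit_identity or --pk-user at it. The realm is the one from the krb5.conf posted below; the user principal name virusakos, the CN values and the output directory are assumptions. Which of these fields the KDC and client actually insist on is governed by the pkinit_require_eku, pkinit_require_krbtgt_otherName and pkinit_principal_in_certificate settings in krb5.conf, so keep those in mind when reading a verification failure.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or Heimdal): mint a PKINIT CA, KDC
# cert and user cert with OpenSSL using the extension layout from the MIT
# PKINIT wiki, then check each cert before handing it to the KDC or kinit.
# Assumed (not in the thread): user principal, CN values, output directory.
set -eu
REALM="${REALM:-SERVER.CENTOSDOMAIN}"   # realm from the posted krb5.conf
USER_PRINC="${USER_PRINC:-virusakos}"  # assumed user principal name
OUT="${OUT:-$(mktemp -d)}"
export REALM USER_PRINC                # referenced as ${ENV::...} in the config

# subjectAltName otherName 1.3.6.1.5.2.2 carries a KRB5PrincipalName
# (RFC 4556 3.2.2); EKU 1.3.6.1.5.2.3.5 is id-pkinit-KPKdc, 1.3.6.1.5.2.3.4
# is id-pkinit-KPClientAuth; name_type 1 is NT-PRINCIPAL.
write_config() {
  cat > "$OUT/pkinit.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = overridden by -subj
[ca_cert]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ
[kdc_princ]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_princ_name
[kdc_princ_name]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_princ_strings
[kdc_princ_strings]
s1 = GeneralString:krbtgt
s2 = GeneralString:${ENV::REALM}
[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:client_princ
[client_princ]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:client_princ_name
[client_princ_name]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:client_princ_strings
[client_princ_strings]
s1 = GeneralString:${ENV::USER_PRINC}
EOF
}

# Key + CSR, then sign with the CA using the named extension section.
issue() { # name subject extension-section
  openssl req -new -newkey rsa:2048 -nodes -config "$OUT/pkinit.cnf" \
    -subj "$2" -keyout "$OUT/$1.key" -out "$OUT/$1.csr" 2>/dev/null
  openssl x509 -req -in "$OUT/$1.csr" -CA "$OUT/ca.pem" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 365 -extfile "$OUT/pkinit.cnf" -extensions "$3" \
    -out "$OUT/$1.pem" 2>/dev/null
}

make_certs() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -extensions ca_cert \
    -config "$OUT/pkinit.cnf" -subj "/O=Example/CN=PKINIT test CA" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.pem" 2>/dev/null
  issue kdc "/O=Example/CN=kdc.$REALM" kdc_cert
  issue client "/O=Example/CN=$USER_PRINC" client_cert
}

# Chain check plus the two PKINIT-specific extensions; the EKU regex accepts the
# raw OID or OpenSSL's long name for it. Returns 1 with a reason on failure.
check_cert() { # name eku-regex
  f="$OUT/$1.pem"
  openssl verify -CAfile "$OUT/ca.pem" "$f" >/dev/null 2>&1 \
    || { echo "$1: does not chain to ca.pem"; return 1; }
  t=$(openssl x509 -in "$f" -noout -text)
  printf '%s\n' "$t" | grep -Eq "$2" \
    || { echo "$1: PKINIT extendedKeyUsage missing"; return 1; }
  printf '%s\n' "$t" | grep -qi othername \
    || { echo "$1: no otherName SAN, so no KRB5PrincipalName"; return 1; }
  echo "$1: OK"
}
KDC_EKU='Signing KDC Response|1\.3\.6\.1\.5\.2\.3\.5'
CLIENT_EKU='PKINIT Client Auth|1\.3\.6\.1\.5\.2\.3\.4'

make_certs
check_cert kdc "$KDC_EKU"
check_cert client "$CLIENT_EKU"
echo "[kdc] pkinit_identity = FILE:$OUT/kdc.pem,$OUT/kdc.key"
```

The last line prints the pkinit_identity value to paste into the [kdc] section; the client side takes the matching FILE: reference to client.pem (and client.key) via --pk-user. Running the KDC check against the client certificate, or the other way round, should fail on the EKU step, which is a quick way to make sure the two files have not been swapped.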
-------- Original Message --------
Subject: Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: Thu, 05 Jul 2012 13:04:21 +0300
From: Charalampos Anargyrou <[email protected]>
To: [email protected]
Ok, I managed to solve some of my problems
I had typographic errors in my /etc/krb5.conf
Specifically I had
[kdc]
enable_pkinit = yes
pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
Changed to
[kdc]
enable-pkinit = yes
pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
I have also enabled debugging by stopping the samba service and started
samba with:
samba -i -M single -d3
Tried again to test samba4kinit with certificate with:
/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem [email protected]
which again produces
samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
but I can at least see in the console this:
Kerberos: AS-REQ [email protected] from ipv4:172.16.9.134:49289 for krbtgt/[email protected]
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- [email protected]
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- [email protected]
Kerberos: Looking for ENC-TS pa-data -- [email protected]
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
Kerberos: AS-REQ [email protected] from ipv4:172.16.9.134:44976 for krbtgt/[email protected]
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- [email protected]
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- [email protected]
Kerberos: Looking for ENC-TS pa-data -- [email protected]
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
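A check that would have caught both typos above before restarting samba, added here as an example that is not from this thread, Samba or Heimdal: a POSIX shell/awk pass over the [kdc] section of a Heimdal-style krb5.conf that reports option names outside a known list and suggests the nearest one. The known list is an assumption: it holds the [kdc] PKINIT options that appear in this thread plus a few from the Heimdal krb5.conf(5) manual, so compare it with the manual of the Heimdal version actually built into your Samba. The two sample files are constructed from the broken and corrected [kdc] blocks posted above.

```shell
#!/bin/sh
# Added example, not from the thread, Samba or Heimdal: lint the [kdc] section
# of a Heimdal-style krb5.conf for option names the KDC will not recognise.
# KNOWN_KDC_KEYS is an assumption: the [kdc] PKINIT options seen in this thread
# plus a few from Heimdal's krb5.conf(5); check it against your Heimdal version.
set -eu
KNOWN_KDC_KEYS="enable-pkinit pkinit_identity pkinit_anchors pkinit_pool
pkinit_revoke pkinit_mappings_file pkinit_win2k_require_binding
pkinit_principal_in_certificate pkinit_allow_proxy_certificate pkinit_dh_min_bits"

# Print the option names directly under [section], skipping keys inside
# Heimdal's "name = { ... }" sub-blocks (as used under [realms]).
conf_keys() { # file section
  awk -v want="$2" '
    /^[ \t]*\[.*\][ \t]*$/ { s = $0; gsub(/[ \t]/, "", s); sect = substr(s, 2, length(s) - 2); depth = 0; next }
    sect != want           { next }
    /=[ \t]*[{][ \t]*$/    { depth++; next }
    /^[ \t]*[}]/           { depth--; next }
    depth == 0 && /=/      { k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k); print k }
  ' "$1"
}

is_known() { for c in $KNOWN_KDC_KEYS; do [ "$c" = "$1" ] && return 0; done; return 1; }

# Nearest known option, crudely: same name once '_' and '-' are unified, or
# same length and identical up to the last two characters (identify/identity).
suggest() { # key
  n=$(printf '%s' "$1" | tr '_' '-')
  for c in $KNOWN_KDC_KEYS; do
    cn=$(printf '%s' "$c" | tr '_' '-')
    if [ "$n" = "$cn" ] || { [ ${#n} -eq ${#cn} ] && [ "${n%??}" = "${cn%??}" ]; }; then
      printf '%s\n' "$c"; return 0
    fi
  done
  return 1
}

# Report each unknown [kdc] option with a hint; exit status 1 if any were found.
lint_kdc_pkinit() { # file
  rc=0
  for k in $(conf_keys "$1" kdc); do
    is_known "$k" && continue
    hint=$(suggest "$k") && hint=" (did you mean $hint?)" || hint=""
    printf '[kdc] unknown option: %s%s\n' "$k" "$hint"
    rc=1
  done
  return $rc
}

# Constructed samples: the [kdc] block as first posted in the thread, and the
# corrected one.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
  default_realm = SERVER.CENTOSDOMAIN
[realms]
  SERVER.CENTOSDOMAIN = {
    pkinit_win2k = yes
  }
[kdc]
  enable_pkinit = yes
  pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
EOF
cat > "$GOOD_CONF" <<'EOF'
[kdc]
  enable-pkinit = yes
  pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
  pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
EOF
lint_kdc_pkinit "$BAD_CONF" || echo "fix the options above before restarting samba"
lint_kdc_pkinit "$GOOD_CONF" && echo "no unknown [kdc] options"
```

Run it as `lint_kdc_pkinit /etc/krb5.conf` after every edit; the KDC itself does not complain about an option it does not know, it simply behaves as if the line were absent, which is why the broken config above produced "No preauth found" rather than a configuration error.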
-------- Original Message --------
Subject: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: Thu, 05 Jul 2012 12:01:13 +0300
From: Charalampos Anargyrou <[email protected]>
To: [email protected]
I've checked the source code and found out the enctypes I can test
/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem [email protected]
produces
samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
For the rest of the enctypes
/opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem [email protected]
/opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem [email protected]
/opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem [email protected]
/opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem [email protected]
I get
samba4kinit: krb5_get_init_creds: KDC has no support for encryption type
Looking on the Internet, I found a suggestion to write
allow_weak_crypto = true
under
[libdefaults]
in /etc/krb5.conf, which I did, but I still get the same messages back
Can anyone understand what could be my problem?
-------- Original Message --------
Subject: Fwd: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: Wed, 04 Jul 2012 20:22:12 +0300
From: Charalampos Anargyrou <[email protected]>
To: [email protected]
I have followed the instructions on
http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created CA and
certificates with OpenSSL
I changed the /etc/krb5.conf file to include the new CA and certificates
I still get
samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
So I thought there must be something wrong with the configuration and
not with the certificates
I switched back to the previous configuration I was using when I was
getting the certificate not found error but I am still getting
samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
That sounds to me like there is some cache I have to clean.
Am I right?
How can I 'reset' Samba so I can start over?
-------- Original Message --------
Subject: Re: [Samba] Fwd: Re: Samba 4 & Smart card logon
Date: Wed, 04 Jul 2012 12:50:05 +0300
From: Charalampos Anargyrou <[email protected]>
To: Andrew Bartlett <[email protected]>
CC: [email protected]
I didn't know I couldn't use kadmin.
It makes sense now.
What I tried is to start with the Heimdal config from the start.
I did:
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
to get the generated krb5.conf
Restarted Samba and checked kinit, which worked correctly.
I cleared the tickets cache with kdestroy.
I then changed /etc/krb5.conf to:
[libdefaults]
default_realm = SERVER.CENTOSDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
[appdefaults]
pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
[realms]
SERVER.CENTOSDOMAIN = {
pkinit_require_eku = true
pkinit_require_krbtgt_otherName = true
pkinit_win2k = yes
pkinit_win2k_require_binding = no
}
[kdc]
enable_pkinit = yes
pkinit_identify = FILE:/home/virusakos/Downloads/server.centosdomain.pem
pkinit_anchors =FILE:/home/virusakos/Downloads/SuperCA.pem
pkinit_win2k_require_binding = yes
pkinit_principal_in_certificate = yes
I created /usr/local/samba/var/heimdal/pki-mapping with contents:
[email protected]:C=GR,O=Byte Computers,CN=virusakos,UID=virusakos
[email protected]:CN=virusakos,UID=virusakos
Restarted Samba and checked kinit without any options, which worked
correctly.
I cleared the tickets cache with kdestroy and then tried the following:
/opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virus.pem [email protected]
There is no virus.pem so obviously I got
samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert certs: Failed to open PEM file "/home/virusakos/Downloads/virus.pem": No such file or directory
Trying again with the correct certificate file:
/opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virusakos.pem [email protected]
Now, the error is different:
samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
Any hints for the new error?
Does it sound like a configuration error or a certificate error?
Kind Regards,
Charalampos
On 7/4/12 2:39 AM, Andrew Bartlett wrote:
On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
I still have no clue what's going on.
In my attempt to find out what's happening, I found out I hadn't done
either 4.23.1 or 4.23.2 in the Heimdal guide (
http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )
So I tried 4.23.2 i.e.:
kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR" [email protected]
and I received this error:
kadmin: invalid option -- '-'
I then tried to do:
kadmin
to get into interactive mode so I can issue the modify command but I
receive this error:
Authenticating as principal Administrator/[email protected] with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
I was puzzled with the Administrator/admin so next I tried:
kadmin [email protected]
with yet another error:
Authenticating as [email protected] with password.
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
I also tried enabling debugging by using the instructions in
http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html
but I don't see any error messages
1) How can I enable debugging? I'm on CentOS 6.2
2) According to the above, does it look like my installation is broken?
Or is there something I am missing?
You can not use kadmin against Samba4 (we just don't expose the
interfaces needed, sorry), and the configuration we test in our selftest
doesn't need it. This can all be done with just config file entries.
Andrew Bartlett
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba