Pau Garcia i Quiles wrote:
Quoting Asier Baranguán <[EMAIL PROTECTED]>:

Hi all

Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
managed domain with a smartcard? I've read somewhere that this is not
possible with Samba3, but /could/ be possible with the Samba4 package.

Thanks

Although I have never tried it, it should be possible by configuring Samba for PAM authentication (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html) and using an appropriate PAM module, such as http://www.opensc-project.org/pam_p11/

Actually what you want is Kerberos PKINIT and a pam_krb5 that
understands PKINIT and can talk to a PKCS#11 module. Heimdal Kerberos
is part of newer versions of Samba. The Heimdal KDC then
accepts the PKINIT and returns Kerberos tickets. This is essentially
what Windows AD does today with smart card login. You log in to the
domain.

The OpenSC and many other smart card PAM logins only log you into the
local machine, not the domain.

See http://www.eyrie.org/~eagle/software/pam-krb5/
for a pam_krb5 that works with Heimdal and PKINIT.

PKINIT
http://www.ietf.org/rfc/rfc4557.txt


Even if PAM P11 is not ready for Samba use, it shouldn't be too difficult (and take this with a grain of salt, given that PAM is mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging" PAM P11 and one of the PAM modules included in Samba currently (PAM password, PAM Winbind, etc).

pam_winbind probably needs some updates to have it use the Heimdal
PKINIT and the PKCS#11 module.


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
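The pieces Douglas lists, wired together as an added example (this is not code from the thread, from Samba or from the Heimdal project): a Heimdal KDC with PKINIT enabled, a Linux client whose PAM stack uses Russ Allbery's pam-krb5 with the OpenSC PKCS#11 module, and the local-only pam_p11 stack beside it for contrast. The realm, hostnames, paths, the user name and the PAM module file names are assumptions; the hxtool, kdc.conf, krb5.conf and pam-krb5 options are Heimdal's and pam-krb5's documented ones, except `--ms-upn`, which I assume is the hxtool option for adding a Microsoft UPN SAN. The functions only print configuration so the script runs anywhere; `issue_certs` and `check_pkinit` are the commands to run by hand on the KDC and on the client.

```shell
#!/bin/sh
# Added example: PKINIT smart card login against a Heimdal KDC.
# Everything below the comment line is an assumption for illustration.
set -u

REALM="EXAMPLE.COM"                        # assumed realm
KDC_HOST="kdc.example.com"                 # assumed KDC hostname
PKI_DIR="/var/heimdal/pki"                 # assumed cert/key location on the KDC
P11_MODULE="/usr/lib/opensc-pkcs11.so"     # OpenSC PKCS#11 module; path varies by distro
USER_PRINC="alice@$REALM"                  # assumed user

# 1. Certificates (run on the KDC). PKINIT authenticates with certificates, so
#    the KDC needs a cert carrying the KDC EKU and krbtgt/REALM as a SAN, and
#    the user a cert with the client EKU and her principal as a SAN; hxtool's
#    --type=pkinit-kdc / --type=pkinit-client set those. --generate-key=rsa
#    makes a software key for a first test; for a real card, generate the key
#    on the card and have this CA sign a request from it instead. The UPN SAN
#    is what a Windows XP workstation uses to find the account (--ms-upn assumed).
issue_certs() {
    hxtool issue-certificate --self-signed --issue-ca --generate-key=rsa \
        --subject="CN=Kerberos CA,DC=example,DC=com" --lifetime=10years \
        --certificate="FILE:$PKI_DIR/ca.pem"
    hxtool issue-certificate --ca-certificate="FILE:$PKI_DIR/ca.pem" \
        --generate-key=rsa --type=pkinit-kdc \
        --pk-init-principal="krbtgt/$REALM@$REALM" --hostname="$KDC_HOST" \
        --subject="CN=kdc,DC=example,DC=com" \
        --certificate="FILE:$PKI_DIR/kdc.pem"
    hxtool issue-certificate --ca-certificate="FILE:$PKI_DIR/ca.pem" \
        --generate-key=rsa --type=pkinit-client \
        --pk-init-principal="$USER_PRINC" --ms-upn="alice@example.com" \
        --subject="UID=alice,DC=example,DC=com" \
        --certificate="FILE:$PKI_DIR/alice.pem"
}

# 2. KDC side (kdc.conf): enable PKINIT, point it at its own identity and at the
#    CA it accepts client certs from. Proxy certs are refused and the Win2k-style
#    checksum binding is required so a client cannot skip it.
kdc_conf() {
    cat <<EOF
[kdc]
    enable-pkinit = yes
    pkinit_identity = FILE:$PKI_DIR/kdc.pem
    pkinit_anchors = FILE:$PKI_DIR/ca.pem
    pkinit_allow_proxy_certificate = no
    pkinit_win2k_require_binding = yes
EOF
}

# 3. Client side (krb5.conf): which KDC to talk to and which CA it must chain to.
#    Without a trusted anchor the client cannot verify the KDC's PKINIT reply.
krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
[realms]
    $REALM = {
        kdc = $KDC_HOST
    }
[appdefaults]
    pkinit_anchors = FILE:/etc/krb5/ca.pem
EOF
}

# 4a. The local-only stack the thread warns about: pam_p11 checks that the card
#     holds the key matching the local user's authorized certificate and stops
#     there. Nothing is sent to the KDC, so no domain ticket results.
local_only_pam() {
    cat <<EOF
auth  sufficient  pam_p11.so $P11_MODULE
auth  required    pam_unix.so
EOF
}

# 4b. The domain stack: pam-krb5 drives the card through PKCS#11 to sign the
#     AS-REQ pre-authentication; the KDC answers with a TGT for the realm.
#     try_pkinit falls back to a password if no card is present.
domain_pam() {
    cat <<EOF
auth     sufficient  pam_krb5.so minimum_uid=1000 try_pkinit pkinit_prompt pkinit_user=PKCS11:$P11_MODULE
auth     required    pam_unix.so try_first_pass
account  required    pam_krb5.so
session  optional    pam_krb5.so
EOF
}

# 5. Manual check on the client before touching PAM: get a TGT with the card
#    (Heimdal kinit -C takes the same identity string as pkinit_user), then
#    list it to confirm the ticket came back from the realm's KDC.
check_pkinit() {
    kinit -C "PKCS11:$P11_MODULE" "$USER_PRINC" && klist
}

# Small helper: how many lines of a generated config match a pattern.
count_matches() {    # $1 = generator function, $2 = grep pattern
    "$1" | grep -c "$2" || true
}

kdc_conf
krb5_conf
domain_pam
```

The part of the thread this cannot cover is the XP workstation itself: Winlogon does PKINIT on its own without PAM, so it needs a KDC it can locate for the domain (Samba 3 ships none, which is why the answer points at the Samba 4 tree's Heimdal) and a user certificate whose SAN carries a UPN the domain can map to the account.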
