Quoting "Douglas E. Engert" <[EMAIL PROTECTED]>:
Pau Garcia i Quiles wrote:
Quoting Asier Baranguán <[EMAIL PROTECTED]>:
Hi all
Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
managed domain with a smartcard? I've read somewhere that this is not
possible with Samba3, but /could/ be possible with the Samba4 package.
Thanks
Although I have never tried it, it should be possible by
configuring Samba for PAM authentication
(http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html) and
using an appropriate PAM module, such as
http://www.opensc-project.org/pam_p11/
Actually what you want is the Kerberos PKINIT and a pam_krb5 that
understands PKINIT and can talk to a PKCS#11. Heimdal Kerberos
is part of newer versions of Samba. The Heimdal KDC then
accepts the PKINIT and returns Kerberos tickets. This is essentially
what Windows AD does today with smart card login. You login to the
domain.
The OpenSC and many other smart card pam logins only log you into the
local machine, not the domain.
Good to know PAM_KRB5 exists and can log into Samba.
I was thinking of a much simpler solution consisting of chaining two
PAM modules: PAM P11 would get the credentials from the Smartcard and
PAM Winbind or whatever would check they are valid.
See http://www.eyrie.org/~eagle/software/pam-krb5/
for a pam_krb5 that works with Heimdal and PKINIT.
PKINIT
http://www.ietf.org/rfc/rfc4557.txt
Even if PAM P11 is not ready for Samba use, it shouldn't be too
difficult (and take this with a grain of salt, given that PAM is
mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"
PAM P11 and one of the PAM modules included in Samba currently
(PAM password, PAM Winbind, etc).
PAM Winbind probably needs some updates to have it use the Heimdal
PKINIT and the PKCS#11.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)
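An added illustration of the two PAM approaches discussed in this thread, written for this page and not taken from any participant's message or from the pam_p11, pam-krb5 or Samba projects. The module names are real; the PKCS#11 library path, the exact option spellings and the fallback modules are assumptions to be checked against the man pages of the installed versions.

```conf
# Alternative A: chain pam_p11 with pam_winbind (the "simpler" idea).
# pam_p11 asks for the PIN, proves possession of the card's private key
# and checks the certificate against a list kept on THIS machine; no proof
# ever reaches the domain. pam_winbind then still needs a domain password,
# so the card verification does not become a domain credential. The result
# is a local smart card login, not a domain logon.
# (PKCS#11 library path is assumed.)
auth  required   pam_p11.so      /usr/lib/opensc-pkcs11.so
auth  required   pam_winbind.so

# Alternative B: pam_krb5 with PKINIT against the Heimdal KDC (domain logon).
# pam_krb5 performs PKINIT with the card via the PKCS#11 module; the KDC
# validates the certificate and issues a TGT, so the user is logged into the
# domain, as with Windows smart card logon. Without a card it falls back to
# a normal password. use_pkinit is a Heimdal-only option in pam-krb5
# (option names per pam-krb5's documentation; verify for your version).
auth  sufficient pam_krb5.so     use_pkinit pkinit_user=PKCS11:/usr/lib/opensc-pkcs11.so
auth  required   pam_unix.so     try_first_pass

account required pam_krb5.so
session optional pam_krb5.so
```

Only one of the two auth stacks belongs in a given PAM service file; they are shown together for comparison. For alternative B the KDC's trust anchors must also be configured (Heimdal reads them from krb5.conf, or pam-krb5 can be given a pkinit_anchors option), otherwise the certificate chain cannot be validated and PKINIT is refused.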
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba