[Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 Smart card logon
I have finally found out that my problems had to do with wrong certificates. The commands I used to generate the certificates were taken from http://k5wiki.kerberos.org/wiki/Pkinit_configuration

I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 4, that's why I used the instructions for OpenSSL in the MIT Kerberos Wiki for the certificates in the first place). Using the hxtool I created new certificates and ... Success!

Now that Heimdal has been configured to accept PKINIT, it's time to configure Samba4 to know about the certificate. Can anyone point me where to look for Samba 4 configuration options for PKINIT?

Kind Regards,
Charalampos

-------- Original Message --------
Subject: Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date: Thu, 05 Jul 2012 13:04:21 +0300
From: Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org

Ok, I managed to solve some of my problems. I had typographic errors in my /etc/krb5.conf. Specifically I had

    [kdc]
    enable_pkinit = yes
    pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem

Changed to

    [kdc]
    enable-pkinit = yes
    pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem

I have also enabled debugging by stopping the samba service and starting samba with:

    samba -i -M single -d3

Tried again to test samba4kinit with certificate with:

    /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

which again produces

    samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

but I can at least see in the console this:

    Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
    Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
    Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
    Kerberos: PKINIT: Couldn't find signers certificate
    Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
    Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
    Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
    Kerberos: PKINIT: Couldn't find signers certificate
    Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN

-------- Original Message --------
Subject: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date: Thu, 05 Jul 2012 12:01:13 +0300
From: Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org

I've checked the source code and found out the enctypes I can test.

    /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

produces

    samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

For the rest of the enctypes

    /opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
    /opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
    /opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
    /opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

I get

    samba4kinit: krb5_get_init_creds: KDC has no support for encryption type

Looking on the Internet, I found a suggestion to write

    allow_weak_crypto = true

under [libdefaults] in /etc/krb5.conf, which I did, but I still get the same messages back. Can anyone understand what could be my problem?

-------- Original Message --------
Subject: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date: Wed, 04 Jul 2012 20:22:12 +0300
From: Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org

I have followed the instructions on http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created CA and certificates with OpenSSL. I changed the /etc/krb5.conf file to include the new CA and
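As an added example (not part of the thread), a small Python checker that flags the two misspelled [kdc] keys the poster hit and verifies the files named in the PKINIT identity exist. It also checks for a pkinit_anchors entry, which is a Heimdal [kdc] option not shown in the thread; the CA path /path/to/ca.pem in the corrected sample is a placeholder.

```python
import re
from pathlib import Path

# Key names from the thread's broken [kdc] section mapped to the spellings
# Heimdal's KDC actually reads (note the hyphen in enable-pkinit).
KNOWN_TYPOS = {"enable_pkinit": "enable-pkinit", "pkinit_identify": "pkinit_identity"}

# Constructed samples: the misspelled section from the thread, and the corrected
# one plus a pkinit_anchors entry naming the CA the KDC trusts (placeholder path).
BROKEN_CONF = """[kdc]
  enable_pkinit = yes
  pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
"""
FIXED_CONF = """[kdc]
  enable-pkinit = yes
  pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
  pkinit_anchors = FILE:/path/to/ca.pem
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} for top-level keys only."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_kdc_pkinit(text, file_exists=Path.is_file):
    """Return findings for the [kdc] PKINIT settings; an empty list means all checks passed."""
    findings = []
    kdc = parse_krb5_conf(text).get("kdc", {})
    for typo, fix in KNOWN_TYPOS.items():
        if typo in kdc:
            findings.append(f"'{typo}' is ignored by Heimdal; use '{fix}'")
    if kdc.get("enable-pkinit", "").lower() not in ("yes", "true"):
        findings.append("enable-pkinit is not set to yes")
    for key in ("pkinit_identity", "pkinit_anchors"):   # both are Heimdal [kdc] options
        value = kdc.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif value.startswith("FILE:"):
            for path in value[len("FILE:"):].split(","):
                if not file_exists(Path(path)):
                    findings.append(f"{key}: file not found: {path}")
    return findings
```

Run it against the real /etc/krb5.conf by passing its text with the default file_exists; the samples use a stubbed file_exists so they work offline.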
Re: [Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 Smart card logon
On 2012-07-12 10:47, Charalampos Anargyrou wrote: