[Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 Smart card logon

2012-07-12 Thread Charalampos Anargyrou


I have finally found out that my problems had to do with wrong certificates.

The commands I used to generate the certificates were taken from 
http://k5wiki.kerberos.org/wiki/Pkinit_configuration
I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 4; 
that's why I used the instructions for OpenSSL in the MIT Kerberos Wiki for 
the certificates in the first place).

Using the hxtool I created new certificates and ...
Success!

Now that Heimdal has been configured to accept PKINIT, it's time to 
configure Samba4 to know about the certificate.


Can anyone point me where to look for Samba 4 configuration options for 
PKINIT?


Kind Regards,
Charalampos


 Original Message 
Subject: Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date:   Thu, 05 Jul 2012 13:04:21 +0300
From:   Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org



Ok, I managed to solve some of my problems.

I had typographic errors in my /etc/krb5.conf.
Specifically I had:

[kdc]
enable_pkinit = yes
pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem


Changed to:

[kdc]
enable-pkinit = yes
pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem



I have also enabled debugging by stopping the samba service and started 
samba with:


samba -i -M single -d3


Tried again to test samba4kinit with certificate with:

/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN


which again produces

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

but I can at least see in the console this:

Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN

Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN





 Original Message 
Subject: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date:   Thu, 05 Jul 2012 12:01:13 +0300
From:   Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org



I've checked the source code and found out the enctypes I can test.

/opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN


produces

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping


For the rest of the enctypes

/opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
/opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN


I get

samba4kinit: krb5_get_init_creds: KDC has no support for encryption type


Looking on the Internet, I found a suggestion to write

allow_weak_crypto = true

under

[libdefaults]

in /etc/krb5.conf, which I did, but I still get the same messages back.


Can anyone understand what my problem could be?



 Original Message 
Subject: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date:   Wed, 04 Jul 2012 20:22:12 +0300
From:   Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org



I have followed the instructions on 
http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created a CA and 
certificates with OpenSSL.

I changed the /etc/krb5.conf file to include the new CA and 

Re: [Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 Smart card logon

2012-07-12 Thread Gémes Géza

On 2012-07-12 10:47, Charalampos Anargyrou wrote:

