This seems like a question for the samba-technical list. I have added it to the Cc list. The Heimdal mailing list might also be able to help.
2010/10/5 Николай Домуховский <nick2005...@gmail.com>:
> Hello.
> As I can see in this post: https://jira.it.su.se/jira/browse/HEIMDAL-241,
> at least Samba 4.0.0alpha5 supported Smart Card logon for Windows XP
> workstations.
> The current version (Version 4.0.0alpha14-GIT-77d959f+) does not support
> smart card logon on a Windows XP workstation (but Windows 7 works well).
> I tried to compare Kerberos traffic examples from a genuine domain
> controller and Samba's response and found at least one difference,
> which could be the cause of the issue: Samba (in fact, Heimdal) generates
> a PA-PK-AS-REP which violates RFC 3852 (cryptographic message syntax).
> RFC 3852 says:
>
>     If the RecipientIdentifier
>     is the CHOICE issuerAndSerialNumber, then the version MUST be 0.
>     If the RecipientIdentifier is subjectKeyIdentifier, then the
>     version MUST be 2.
>
> But Heimdal uses subjectKeyIdentifier in the response and version number
> 0. MS uses issuerAndSerialNumber.
> I tried to force Heimdal to use issuerAndSerialNumber in the response (simply
> by commenting out the if statement in the hx509_cms_create_signed function and
> making sigctx.cmsidflag always equal to CMS_ID_NAME), but this didn't work:
> even after that, the response from Samba contains subjectKeyIdentifier and
> version number 0. So I think that maybe this is a Heimdal bug and
> there is some workaround - if you know it, please tell me.
>
> In addition, here are the parsing results of Krb5 AS-REP packet fragments (I
> used Netmon 3.4 - it is somewhat better than Wireshark at parsing
> Kerberos packets).
>
> From Windows DC:
>
> - Kerberos: AS Response
> + Length: Length = 2890
> - AsRep: Kerberos AS Response
> + ApplicationTag:
> - KdcRep: KRB_AS_REP (11)
> + SequenceHeader:
> + Tag0:
> + PvNo: 5
> + Tag1:
> + MsgType: KRB_AS_REP (11)
> + Tag2:
> - Padata:
> + SequenceOfHeader:
> - PaData: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
> + SequenceHeader:
> + Tag1:
> + PaDataType: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
> + Tag2:
> + OctetStringHeader:
> - PkAsRepOld:
> + Tag1:
> - EncKeyPack:
> + SequenceHeader:
> + ContentType: IdEnvelopedData (1.2.840.113549.1.7.3)
> + Tag0:
> - Content: 0x1
> - IdEnvelopedData: 0x1
> + SequenceHeader:
> + Version: v0 (0)
> - RecipientInfos:
> + SetOfHeader:
> - Info:
> - Ktri:
> + SequenceHeader:
> + Version: v0 (0)
> - RId:
> - IssuerAndSerialNumber:
> + SequenceHeader:
> + Issuer: ru,neyvabank,CA
> + SerialNumber: 1077249724
> + KeyEncryptionAlgorithm: RsaEncryption (1.2.840.113549.1.1.1)
>
> From Samba:
>
> - Kerberos: AS Response
> + Length: Length = 2960
> - AsRep: Kerberos AS Response
> + ApplicationTag:
> - KdcRep: KRB_AS_REP (11)
> + SequenceHeader:
> + Tag0:
> + PvNo: 5
> + Tag1:
> + MsgType: KRB_AS_REP (11)
> + Tag2:
> - Padata:
> + SequenceOfHeader:
> - PaData: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
> + SequenceHeader:
> + Tag1:
> + PaDataType: PA-PK-AS-REP_OLD/ PA_PK_AS_REQ_WINDOWS_OLD/ PA_PK_AS_REP_WINDOWS_OLD (15)
> + Tag2:
> + OctetStringHeader:
> - PkAsRepOld:
> + Tag1:
> - EncKeyPack:
> + SequenceHeader:
> + ContentType: IdEnvelopedData (1.2.840.113549.1.7.3)
> + Tag0:
> - Content: 0x1
> - IdEnvelopedData: 0x1
> + SequenceHeader:
> + Version: v0 (0)
> - RecipientInfos:
> + SetOfHeader:
> - Info:
> - Ktri:
> + SequenceHeader:
> + Version: v0 (0)
> - RId:
> + SubjectKeyIdentifier:
> + KeyEncryptionAlgorithm: RsaEncryption (1.2.840.113549.1.1.1)

--
Michael Wood <esiot...@gmail.com>
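The RFC 3852 section 6.2.1 rule quoted in the message (KeyTransRecipientInfo version 0 with issuerAndSerialNumber, version 2 with subjectKeyIdentifier) can be checked directly on the DER of the recipient info. The following is an added example, not code from the thread, Heimdal or Samba; the sample KeyTransRecipientInfo values are constructed here with a placeholder issuer name, serial number, key identifier and encrypted key, and the minimal DER reader assumes single-byte tags and definite lengths.

```python
"""Conformance check for KeyTransRecipientInfo.version vs. rid choice (RFC 3852 6.2.1)."""


def _tlv(tag, value):
    """Build a DER TLV with a short-form length (enough for these constructed samples)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def _read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value, next_pos). Single-byte tags only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form definite length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def check_ktri_version(der):
    """Parse a KeyTransRecipientInfo and return (version, rid_choice, conforms)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("KeyTransRecipientInfo must be a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)          # version CMSVersion (INTEGER)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    tag, _, _ = _read_tlv(body, pos)            # rid RecipientIdentifier
    if tag == 0x30:                              # SEQUENCE -> IssuerAndSerialNumber
        choice, expected = "issuerAndSerialNumber", 0
    elif tag == 0x80:                            # [0] IMPLICIT -> SubjectKeyIdentifier
        choice, expected = "subjectKeyIdentifier", 2
    else:
        raise ValueError(f"unexpected rid tag 0x{tag:02x}")
    return version, choice, version == expected


# Constructed sample components (placeholder values, not taken from real traffic).
RSA_ENCRYPTION = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
ENC_KEY = _tlv(0x04, b"\xde\xad\xbe\xef")
ISSUER_NAME = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0c, b"CA"))))
IAS_RID = _tlv(0x30, ISSUER_NAME + _tlv(0x02, b"\x05"))   # issuerAndSerialNumber
SKI_RID = _tlv(0x80, bytes(range(1, 5)))                   # [0] IMPLICIT SubjectKeyIdentifier


def build_ktri(version, rid):
    """Assemble a KeyTransRecipientInfo SEQUENCE from a version and a rid choice."""
    return _tlv(0x30, _tlv(0x02, bytes([version])) + rid + RSA_ENCRYPTION + ENC_KEY)


if __name__ == "__main__":
    print(check_ktri_version(build_ktri(0, IAS_RID)))   # Windows DC style: conforms
    print(check_ktri_version(build_ktri(0, SKI_RID)))   # shape reported for Heimdal: does not
```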