Re: [Samba] Fwd: Re: Samba 4 Smart card logon
I didn't know I couldn't use kadmin. It makes sense now.

What I tried is to start with the Heimdal config from the start. I did:

cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

to get the generated krb5.conf. Restarted Samba and checked kinit, which worked correctly. I cleared the ticket cache with kdestroy.

I then changed /etc/krb5.conf to:

[libdefaults]
    default_realm = SERVER.CENTOSDOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = true

[appdefaults]
    pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem

[realms]
    SERVER.CENTOSDOMAIN = {
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = true
        pkinit_win2k = yes
        pkinit_win2k_require_binding = no
    }

[kdc]
    enable_pkinit = yes
    pkinit_identify = FILE:/home/virusakos/Downloads/server.centosdomain.pem
    pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
    pkinit_win2k_require_binding = yes
    pkinit_principal_in_certificate = yes

I created /usr/local/samba/var/heimdal/pki-mapping with contents:

virusakos@SERVER.CENTOSDOMAIN:C=GR,O=Byte Computers,CN=virusakos,UID=virusakos
virusakos@SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos

Restarted Samba and checked kinit without any options, which worked correctly. I cleared the ticket cache with kdestroy and then tried the following:

/opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virus.pem virusakos@SERVER.CENTOSDOMAIN

There is no virus.pem, so obviously I got:

samba4kinit: krb5_get_init_creds_opt_set_pkinit: Failed to init cert certs: Failed to open PEM file /home/virusakos/Downloads/virus.pem: No such file or directory

Trying again with the correct certificate file:

/opt/samba-master/bin/samba4kinit --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/virusakos.pem virusakos@SERVER.CENTOSDOMAIN

Now the error is different:

samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

Any hints for the new error? Does it sound like a configuration error or a certificate error?
Kind Regards,
Charalampos

On 7/4/12 2:39 AM, Andrew Bartlett wrote:
> On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
>> I still have no clue what's going on.
>>
>> In my attempt to find out what's happening, I found out I haven't done either 4.23.1 or 4.23.2 in the Heimdal guide ( http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )
>>
>> So I tried 4.23.2, i.e.:
>>
>> kadmin modify --pkinit-acl=CN=myuser,O=mycompany,C=GR myuser@SERVER.CENTOSDOMAIN
>>
>> and I received this error:
>>
>> kadmin: invalid option -- '-'
>>
>> I then tried to do:
>>
>> kadmin
>>
>> to get into interactive mode so I can issue the modify command, but I receive this error:
>>
>> Authenticating as principal Administrator/admin@SERVER.CENTOSDOMAIN with password.
>> kadmin: Client not found in Kerberos database while initializing kadmin interface
>>
>> I was puzzled with the Administrator/admin, so next I tried:
>>
>> kadmin -p Administrator@SERVER.CENTOSDOMAIN
>>
>> with yet another error:
>>
>> Authenticating as principal Administrator@SERVER.CENTOSDOMAIN with password.
>> kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
>>
>> I also tried enabling debugging by using the instructions in http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html but I don't see any error messages.
>>
>> 1) How can I enable debugging? I'm on CentOS 6.2
>> 2) According to the above, does it look like my installation is broken? Or is there something I am missing?
>
> You can not use kadmin against Samba4 (we just don't expose the interfaces needed, sorry), and the configuration we test in our selftest doesn't need it.
>
> This can all be done with just config file entries.
>
> Andrew Bartlett

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
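Editor's note: the message above is a record of what the poster tried, and the configuration is left exactly as posted. As an added example (not code from the thread, from Samba or from Heimdal), the script below parses a krb5.conf in the Heimdal layout shown above together with a pki-mapping file, and runs the checks a practitioner would make before chasing the "Already tried pkinit, looping" error: whether the [kdc] keys match Heimdal's documented spellings (the documented names are `pkinit_identity`, which names the KDC's own certificate and key, and `enable-pkinit`), whether the client-side and KDC-side `pkinit_anchors` agree, and whether every mapped principal belongs to `default_realm`. The sample inputs are constructed from the configuration posted in the thread. The subject-DN comparison in `find_principal` is a simplification written for this example (order-insensitive RDN set equality); Heimdal's own mapping is done by hx509 and may be stricter, so treat that function as an assumption, not as Heimdal's algorithm.

```python
import difflib

# Constructed sample input: the krb5.conf from the thread, copied as posted
# (including its [kdc] key spellings) so the checker has realistic input.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SERVER.CENTOSDOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = true

[appdefaults]
    pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem

[realms]
    SERVER.CENTOSDOMAIN = {
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = true
        pkinit_win2k = yes
        pkinit_win2k_require_binding = no
    }

[kdc]
    enable_pkinit = yes
    pkinit_identify = FILE:/home/virusakos/Downloads/server.centosdomain.pem
    pkinit_anchors = FILE:/home/virusakos/Downloads/SuperCA.pem
    pkinit_win2k_require_binding = yes
    pkinit_principal_in_certificate = yes
"""

# Constructed sample input: the pki-mapping file from the thread.
SAMPLE_PKI_MAPPING = """\
virusakos@SERVER.CENTOSDOMAIN:C=GR,O=Byte Computers,CN=virusakos,UID=virusakos
virusakos@SERVER.CENTOSDOMAIN:CN=virusakos,UID=virusakos
"""

# [kdc] option names as documented for Heimdal's KDC. Only these are checked;
# any other key is left alone rather than guessed at.
DOCUMENTED_KDC_OPTIONS = (
    "enable-pkinit",
    "pkinit_identity",
    "pkinit_anchors",
    "pkinit_principal_in_certificate",
)


def parse_krb5_conf(text):
    """Parse the krb5.conf layout: [section], key = value, and one level of
    nested 'name = { ... }' blocks as used under [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target[key.strip()] = value.strip()
    return conf


def parse_dn(dn):
    """Split 'C=GR,O=Byte Computers,CN=x' into a set of (ATTR, value) pairs.
    Assumption: no escaped commas or multi-valued RDNs (the thread's DNs have none)."""
    pairs = set()
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.add((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


def parse_pki_mapping(text):
    """Each pki-mapping line is 'principal:subject-DN'. Returns [(principal, dn_pairs)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, _, dn = line.partition(":")
        entries.append((principal.strip(), parse_dn(dn)))
    return entries


def find_principal(entries, subject_dn):
    """Map a certificate subject to a principal (simplified: RDN sets must be
    equal, attribute names compared case-insensitively). Not Heimdal's algorithm."""
    wanted = parse_dn(subject_dn)
    for principal, pairs in entries:
        if pairs == wanted:
            return principal
    return None


def check_pkinit_config(conf, entries):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    kdc = conf.get("kdc", {})

    # 1. [kdc] keys that look like a documented option but are spelled differently.
    for key in kdc:
        if key in DOCUMENTED_KDC_OPTIONS:
            continue
        close = difflib.get_close_matches(key, DOCUMENTED_KDC_OPTIONS, n=1, cutoff=0.8)
        if close:
            findings.append(f"[kdc] '{key}' is not the documented spelling; did you mean '{close[0]}'?")

    # 2. Without pkinit_identity the KDC has no certificate and key of its own to present.
    if "pkinit_identity" not in kdc:
        findings.append("[kdc] has no pkinit_identity, so the KDC has no certificate to present")

    # 3. Client-side anchors ([realms] entry, else [appdefaults]) normally name the
    #    same CA as the KDC-side anchors; report it when they differ.
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realm_cfg = conf.get("realms", {}).get(default_realm, {})
    client_anchors = realm_cfg.get("pkinit_anchors") or conf.get("appdefaults", {}).get("pkinit_anchors")
    if client_anchors and kdc.get("pkinit_anchors") and client_anchors != kdc["pkinit_anchors"]:
        findings.append(f"client pkinit_anchors {client_anchors} differs from [kdc] pkinit_anchors {kdc['pkinit_anchors']}")

    # 4. Every mapped principal should live in the realm this KDC serves.
    for principal, _ in entries:
        if default_realm and not principal.endswith("@" + default_realm):
            findings.append(f"pki-mapping principal {principal} is not in realm {default_realm}")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    entries = parse_pki_mapping(SAMPLE_PKI_MAPPING)
    for finding in check_pkinit_config(conf, entries):
        print("FINDING:", finding)
    print("CN=virusakos,UID=virusakos ->", find_principal(entries, "CN=virusakos,UID=virusakos"))
```

Run against the posted configuration the checker flags `enable_pkinit` and `pkinit_identify` as not matching the documented spellings and notes that no `pkinit_identity` key is present; the anchors agree and both mapping lines are in the default realm. To use it on a real system, replace the two sample strings with the contents of /etc/krb5.conf and the KDC's pki-mapping file.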
[Samba] Fwd: Re: Samba 4 Smart card logon
I still have no clue what's going on.

In my attempt to find out what's happening, I found out I haven't done either 4.23.1 or 4.23.2 in the Heimdal guide ( http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )

So I tried 4.23.2, i.e.:

kadmin modify --pkinit-acl=CN=myuser,O=mycompany,C=GR myuser@SERVER.CENTOSDOMAIN

and I received this error:

kadmin: invalid option -- '-'

I then tried to do:

kadmin

to get into interactive mode so I can issue the modify command, but I receive this error:

Authenticating as principal Administrator/admin@SERVER.CENTOSDOMAIN with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

I was puzzled with the Administrator/admin, so next I tried:

kadmin -p Administrator@SERVER.CENTOSDOMAIN

with yet another error:

Authenticating as principal Administrator@SERVER.CENTOSDOMAIN with password.
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

I also tried enabling debugging by using the instructions in http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html but I don't see any error messages.

1) How can I enable debugging? I'm on CentOS 6.2
2) According to the above, does it look like my installation is broken? Or is there something I am missing?

Kind Regards,
Charalampos

-------- Original Message --------
Subject: Re: [Samba] Samba 4 Smart card logon
Date: Tue, 03 Jul 2012 13:49:06 +0300
From: Charalampos Anargyrou charalampos.anargy...@gmail.com
To: Andrew Bartlett abart...@samba.org
CC: samba@lists.samba.org

Which certificate do you mean? myuser.pem or the Kerberos certificate?

On 7/3/12 12:56 PM, Andrew Bartlett wrote:
> On Tue, 2012-07-03 at 12:25 +0300, Charalampos Anargyrou wrote:
>> Hello Andrew,
>>
>> Thanks for your reply.
>>
>> Yes, I could fill in the wiki if I manage to make it work :-)
>>
>> I'm trying to test the Kerberos configuration with the certificates I have created. I'm getting this error:
>>
>> samba4kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found
>>
>> using this command:
>>
>> samba4kinit --pk-user=FILE:/home/myuser/Downloads/myuser.pem --pk-enterprise
>>
>> Does the error mean my certificates are wrong or does it mean I have not configured Kerberos properly?
>
> My guess is that the client running samba4kinit isn't finding the certificate correctly.
Re: [Samba] Fwd: Re: Samba 4 Smart card logon
On Tue, 2012-07-03 at 17:50 +0300, Charalampos Anargyrou wrote:
> I still have no clue what's going on.
>
> In my attempt to find out what's happening, I found out I haven't done either 4.23.1 or 4.23.2 in the Heimdal guide ( http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html )
>
> So I tried 4.23.2, i.e.:
>
> kadmin modify --pkinit-acl=CN=myuser,O=mycompany,C=GR myuser@SERVER.CENTOSDOMAIN
>
> and I received this error:
>
> kadmin: invalid option -- '-'
>
> I then tried to do:
>
> kadmin
>
> to get into interactive mode so I can issue the modify command, but I receive this error:
>
> Authenticating as principal Administrator/admin@SERVER.CENTOSDOMAIN with password.
> kadmin: Client not found in Kerberos database while initializing kadmin interface
>
> I was puzzled with the Administrator/admin, so next I tried:
>
> kadmin -p Administrator@SERVER.CENTOSDOMAIN
>
> with yet another error:
>
> Authenticating as principal Administrator@SERVER.CENTOSDOMAIN with password.
> kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
>
> I also tried enabling debugging by using the instructions in http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html but I don't see any error messages.
>
> 1) How can I enable debugging? I'm on CentOS 6.2
> 2) According to the above, does it look like my installation is broken? Or is there something I am missing?

You can not use kadmin against Samba4 (we just don't expose the interfaces needed, sorry), and the configuration we test in our selftest doesn't need it.

This can all be done with just config file entries.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org