Samba4 ADDC /w Windows SC login


Samba4 ADDC /w Windows SC login

Restemayer
I'm setting up a small dental office with smartcard authentication for their computers for convenience, security, and to meet HIPAA requirements for tracking logins.  I'm using a samba Active Directory setup because at this point, spending $1000 on a copy of the latest Windows Server isn't an option.  I am currently on my 4th attempt at it.  Previously, I was compiling it from source on Ubuntu, but for this next attempt I'm going with a Univention VMware image instead to hopefully make it go a little faster.
 
So, basically, every time, the Active Directory system seems to work fine.  The domain exists, I can log into it, and can access it through RSAT... at least for those functions that exist in a Samba setup, anyway.  Where I'm running into a roadblock is with the certificates.  I've set up my own CA, been slogging through this (https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login) verbatim (other than changing the necessary stuff to make it for my domain, obviously)... and when I go to login, it doesn't work.  The best I can tell, it recognizes the certificate I've put on the card, it recognizes the root CA certificate, but it can't find the DC certificate.  That is what certutil -dcinfo kicks back anyway: "KDC Certificate not found".  I've tried publishing the DC certificate.  I've tried manually putting it into the enterprise stores.  I've tried putting it into the group policy system.  I've tried fiddling with the auto-enrollment system (turning it on... turning it off).  Nothing works.  I am completely out of ideas here.
 
Any thoughts?

Re: Samba4 ADDC /w Windows SC login

Restemayer
So, nothing, huh?

Can't help?

Need more information?

Go pound sand?

Re: Samba4 ADDC /w Windows SC login

Samba - General mailing list
In reply to this post by Restemayer
On Wed, 2016-08-17 at 08:27 -0700, Restemayer via samba wrote:

> I'm setting up a small dental office with smartcard authentication for their
> computers for convenience, security, and to meet HIPAA requirements for
> tracking logins.  I'm using a samba Active Directory setup because at this
> point, spending $1000 on a copy of the latest Windows Server isn't an
> option.  I am currently on my 4th attempt at it.  Previously, I was
> compiling it from source on Ubuntu, but for this next attempt I'm going with
> a Univention VMware image instead to hopefully make it go a little faster.
>

> I am completely out of ideas here.
>
> Any thoughts?

Samba 4.5 may help, as metze (CC'ed) did a pile of work on smart card
logins for this release. 

Smart card login is a fairly unusual use of the AD DC, but while few
folks use it, it is expected to work.

Are you sure the certificates and keys are correctly set in the
krb5.conf?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba

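Andrew's question points at the PKINIT settings in the DC's krb5.conf. The script below is an added example, not code from this thread or from Samba: it parses the Heimdal-style [kdc] section the Samba smart-card wiki configures and reports whether enable-pkinit, pkinit_identity and pkinit_anchors are set and whether the PEM files they name are readable and contain a certificate, a private key and a CA certificate. The config layout and file paths are assumptions; it does not validate the certificates themselves (EKU, SAN, chain), so a clean result only means the KDC can find what the config points at.

```python
"""Sanity-check the Heimdal [kdc] PKINIT keys in a Samba AD DC's krb5.conf.
Added example (standard library only), not code from this thread or from
Samba: it checks enable-pkinit, pkinit_identity and pkinit_anchors and that
the PEM files they name are readable and hold a certificate / key / CA."""
import re

def parse_krb5_conf(text):
    """Parse '[section]' and 'key = value' lines; nested { } blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        depth += line.count('{') - line.count('}')
        if depth > 0 or current is None or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        sections[current][key] = value
    return sections

def pem_labels(path, read):
    """BEGIN labels found in the PEM file at path ([] if it cannot be read)."""
    try:
        return re.findall(r'-----BEGIN ([A-Z ]+)-----', read(path))
    except OSError:
        return []

def check_kdc_pkinit(conf, read=lambda p: open(p, 'r').read()):
    """Return a list of problems; an empty list means the [kdc] PKINIT setup
    looks usable. 'read' is injectable so tests can supply in-memory files."""
    kdc, problems = conf.get('kdc', {}), []
    if kdc.get('enable-pkinit', '').lower() not in ('yes', 'true'):
        problems.append('enable-pkinit is not yes')
    ident = kdc.get('pkinit_identity', '')
    if not ident.startswith('FILE:'):
        problems.append('pkinit_identity missing or not FILE:cert[,key]')
    else:  # certificate and key may be one file or two comma-separated files
        labels = sum((pem_labels(p, read) for p in ident[5:].split(',')), [])
        if 'CERTIFICATE' not in labels:
            problems.append('pkinit_identity: no readable PEM certificate')
        if not any('PRIVATE KEY' in l for l in labels):
            problems.append('pkinit_identity: no readable PEM private key')
    anchors = kdc.get('pkinit_anchors', '')
    if not anchors.startswith('FILE:') or 'CERTIFICATE' not in pem_labels(anchors[5:], read):
        problems.append('pkinit_anchors missing or CA certificate unreadable')
    return problems
```

Run it against the DC's own krb5.conf with `check_kdc_pkinit(parse_krb5_conf(open('/etc/krb5.conf').read()))`; each returned string names one setting to fix before re-testing the smart-card login.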

Re: Samba4 ADDC /w Windows SC login

Restemayer
As far as I know, yes.  Granted, active directory structure and making my own certificate authority hierarchy is new territory for me, so I could be missing or misinterpreting a step in the setup.  I'm actually going to rebuild it today from scratch.  Compile from source on a fresh Fedora install.  I'll log everything I do so if (when) it fails again, I'll start posting my process on here to see if you guys can tell me where I'm dropping the ball on this.  Thanks.