[Samba] Smart card logon - Samba


Thread: [Samba] Smart card logon

  1. [Samba] Smart card logon

    Hi all

    Is it possible to perform a logon from an XP workstation to a Samba3+LDAP managed domain with
    a smartcard? I've read somewhere that this is not possible with Samba3, but /could/ be
    possible with the Samba4 package.

    Thanks

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Smart card logon

    Quoting Asier Baranguán :

    > Hi all
    >
    > Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
    > managed domain with a smartcard? I've read somewhere that this is not
    > possible with Samba3, but /could/ be possible with the Samba4 package.
    >
    > Thanks

    Although I have never tried it, it should be possible by configuring
    Samba for PAM authentication
    (http://www.samba.org/samba/docs/man/...ction/pam.html)
    and using an appropriate PAM module, such as
    http://www.opensc-project.org/pam_p11/

    Even if PAM P11 is not ready for Samba use, it shouldn't be too
    difficult (and take this with a grain of salt, given that PAM is
    mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"
    PAM P11 and one of the PAM modules included in Samba currently (PAM
    password, PAM Winbind, etc).

    --
    Pau Garcia i Quiles
    http://www.elpauer.org
    (Due to my workload, I may need 10 days to answer)


  3. Re: [Samba] Smart card logon

    Quoting "Douglas E. Engert" :

    > Pau Garcia i Quiles wrote:
    >> Quoting Asier Baranguán :
    >>
    >>> Hi all
    >>>
    >>> Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
    >>> managed domain with a smartcard? I've read somewhere that this is not
    >>> possible with Samba3, but /could/ be possible with the Samba4 package.
    >>>
    >>> Thanks
    >>
    >> Although I have never tried it, it should be possible by
    >> configuring Samba for PAM authentication
    >> (http://www.samba.org/samba/docs/man/...ction/pam.html) and
    >> using an appropriate PAM module, such as
    >> http://www.opensc-project.org/pam_p11/
    >
    > Actually what you want is the Kerberos PKINIT and a pam_krb5 that
    > understands PKINIT and can talk to a PKCS#11. Heimdal Kerberos
    > is part of newer versions of Samba. The Heimdal KDC then
    > accepts the PKINIT and returns Kerberos tickets. This is essentially
    > what Windows AD does today with smart card login. You log in to the
    > domain.
    >
    > The OpenSC and many other smart card pam logins only log you into the
    > local machine, not the domain.


    Good to know PAM_KRB5 exists and can log into Samba.

    I was thinking of a much simpler solution consisting of chaining two
    PAM modules: PAM P11 would get the credentials from the Smartcard and
    PAM Winbind or whatever would check they are valid.

    > See http://www.eyrie.org/~eagle/software/pam-krb5/
    > for a pam_krb5 that works with Heimdal and PKINIT.
    >
    > PKINIT
    > http://www.ietf.org/rfc/rfc4557.txt
    >
    >> Even if PAM P11 is not ready for Samba use, it shouldn't be too
    >> difficult (and take this with a grain of salt, given that PAM is
    >> mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"
    >> PAM P11 and one of the PAM modules included in Samba currently
    >> (PAM password, PAM Winbind, etc).
    >
    > PAM Winbind probably needs some updates to have it use the Heimdal
    > PKINIT and the PKCS#11.
    >
    > --
    > Douglas E. Engert
    > Argonne National Laboratory
    > 9700 South Cass Avenue
    > Argonne, Illinois 60439
    > (630) 252-5444

    --
    Pau Garcia i Quiles
    http://www.elpauer.org
    (Due to my workload, I may need 10 days to answer)


  4. Re: [Samba] Smart card logon

    Pau Garcia i Quiles wrote:
    > Quoting Asier Baranguán :
    >
    >> Hi all
    >>
    >> Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
    >> managed domain with a smartcard? I've read somewhere that this is not
    >> possible with Samba3, but /could/ be possible with the Samba4 package.
    >>
    >> Thanks
    >
    > Although I have never tried it, it should be possible by configuring
    > Samba for PAM authentication
    > (http://www.samba.org/samba/docs/man/...ction/pam.html)
    > and using an appropriate PAM module, such as
    > http://www.opensc-project.org/pam_p11/


    Actually what you want is the Kerberos PKINIT and a pam_krb5 that
    understands PKINIT and can talk to a PKCS#11. Heimdal Kerberos
    is part of newer versions of Samba. The Heimdal KDC then
    accepts the PKINIT and returns Kerberos tickets. This is essentially
    what Windows AD does today with smart card login. You log in to the
    domain.

    The OpenSC and many other smart card pam logins only log you into the
    local machine, not the domain.

    See http://www.eyrie.org/~eagle/software/pam-krb5/
    for a pam_krb5 that works with Heimdal and PKINIT.

    PKINIT
    http://www.ietf.org/rfc/rfc4557.txt

    >
    > Even if PAM P11 is not ready for Samba use, it shouldn't be too
    > difficult (and take this with a grain of salt, given that PAM is mystic
    > per se :-) to produce a new PAM-Samba-Smartcard by "merging" PAM P11 and
    > one of the PAM modules included in Samba currently (PAM password, PAM
    > Winbind, etc).

    PAM Winbind probably needs some updates to have it use the Heimdal
    PKINIT and the PKCS#11.


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

  5. Re: [Samba] Smart card logon

    Pau Garcia i Quiles wrote:
    > Quoting "Douglas E. Engert" :
    >
    >> Pau Garcia i Quiles wrote:
    >>> Quoting Asier Baranguán :
    >>>
    >>>> Hi all
    >>>>
    >>>> Is it possible to perform a logon from an XP workstation to a Samba3+LDAP
    >>>> managed domain with a smartcard? I've read somewhere that this is not
    >>>> possible with Samba3, but /could/ be possible with the Samba4 package.
    >>>>
    >>>> Thanks
    >>>
    >>> Although I have never tried it, it should be possible by configuring
    >>> Samba for PAM authentication
    >>> (http://www.samba.org/samba/docs/man/...ction/pam.html)
    >>> and using an appropriate PAM module, such as
    >>> http://www.opensc-project.org/pam_p11/
    >>
    >> Actually what you want is the Kerberos PKINIT and a pam_krb5 that
    >> understands PKINIT and can talk to a PKCS#11. Heimdal Kerberos
    >> is part of newer versions of Samba. The Heimdal KDC then
    >> accepts the PKINIT and returns Kerberos tickets. This is essentially
    >> what Windows AD does today with smart card login. You log in to the
    >> domain.
    >>
    >> The OpenSC and many other smart card pam logins only log you into the
    >> local machine, not the domain.
    >
    > Good to know PAM_KRB5 exists and can log into Samba.


    I have not tried this. In theory it should. I have earlier tried pam_krb5
    with Heimdal clients and OpenSC smart cards to AD.

    >
    > I was thinking of a much simpler solution consisting of chaining two PAM
    > modules: PAM P11 would get the credentials from the Smartcard and PAM
    > Winbind or whatever would check they are valid.
    >


    The key point is "check they are valid". The Winbind client cannot
    be trusted, only the DC. This is the point of PKINIT: the DC is verifying
    the credentials.


    >> See http://www.eyrie.org/~eagle/software/pam-krb5/
    >> for a pam_krb5 that works with Heimdal and PKINIT.
    >>
    >> PKINIT
    >> http://www.ietf.org/rfc/rfc4557.txt
    >>
    >>> Even if PAM P11 is not ready for Samba use, it shouldn't be too
    >>> difficult (and take this with a grain of salt, given that PAM is
    >>> mystic per se :-) to produce a new PAM-Samba-Smartcard by "merging"
    >>> PAM P11 and one of the PAM modules included in Samba currently (PAM
    >>> password, PAM Winbind, etc).
    >>
    >> PAM Winbind probably needs some updates to have it use the Heimdal
    >> PKINIT and the PKCS#11.
    >>
    >> --
    >> Douglas E. Engert
    >> Argonne National Laboratory
    >> 9700 South Cass Avenue
    >> Argonne, Illinois 60439
    >> (630) 252-5444

    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
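    The two trust models argued over in Douglas Engert's replies (posts 4 and 5) can be shown side by side in code. The following Python model is an added example, not code from Samba, Heimdal, pam-krb5, OpenSC or any poster here. It assumes a textbook RSA toy with fixed small primes and no padding (insecure, illustration only), a constructed PKI with a CA named "Example Root CA", a card identity alice@example.com and a realm EXAMPLE.COM; none of those names come from the thread. In the PKINIT-style path every check runs on the KDC/DC side against material the KDC trusts; in the pam_p11-style path the workstation checks the card and the domain receives only an assertion it has no key to verify.

```python
"""Constructed model of the trust argument in this thread: with PKINIT the
KDC/DC itself verifies the card's certificate and signed request; with a
workstation-local PAM check the DC only gets the workstation's word.
The toy RSA (fixed small primes, no padding) is NOT secure and NOT real PKINIT."""
import hashlib
import json
import os
import time
from dataclasses import dataclass

E = 65537  # public exponent of the toy keys

def toy_keypair(p, q):
    # ((n, e), (n, d)) from two primes; constructed, illustration only
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str   # identity on the card (a UPN in AD's case)
    pub: tuple
    issuer: str
    sig: int       # CA signature over (subject, pub)

def cert_body(subject, pub):
    return json.dumps([subject, pub]).encode()

def issue_cert(ca_name, ca_priv, subject, pub):
    return Cert(subject, pub, ca_name, sign(ca_priv, cert_body(subject, pub)))

def req_body(req):
    return json.dumps([req["principal"], req["nonce"], req["timestamp"]]).encode()

class KDC:
    """DC/KDC side of a PKINIT-style AS exchange: the server does the checking."""
    def __init__(self, realm, trusted_ca_pub, principal_map, max_skew=300):
        self.realm, self.trusted_ca_pub = realm, trusted_ca_pub
        self.principal_map, self.max_skew = principal_map, max_skew

    def as_req(self, req):
        cert = req["cert"]
        if not verify(self.trusted_ca_pub, cert_body(cert.subject, cert.pub), cert.sig):
            raise PermissionError("client certificate not issued by the trusted CA")
        if self.principal_map.get(cert.subject) != req["principal"]:
            raise PermissionError("certificate subject does not map to requested principal")
        if abs(int(time.time()) - req["timestamp"]) > self.max_skew:
            raise PermissionError("request timestamp outside the allowed clock skew")
        if not verify(cert.pub, req_body(req), req["sig"]):
            raise PermissionError("signature on the AS-REQ does not verify with the cert key")
        return {"principal": req["principal"], "realm": self.realm, "nonce": req["nonce"]}

def pkinit_as_req(card_priv, cert, principal):
    # Client side: the card signs (principal, nonce, timestamp); the KDC checks it itself
    body = {"principal": principal, "nonce": int.from_bytes(os.urandom(4), "big"),
            "timestamp": int(time.time())}
    return {**body, "cert": cert, "sig": sign(card_priv, req_body(body))}

def try_pkinit_logon(kdc, card_priv, cert, principal):
    try:
        return "ticket", kdc.as_req(pkinit_as_req(card_priv, cert, principal))
    except PermissionError as exc:
        return "rejected", str(exc)

def local_only_logon(card_priv, cert):
    """pam_p11-style: the workstation challenges the card and asserts 'user X
    is logged in'; the result carries nothing a DC could verify on its own."""
    challenge = os.urandom(16)
    if not verify(cert.pub, challenge, sign(card_priv, challenge)):
        return None
    return {"user": cert.subject, "verified_by": "workstation"}

def build_env():
    # Constructed sample PKI: a trusted CA, an untrusted CA and one card
    ca_pub, ca_priv = toy_keypair(1000000007, 998244353)
    _, rogue_priv = toy_keypair(1000000021, 1000000033)
    alice_pub, alice_priv = toy_keypair(999999937, 1000000009)
    kdc = KDC("EXAMPLE.COM", ca_pub, {"alice@example.com": "alice@EXAMPLE.COM"})
    cert = issue_cert("Example Root CA", ca_priv, "alice@example.com", alice_pub)
    rogue_cert = issue_cert("Untrusted CA", rogue_priv, "alice@example.com", alice_pub)
    return kdc, alice_priv, cert, rogue_cert

def demo():
    kdc, priv, cert, rogue_cert = build_env()
    return {
        "legit": try_pkinit_logon(kdc, priv, cert, "alice@EXAMPLE.COM"),
        "rogue_ca": try_pkinit_logon(kdc, priv, rogue_cert, "alice@EXAMPLE.COM"),
        "wrong_principal": try_pkinit_logon(kdc, priv, cert, "bob@EXAMPLE.COM"),
        "local_only": local_only_logon(priv, cert),
    }
```

    Running `demo()` gives a ticket for the genuine request and rejections for a certificate from a CA the KDC does not trust and for a certificate whose subject does not map to the requested principal; a request whose signed fields are altered in transit also fails at the signature check. The `local_only_logon` result, by contrast, is just a dictionary saying who the workstation believes is logged in, which is why the thread concludes that only the DC (via PKINIT, RFC 4557) can do the verification.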

  6. Re: [Samba] Smart card logon

    Douglas E. Engert wrote:

    >>> The OpenSC and many other smart card pam logins only log you into the
    >>> local machine, not the domain.
    >>
    >> Good to know PAM_KRB5 exists and can log into Samba.
    >
    > I have not tried this. In theory it should. I have earlier tried
    > pam_krb5
    > with Heimdal clients and OpenSC smart cards to AD.


    So there's no option to make it "the easy way". Well, we'll wait for Samba4.

    Thanks



  7. Re: [Samba] Smart card logon


    On Thu, 2008-01-31 at 13:15 +0100, Asier Baranguán wrote:
    > Douglas E. Engert wrote:
    >
    > >>> The OpenSC and many other smart card pam logins only log you into the
    > >>> local machine, not the domain.
    > >>
    > >> Good to know PAM_KRB5 exists and can log into Samba.
    > >
    > > I have not tried this. In theory it should. I have earlier tried
    > > pam_krb5
    > > with Heimdal clients and OpenSC smart cards to AD.
    >
    > So there's no option to make it "the easy way". Well, we'll wait for Samba4.


    I would love to work with someone to try and get smart card logins to
    work with Samba4.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.


  8. Re: [Samba] Smart card logon

    Andrew Bartlett wrote:

    >>> with Heimdal clients and OpenSC smart cards to AD.
    >> So there's no option to make it "the easy way". Well, we'll wait for Samba4.
    >
    > I would love to work with someone to try and get smart card logins to
    > work with Samba4.


    I'm not a coder (almost in C), but have the time and need for trying smartcard logon with
    Samba. I have all the tools and software needed: smartcards+usb readers, usb tokens, PKI
    infrastructure... how can I help?
