Samba4: SamLogonWithFlags on RPCNetlogon - Samba


Thread: Samba4: SamLogonWithFlags on RPCNetlogon

  1. Samba4: SamLogonWithFlags on RPCNetlogon

    Dear all,

    I installed Samba4 alpha4, and now I am trying Windows Smart-Card Logon to Samba4-DC.

    I arranged a server and user certificates referring to the Heimdal web site.

    And now, I am testing Samba's netlogon process.
    Samba makes responses to the netlogon requests such as "ServerReqChallenge", "ServerAuthenticate3", and "LogonGetDomainInfo".
    However, when a client Windows machine sent a "LogonSamLogonWithFlags" request to the Samba DC, it did not make a response.

    In my smbd.log, I found the following message:
    ndr_pull_error(2): Bad switch value 4

    And I found that this message was generated in the function "ndr_pull_netr_LogonLevel()" called by the function "ndr_pull_netr_LogonSamLogonWithFlags()" in "librpc/gen_ndr/ndr_netlogon.c".
    In the logon-level function, there is no "case 4".
    I copied the "case 6" part to a "case 4" part, but it did not work well.

    Would you please give me some advice?

    Best regards

    Takeshi Higashizaki


  2. Re: Samba4: SamLogonWithFlags on RPCNetlogon

    On Tue, 2008-06-24 at 19:36 +0900, 西崎 隆志 wrote:
    > Dear all,
    >
    > I installed Samba4 alpha4, and now I am trying Windows Smart-Card Logon to Samba4-DC.


    Very interesting!

    > I arranged a server and user certificates referring to the Heimdal web site.
    >
    > And now, I am testing Samba's netlogon process.
    > Samba makes responses to the netlogon requests such as "ServerReqChallenge", "ServerAuthenticate3", and "LogonGetDomainInfo".
    > However, when a client Windows machine sent a "LogonSamLogonWithFlags" request to the Samba DC, it did not make a response.
    >
    > In my smbd.log, I found the following message:
    > ndr_pull_error(2): Bad switch value 4


    It looks like we need to implement 'generic package logons'.

    > And I found that this message was generated in the function "ndr_pull_netr_LogonLevel()" called by the function "ndr_pull_netr_LogonSamLogonWithFlags()" in "librpc/gen_ndr/ndr_netlogon.c".
    > In the logon-level function, there is no "case 4".
    > I copied the "case 6" part to a "case 4" part, but it did not work well.
    >
    > Would you please give me some advice?


    So, looking at the Microsoft WSPP docs, this looks quite sane to manage.

    (The WSPP docs are at
    http://msdn.microsoft.com/en-us/library/cc197979.aspx)

    Implementing the IDL is the easy part. See MS-NRPC section 2.2.1.4.2.

    However, this is just a wrapper (see MS-APDS), so you need to implement
    MS-RCMP. None of these protocols look particularly difficult. Indeed
    if this is the main task, then getting Samba4 to accept smart card login
    may be quite simple.

    I suggest using Heimdal's X.509 library to parse the certificate, if
    possible.

    I'm really keen to see this happen, so please let me know how you would
    like to work on this - would you like to have a go, or does the above
    look just a bit too complex?

    Is there a file-based certificate system for windows, that I can use for
    testing?

    Thanks!

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.

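Added example (not part of the thread, and not Samba's generated ndr_netlogon.c): a simplified C decoder for a level-switched union, showing where a "Bad switch value" error comes from and why level 4 needs its own arm with its own bounds checks rather than a copy of another case. The wire layout, type names and function names are constructed for illustration and are not real NDR.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum pull_status { PULL_OK, PULL_BAD_SWITCH, PULL_BAD_LENGTH, PULL_ARM_OMITTED };

/* Simplified stand-in for the level-4 (generic) arm: package name + opaque data. */
struct generic_info {
    char package[32];
    uint32_t data_len;
    const uint8_t *data;              /* points into the caller's buffer */
};

/* Constructed sample message: level 4, package "Kerberos", 3 data bytes. */
static const uint8_t SAMPLE[] = { 4,0,0,0, 8,0,0,0, 'K','e','r','b','e','r','o','s',
                                  3,0,0,0, 0xAA,0xBB,0xCC };

/* Read a little-endian u32, refusing to read past the end of the buffer. */
static int pull_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v)
{
    if (*off > len || len - *off < 4) return -1;
    *v = (uint32_t)b[*off] | (uint32_t)b[*off + 1] << 8 |
         (uint32_t)b[*off + 2] << 16 | (uint32_t)b[*off + 3] << 24;
    *off += 4;
    return 0;
}

/* Constructed layout (NOT real NDR): u32 level; for level 4:
 * u32 name_len, name bytes, u32 data_len, data bytes. */
enum pull_status pull_logon_level(const uint8_t *b, size_t len, struct generic_info *g)
{
    size_t off = 0;
    uint32_t level, n;

    if (pull_u32(b, len, &off, &level)) return PULL_BAD_LENGTH;
    switch (level) {
    case 1: case 2: case 3: case 5: case 6: case 7:
        return PULL_ARM_OMITTED;      /* other arms have other layouts; not shown */
    case 4:                           /* the arm the thread found missing */
        if (pull_u32(b, len, &off, &n)) return PULL_BAD_LENGTH;
        if (n >= sizeof(g->package) || n > len - off) return PULL_BAD_LENGTH;
        memcpy(g->package, b + off, n);
        g->package[n] = '\0';
        off += n;
        if (pull_u32(b, len, &off, &g->data_len)) return PULL_BAD_LENGTH;
        if (g->data_len > len - off) return PULL_BAD_LENGTH;  /* sender-controlled length */
        g->data = b + off;
        return PULL_OK;
    default:                          /* unknown discriminant: reject, never guess a layout */
        return PULL_BAD_SWITCH;
    }
}
```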


  3. RE: Samba4: SamLogonWithFlags on RPCNetlogon

    Dear Andrew,

    > So, looking at the Microsoft WSPP docs, this looks quite sane to manage.
    > (The WSPP docs are at
    > http://msdn.microsoft.com/en-us/library/cc197979.aspx)
    >
    > Implementing the IDL is the easy part. See MS-NRPC section 2.2.1.4.2.
    >
    > However, this is just a wrapper (see MS-APDS), so you need to implement
    > MS-RCMP. None of these protocols look particularly difficult. Indeed
    > if this is the main task, then getting Samba4 to accept smart card login
    > may be quite simple.

    Thank you very much for your advice.
    I wanted to know this information.

    > I'm really keen to see this happen, so please let me know how you would
    > like to work on this - would you like to have a go, or does the above
    > look just a bit too complex?

    It looks a bit complex for me, but very interesting.
    So I will have a go at this implementation.
    If I bump into a problem while at work or get a good result, I'll e-mail this list.

    > Is there a file-based certificate system for windows, that I can use for
    > testing?

    I'm sorry but I have no public system because of my company's policy.

    Thanks,

    Takeshi Higashizaki


  4. RE: Samba4: SamLogonWithFlags on RPCNetlogon

    On Wed, 2008-06-25 at 11:52 +0900, 西崎 隆志 wrote:
    > Dear Andrew,
    >
    > > So, looking at the Microsoft WSPP docs, this looks quite sane to manage.
    > > (The WSPP docs are at
    > > http://msdn.microsoft.com/en-us/library/cc197979.aspx)
    > >
    > > Implementing the IDL is the easy part. See MS-NRPC section 2.2.1.4.2.
    > >
    > > However, this is just a wrapper (see MS-APDS), so you need to implement
    > > MS-RCMP. None of these protocols look particularly difficult. Indeed
    > > if this is the main task, then getting Samba4 to accept smart card login
    > > may be quite simple.

    > Thank you very much for your advice.
    > I wanted to know this information.
    >
    > > I'm really keen to see this happen, so please let me know how you would
    > > like to work on this - would you like to have a go, or does the above
    > > look just a bit too complex?

    > It looks a bit complex for me, but very interesting.
    > So I will have a go at this implementation.
    > If I bump into a problem while at work or get a good result, I'll e-mail this list.


    Please do. I am very willing to help - I don't mind doing all the work,
    if that is what it takes to get this feature, but naturally this means I
    can't get as many other things done. Without knowing you, it is hard to
    know what your skills are.

    > > Is there a file-based certificate system for windows, that I can use for
    > > testing?

    > I'm sorry but I have no public system because of my company's policy.


    You misunderstand me, and I was unclear. I would love to set up
    Samba4 in a similar way, and while I can use physical tokens and the
    dogtag software from pki.fedoraproject.org, these might be painful to
    use in a Virtual Machine. If you have any hints on how I might be able
    to test without using hardware tokens, I would appreciate it.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.



  5. RE: Samba4: SamLogonWithFlags on RPCNetlogon

    Dear Andrew,

    > You misunderstand me, and I was unclear. I would love to set up
    > Samba4 in a similar way, and while I can use physical tokens and the
    > dogtag software from pki.fedoraproject.org, these might be painful to
    > use in a Virtual Machine. If you have any hints on how I might be
    > able to test without using hardware tokens, I would appreciate it.

    I'm sorry but I cannot give you any hints.
    I use physical tokens with the software by the token vendor, and my experimental client machine is a real machine.
    During the experiment, I insert the token into the machine iteratively.

    Takeshi Higashizaki


  6. RE: Samba4: SamLogonWithFlags on RPCNetlogon

    On Wed, 2008-06-25 at 12:45 +0900, 西崎 隆志 wrote:
    > Dear Andrew,
    >
    > > You misunderstand me, and I was unclear. I would love to set up
    > > Samba4 in a similar way, and while I can use physical tokens and the
    > > dogtag software from pki.fedoraproject.org, these might be painful to
    > > use in a Virtual Machine. If you have any hints on how I might be
    > > able to test without using hardware tokens, I would appreciate it.

    > I'm sorry but I cannot give you any hints.
    > I use physical tokens with the software by the token vendor, and my experimental client machine is a real machine.
    > During the experiment, I insert the token into the machine iteratively.


    No worries.

    Would it be possible for you to write a wiki page on wiki.samba.org
    listing the steps you took? That will help me and others trying to
    replicate this.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.



  7. RE: Samba4: SamLogonWithFlags on RPCNetlogon

    Dear Andrew,

    > Would it be possible for you to write a wiki page on wiki.samba.org
    > listing the steps you took? That will help me and others trying to
    > replicate this.

    Of course I will!
    I registered my account, and I'll write my steps on the following page.
    http://wiki.samba.org/index.php/User...hi_Higashizaki
    Or should I edit another page?

    Thanks,

    Takeshi Higashizaki


  8. RE: Samba4: SamLogonWithFlags on RPCNetlogon

    On Wed, 2008-06-25 at 14:07 +0900, 西崎 隆志 wrote:
    > Dear Andrew,
    >
    > > Would it be possible for you to write a wiki page on wiki.samba.org
    > > listing the steps you took? That will help me and others trying to
    > > replicate this.

    > Of course I will!
    > I registered my account, and I'll write my steps on the following page.
    > http://wiki.samba.org/index.php/User...hi_Higashizaki
    > Or should I edit another page?


    Please put it here:

    http://wiki.samba.org/index.php/Samba4/Smart_Card_Login

    Andrew Bartlett
    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.


