Web lists-archives.com

Re: [Samba] Revocation with CRL doesn't work for smartcards

On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> Hi,
> I have a smartcard which is revoked in the Certificate Revocation List
> (CRL) but I can still login. Seams like the CRL check is not performed. Any
> known bug around this?
> Server setup:
> - Samba 4.4 on Debian as AD DC
> - Created domain MYDOM
> - smb.conf (extract):
>     tls enabled = yes
>     tls crlfile = tls/mycrl.pem (default is to look under private/ folder)

> CRL:
> - In file system:
> ..../private/tls/mycrl.pem
> > mycrl.pem
> - Contains serial number 0x12ab

The Heimdal code doing the SmartCard stuff doens't know about the
smb.conf, you need to configure this in krb5.conf.

Something like:

 pkinit_revoke = FILE:..../private/tls/mycrl.pem

(Sadly this isn't used in our test scripts, so please test carefully
and research the exact syntax further).


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba