Re: [Samba] Revocation with CRL doesn't work for smartcards
- Date: Thu, 21 Sep 2017 22:08:51 +0200
- From: Peter L via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Revocation with CRL doesn't work for smartcards
Thanks but I've actually tried that too. Not sure I put it in [kdc] section
though, I can try again.
On 21 Sep 2017 at 20:54, "Andrew Bartlett" <abartlet@xxxxxxxxx> wrote:
> On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > Hi,
> > I have a smartcard which is revoked in the Certificate Revocation List
> > (CRL) but I can still login. Seems like the CRL check is not performed.
> > known bug around this?
> > Server setup:
> > - Samba 4.4 on Debian as AD DC
> > - Created domain MYDOM
> > - smb.conf (extract):
> > tls enabled = yes
> > tls crlfile = tls/mycrl.pem (default is to look under private/)
> > CRL:
> > - In file system:
> > ..../private/tls/mycrl.pem
> > > mycrl.pem
> > - Contains serial number 0x12ab
> The Heimdal code doing the SmartCard stuff doesn't know about the
> smb.conf, you need to configure this in krb5.conf.
> Something like:
> pkinit_revoke = FILE:..../private/tls/mycrl.pem
> (Sadly this isn't used in our test scripts, so please test carefully
> and research the exact syntax further).
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/
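
A check on the CRL file itself, as an added example that is not part of the thread: before changing KDC configuration, confirm that the CRL really lists serial 0x12ab and has not passed its Next Update time. The helper names and the sample CRL text are constructed for illustration; the functions parse the text that `openssl crl -noout -text` prints.

```shell
#!/bin/sh
# Constructed sample of `openssl crl -noout -text` output (not the thread's CRL).
sample_crl_text() {
cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = Example Smartcard CA
        Last Update: Sep 20 10:00:00 2017 GMT
        Next Update: Oct 20 10:00:00 2017 GMT
Revoked Certificates:
    Serial Number: 12AB
        Revocation Date: Sep 20 09:55:00 2017 GMT
    Serial Number: 0F
        Revocation Date: Sep 19 08:00:00 2017 GMT
EOF
}

# Normalise a serial so 0x12ab, 12AB and 12:ab compare equal.
norm_serial() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdefx' 'ABCDEFX' |
        sed -e 's/^0X//' -e 's/^0*//'
}

# Read CRL text on stdin; return 0 if SERIAL ($1) is listed as revoked.
crl_text_lists_serial() {
    want=$(norm_serial "$1")
    while IFS= read -r line; do
        case $line in
            *"Serial Number:"*)
                have=$(norm_serial "${line##*Serial Number:}")
                if [ "$have" = "$want" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Print the CRL's Next Update time; a CRL past this time is stale.
crl_text_next_update() {
    sed -n 's/^ *Next Update: //p'
}

# Against a real file (openssl must be installed):
#   openssl crl -in mycrl.pem -noout -text | crl_text_lists_serial 0x12ab
if sample_crl_text | crl_text_lists_serial 0x12ab; then
    echo "0x12ab is listed; CRL valid until $(sample_crl_text | crl_text_next_update)"
fi
```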