Re: [Samba] Revocation with CRL doesn't work for smartcards

Ah, thank you, obviously this is a bug. The last comment (Łukasz Matyja,
2016-04-01) says there is a fix, but how do I know whether it has been added to
bitbucket/samba? And if so, in which version? Or does the problem remain,
since the bugzilla case is still there? (Status: New)

On Thu, Sep 21, 2017 at 10:52 PM, Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Thu, 21 Sep 2017 22:08:51 +0200
> Peter L via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Thanks, but I've actually tried that too. Not sure I put it in the [kdc]
> > section though, I can try again.
> >
> > On 21 Sep 2017 20:54, "Andrew Bartlett" <abartlet@xxxxxxxxx> wrote:
> >
> > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > > > Hi,
> > > > I have a smartcard which is revoked in the Certificate Revocation
> > > > List (CRL) but I can still login. Seems like the CRL check is not
> > > > performed. Any known bug around this?
> > > >
> > > > Server setup:
> > > > - Samba 4.4 on Debian as AD DC
> > > > - Created domain MYDOM
> > > > - smb.conf (extract):
> > > >     tls enabled = yes
> > > >     tls crlfile = tls/mycrl.pem (default is to look under the private/ folder)
> > >
> > > > CRL:
> > > > - In file system:
> > > > ..../private/tls/mycrl.pem
> > > > - Contains serial number 0x12ab
> > >
> > > The Heimdal code doing the SmartCard stuff doesn't know about the
> > > smb.conf, you need to configure this in krb5.conf.
> > >
> > > Something like:
> > >
> > > [kdc]
> > >  pkinit_revoke = FILE:..../private/tls/mycrl.pem
> > >
> > > (Sadly this isn't used in our test scripts, so please test carefully
> > > and research the exact syntax further).
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> > > --
> > > Andrew Bartlett                       http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team  http://samba.org
> > > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> > >
> > >
>
> This jogged something in my memory, so I went and did some digging and
> found this:
>
> https://bugzilla.samba.org/show_bug.cgi?id=9612
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
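The following is an added example, not code from this thread, from Samba or from Heimdal. It turns Andrew's point into something an admin can run before re-testing a revoked card: the Heimdal KDC inside Samba takes its CRL from the `[kdc]` section of krb5.conf (`pkinit_revoke = FILE:...`), while `tls crlfile` in smb.conf only reaches Samba's own TLS listener, so the script checks that krb5.conf actually carries the setting, that it points at the CRL file you think it does, and that the CRL lists the card's serial and still has a future nextUpdate. The krb5.conf path, the CRL path under /var/lib/samba/private/tls/ and the serial are placeholders passed on the command line; the constructed config snippets are only what a Debian-style install might look like.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/Heimdal.
# Checks that the CRL is configured where the Heimdal KDC reads it
# (krb5.conf, [kdc] section, pkinit_revoke), not only as "tls crlfile" in
# smb.conf, and that the CRL file lists the smartcard's serial.
#
# Expected krb5.conf stanza (placeholder path for a Debian-style install):
#
#   [kdc]
#     pkinit_revoke = FILE:/var/lib/samba/private/tls/mycrl.pem
#
# Usage: sh check_pkinit_crl.sh /etc/krb5.conf /var/lib/samba/private/tls/mycrl.pem 12ab

# Print the body of one [section] of a krb5.conf-style file.
conf_section() {  # conf_section FILE SECTION
    awk -v want="[$2]" '
        $1 ~ /^\[/ { insec = ($1 == want); next }
        insec      { print }
    ' "$1"
}

# Exit 0 if the [kdc] section sets pkinit_revoke, 1 otherwise.
kdc_has_pkinit_revoke() {  # kdc_has_pkinit_revoke KRB5_CONF
    conf_section "$1" kdc | grep -Eq '^[[:space:]]*pkinit_revoke[[:space:]]*='
}

# Print the configured CRL path with any leading "FILE:" prefix stripped.
kdc_pkinit_revoke_path() {  # kdc_pkinit_revoke_path KRB5_CONF
    conf_section "$1" kdc \
        | sed -n 's/^[[:space:]]*pkinit_revoke[[:space:]]*=[[:space:]]*\(FILE:\)\{0,1\}//p' \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# Exit 0 if the PEM CRL lists SERIAL (hex, case-insensitive, no 0x prefix).
# "openssl crl -text" prints one "Serial Number: <hex>" line per revoked cert.
crl_lists_serial() {  # crl_lists_serial CRL_PEM SERIAL
    openssl crl -in "$1" -noout -text \
        | grep -Ei '^[[:space:]]*Serial Number:' \
        | grep -Eiq ":[[:space:]]*0*$2[[:space:]]*\$"
}

# Print the CRL's nextUpdate so a stale CRL is visible at a glance;
# a CRL past nextUpdate is no longer a valid revocation source.
crl_next_update() {  # crl_next_update CRL_PEM
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

main() {  # main KRB5_CONF CRL_PEM SERIAL
    conf=$1
    crl=$2
    serial=$(printf '%s' "$3" | sed 's/^0[xX]//')   # accept 0x12ab or 12ab
    status=0
    if kdc_has_pkinit_revoke "$conf"; then
        echo "ok: [kdc] pkinit_revoke -> $(kdc_pkinit_revoke_path "$conf")"
    else
        echo "FAIL: no pkinit_revoke in [kdc] of $conf (smb.conf 'tls crlfile' does not reach the KDC)" >&2
        status=1
    fi
    if [ "$(kdc_pkinit_revoke_path "$conf")" != "$crl" ]; then
        echo "warn: pkinit_revoke does not point at $crl" >&2
    fi
    if crl_lists_serial "$crl" "$serial"; then
        echo "ok: $crl revokes serial $serial (nextUpdate: $(crl_next_update "$crl"))"
    else
        echo "FAIL: serial $serial not listed in $crl" >&2
        status=1
    fi
    return $status
}

# Only run the checks when called with all three arguments, so the functions
# can also be sourced and reused.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

The config parsing needs only POSIX sh, awk, sed and grep; the CRL half needs the openssl CLI on the DC. A clean run prints two "ok:" lines; a "FAIL" on the first check means the KDC was never told about the CRL, which matches the symptom in this thread. Remember to restart the Samba AD DC after editing krb5.conf, and, as Andrew says, verify the exact Heimdal syntax against the krb5.conf documentation for your version rather than trusting this snippet.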