Bug 9612 - Samba DC allowed user to logon using revoked certificate on smart card
Summary: Samba DC allowed user to logon using revoked certificate on smart card
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: x64 Linux
: P5 major (vote)
Target Milestone: 4.3
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL: https://lists.samba.org/archive/samba...
Depends on:
Reported: 2013-01-29 12:55 UTC by raphaelsk
Modified: 2022-11-17 16:23 UTC (History)
5 users (show)

See Also:

Debug level 10 log covering successful smart card logon using a revoked certificate (3.53 MB, text/plain)
2013-01-29 12:55 UTC, raphaelsk
no flags Details
Level 10 debug log of Samba server, with 'pkinit_revoke' set, permitting login using revoked certificate (4.31 MB, text/plain)
2013-01-30 07:20 UTC, raphaelsk
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description raphaelsk 2013-01-29 12:55:09 UTC
Created attachment 8515 [details]
Debug level 10 log covering successful smart card logon using a revoked certificate

After revoking a certificate used to successfully logon to the Samba 4 domain I built for the Samba4/Smart Card logon HOWTO and installing the new CRL to the distribution point and the Samba server, the Samba 4 domain controller continued to permit a user who presented that certificate as their logon credential to successfully logon to the domain. 

The server setup is described in the Samba/Smart Card HOWTO on the Samba Wiki. I later created a new Windows client named Ontario, and created a new user, 'oldschool@greatlakes.example.com'. I issued the user a certificate, and successfully logged into the domain via Ontario using that certificate (stored on a smart card). 

I then revoked that certificate, generated a new CRL, and then gradually introduced the new CRL progressively further into the domain infrastructure. After each step in this process, I was still able to log in to the domain using the now-revoked certificate:

First, I placed the new CRL at the configured CRL distribution point. 
Second, I rebooted the Windows client. 
Third, I installed the new CRL into the 'tls' subdirectory of the Samba provision, replacing the older CRL which was there and which was referenced in the Samba configuration file. 
Fourth, I restarted the Samba 4 server. 
Fifth, I again rebooted the Windows client.

I later re-tried to logon with the revoked certificate after setting the debug level on the Samba DC to 10. The logon again completed successfully, and the log from that run is attached. 

The Windows client never recognized that the certificate was revoked either, however, I never directly installed any CRL on the machine.

I used the openssl verify command on the Samba server to confirm that the CRL did identify the revoked certificate as revoked. (It found an unrevoked certificate to be ok.)

According to an MS AD blog post from December 2008 (http://blogs.technet.com/b/instan/archive/2008/12/08/requiring-smart-cards-for-logon-avoiding-the-outage-caused-by-expired-crl-s.aspx), the domain controller is responsible for verifying that the logon certificate it is presented with during a smart card logon attempt is valid. At the same time, the Windows client must verify that the domain controller's certificate is still valid.
Comment 1 raphaelsk 2013-01-30 07:12:57 UTC
Looking at the almost duplicative crypto item configurations in the Samba configuration file and the KDC configuration file, I figured that, since the Samba config allows me to specify a CRL, there might be an analogous parameter for the KDC configuration. Looking at the Heimdal source code in the Samba source tree, I found the config file parameter pkinit_revoke, the values of which get read in via the function krb5_config_get_strings and get stored as an array of char*.

Adding "pkinit_revoke = FILE:[location of CRL]" to the KDC section of the KDC configuration file resulted in the error "Kerberos: PKINIT: : Failed load revoke list: ASN.1 unexpected field number" (and the resulting disabling of PKINIT). I then made a DER-formatted version of the CRL (which was in PEM format) and pointed "pkinit_revoke" at that version. That resulted in a clean Samba startup.

Unfortunately, even with this setting in place, I was still able to logon to the domain using the revoked certificate. I have attached a debug-level 10 log of the Samba server during that event (same machine names and users as earlier).

It's very possible I'm not using the pkinit_revoke parameter correctly, or that it doesn't do what I think it does; unfortunately, I didn't see any documentation about what kind of input this parameter is expecting. I believe it can be added multiple times; for all I know, it's expecting a thumbprint of a revoked certificate.
Comment 2 raphaelsk 2013-01-30 07:20:59 UTC
Created attachment 8520 [details]
Level 10 debug log of Samba server, with 'pkinit_revoke' set, permitting login using revoked certificate

During the lifetime of this log, the Samba server on Niagra started up, the Windows client Ontario started up, the user oldschool@greatlakes.example.com logged in using the revoked certificate on a smart card, Ontario shut down, and then the Samba server was stopped.
Comment 3 Karolin Seeger 2014-11-27 10:52:37 UTC
Is this a showstopper for 4.2.0?
Comment 4 Stefan Metzmacher 2014-11-29 10:16:13 UTC
This is no 4.2.0 blocker.
Comment 5 Andrew Bartlett 2015-06-10 08:03:04 UTC
This needs to be resolved in upstream Heimdal.  The only part Samba probably needs to do is force in the right CRL if we have 'tls crlfile' set, because having two config items for the same kind of thing is really silly.
Comment 6 Łukasz Matyja 2016-04-01 08:57:38 UTC
Hi ,

I really wanted to address this topic because I want to implement in my login via SmartCard and I was able to improve to partially revoked certificates were rejected . I have yet to test the solution on the weekend and possibly improve but it works. I tested yesterday and quickly rejects the Windows certificates revoked .
Interested , of course, I share the source files for the substitution .

Łukasz Matyja
Comment 7 Prohor Roman 2019-04-08 07:37:55 UTC
Good day!
Does anyone have a solution to the problem of authorization on the revocation certificate in the samba domain? I deployed a test environment in which the samba dc server, web server apache and Windows client are installed. Authorization for revoked certificates on the web server does not occur, indicating that the certificate has been revoked. But authorization in Windows on the revoked certificate is still going on. I deleted the cached сrl on Windows, but still authorization occurs. Just waiting for the end of life crl. After Windows updated crl, authorization still worked.
Comment 8 Sergey Korchak 2019-06-27 09:36:17 UTC
I have fixed this bug. Very soon AstraLinux company will publish the patch in samba technical mailing list.
Comment 9 Andrew Bartlett 2021-03-19 00:01:27 UTC
(In reply to Sergey Korchak from comment #8)
Did the patch ever get anywhere?

Can you update this bug with some references if it did?
Comment 10 Andrew Bartlett 2021-03-19 00:03:01 UTC
Sorry, missed the URL link.

The patches need to go to upstream Heimdal and then we can backport them.
Comment 11 Andrew Bartlett 2022-04-06 01:12:31 UTC
This looks like it might be fixed thanks to our Heimdal upgrade in Samba 4.16.  

Certainly there is a call of hx509_revoke_add_crl() in the setup, so I hope this is working now.

It would be useful if someone could add a test for this for us.
Comment 12 Kacper 2022-04-29 14:07:09 UTC
(In reply to Andrew Bartlett from comment #11)

I've tested smart card revocation with the latest 4.16 build and I can confirm the  latest Heimdal upgrade did not resolve the issue. 

"hx509_revoke_add_crl" is indeed referenced in the Heimdal source but not in the pkinit.c file for the kdc (kdc/pkinit.c). I've tested out the AstraLinux patch and while it works it segfaults when no pkinit_revoke is configured, minior issue probably as it most likely is missing some check if the revocation check should be activated.

The AstraLinux patch haven't landed in upstream Heimdal, I don't know if Sergey Korchak gave up on the idea or if it was rejected upstream. While I'm would be willing to spend some time on this, I'm pretty sure it would require some kind of test submitted along with the patch and Heimdal has a steep learning curve.
Comment 13 Andrew Bartlett 2022-05-03 03:11:54 UTC
Thanks Kacper for testing that.

I'm sorry to hear this isn't fixed in the meantime.  

I do see all the Heimdal MRs so I'm pretty sure it wasn't sent to Heimdal.

I would encourage submitting a patch, with tests, upstream, as that really is the only way to get this fixed.
Comment 14 Kacper 2022-05-05 11:13:07 UTC
(In reply to Andrew Bartlett from comment #13)

Submitted https://github.com/heimdal/heimdal/pull/992. Hopefully we can close this bug once it gets accepted upstream.
Comment 15 Denis Cardon 2022-11-17 16:23:57 UTC
I cannot vouch for the coding itself, but the patch does work as expected on Samba 4.16. It is a must have in Samba-AD with smartcard deployment.