Bug 9628 - Smart card credentials not following through to login.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: 11441
Reported: 2013-02-03 05:34 UTC by Ken Allan
Modified: 2016-08-18 14:35 UTC

Description Ken Allan 2013-02-03 05:34:09 UTC
I have set up a new AD DC and configured smart card login to the domain, with a Feitian ePass2003 USB smart card token, using the wiki.samba.org/index.php/Samba4/Smart_Card_Login instructions, and am logging in from a Windows 7 machine hooked up to the domain.

We're using version 4.1.0pre1-GIT-4990080 currently.

Everything is working great, except that every time I go to access a share, it seemingly forgets who I am and I have to reauthenticate using the smart card again in order to continue.

It sounds very similar to what's happening here:
https://lists.samba.org/archive/samba-technical/2013-January/090059.html

I have the debug logs enabled and the following is what I'm getting at the start of the session (when logging in):

dreplsrv_notify_schedule(5) scheduled for: Sun Feb  3 14:51:20 2013 EST
Kerberos: AS-REQ k.allan\@bca.office@BCA.OFFICE from ipv4:10.1.1.146:53953 for krbtgt/BCA.OFFICE@BCA.OFFICE
Kerberos: Client sent patypes: PK-INIT(win2k), OCSP, 132, 128
Kerberos: Looking for PKINIT pa-data -- k.allan\@bca.office@BCA.OFFICE
Kerberos: PK-INIT request of type PK-INIT-Win2k
Kerberos: Trying to authorize PK-INIT subject DN emailAddress=k.allan@******.com.au,CN=Ken Allan,OU=Certs,O=******,L=******,S=Queensland,C=AU
Kerberos: found MS UPN SAN: k.allan@bca.office
Kerberos: Found matching MS UPN SAN in certificate
Kerberos: PKINIT pre-authentication succeeded -- k.allan\@bca.office@BCA.OFFICE using emailAddress=k.allan@******.com.au,CN=Ken Allan,OU=Certs,O=******,L=******,S=Queensland,C=AU
authsam_account_ok: Checking SMB password for user k.allan\@bca.office@BCA.OFFICE
logon_hours_ok: No hours restrictions for user k.allan\@bca.office@BCA.OFFICE
Kerberos: AS-REQ authtime: 2013-02-03T14:51:18 starttime: unset endtime: 2013-02-04T00:51:18 renew till: 2013-02-10T14:51:18
Kerberos: Client supported enctypes: 12, 15, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using aes256-cts-hmac-sha1-96/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.3246.39
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ k.allan@BCA.OFFICE from ipv4:10.1.1.146:53954 for host/guarana.bca.office@BCA.OFFICE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2013-02-03T14:51:18 starttime: 2013-02-03T14:51:18 endtime: 2013-02-04T00:51:18 renew till: 2013-02-10T14:51:18
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.3246.39
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Then later on when trying to access the shares we're seeing things like:

cldap netlogon query domain=bca.office. host=GUARANA user=(null) version=536870934 guid=a26184a9-5b1f-4803-bd92-b8c92eb6958e
...
Got user=[] domain=[] workstation=[GUARANA] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[GUARANA]
map_user_info_cracknames: Mapping user []\[] from workstation [GUARANA]
auth_check_password_send: mapped user is: [BCA]\[]@[GUARANA]
auth_get_challenge: returning previous challenge by module random (normal)
[0000] 79 44 2B D6 C6 0B 3D 56                            yD+...=V 
auth_check_password_recv: anonymous authentication for user [NT AUTHORITY\ANONYMOUS LOGON] succeeded
...
Client unknown requested to decrypt a client side wrapped secret
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.3240.45
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
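The log excerpt above shows the pattern a defender would want to spot automatically: a user completes PKINIT and obtains a host ticket for the workstation, and shortly afterwards the same workstation presents an empty user and domain to the SMB server and is accepted as ANONYMOUS LOGON. The following script is an added example, not code from the bug report or from Samba; it correlates the Kerberos and NTLM lines of a Samba debug log and reports every anonymous logon from a workstation that a Kerberos user had just authenticated to. The sample log is constructed here to mirror the shape of the lines quoted above, and the regular expressions assume that line format.

```python
import re

# Constructed sample, shaped like the Samba debug log quoted in the bug report.
SAMPLE_LOG = """\
Kerberos: PKINIT pre-authentication succeeded -- k.allan\\@bca.office@BCA.OFFICE using emailAddress=k.allan@example.com.au,CN=Ken Allan,OU=Certs,O=Example,L=City,S=Queensland,C=AU
Kerberos: TGS-REQ k.allan@BCA.OFFICE from ipv4:10.1.1.146:53954 for host/guarana.bca.office@BCA.OFFICE [canonicalize, renewable, forwardable]
Got user=[] domain=[] workstation=[GUARANA] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\\[]@[GUARANA]
auth_check_password_recv: anonymous authentication for user [NT AUTHORITY\\ANONYMOUS LOGON] succeeded
Kerberos: TGS-REQ j.doe@BCA.OFFICE from ipv4:10.1.1.150:50001 for host/mango.bca.office@BCA.OFFICE [canonicalize]
Got user=[j.doe] domain=[BCA] workstation=[MANGO] len1=5 len2=3
"""

# Patterns assume the Samba 4.x debug log wording seen in the report.
PKINIT_OK = re.compile(r"PKINIT pre-authentication succeeded -- (\S+)")
TGS_HOST = re.compile(r"TGS-REQ (\S+) from \S+ for host/([^.@/]+)")
NTLM_ATTEMPT = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
ANON_OK = re.compile(r"anonymous authentication for user \[NT AUTHORITY\\ANONYMOUS LOGON\] succeeded")


def local_part(principal: str) -> str:
    """Return the user part of a Kerberos principal.

    Enterprise-style names such as user\\@domain@REALM carry an escaped '@';
    split on the first unescaped '@', then drop anything after the first '@'
    of the unescaped remainder, so both forms reduce to the bare user name.
    """
    head = re.split(r"(?<!\\)@", principal, maxsplit=1)[0]
    return head.replace("\\@", "@").split("@", 1)[0]


def find_credential_fallthrough(log_text: str) -> list:
    """Flag anonymous SMB logons from workstations a Kerberos user just used.

    Returns one dict per finding with the workstation name, the Kerberos
    user that obtained a host ticket for it, and whether that user's
    Kerberos authentication in this excerpt was PKINIT (smart card).
    """
    pkinit_users = set()      # users whose AS exchange succeeded via PKINIT
    host_to_user = {}         # WORKSTATION -> user holding host/<ws> ticket
    pending_ws = None         # workstation of an in-flight empty-credential NTLM attempt
    findings = []

    for line in log_text.splitlines():
        m = PKINIT_OK.search(line)
        if m:
            pkinit_users.add(local_part(m.group(1)))
            continue

        m = TGS_HOST.search(line)
        if m:
            host_to_user[m.group(2).upper()] = local_part(m.group(1))
            continue

        m = NTLM_ATTEMPT.search(line)
        if m:
            user, domain, workstation = m.groups()
            # Only an empty user *and* domain is an anonymous attempt worth tracking.
            pending_ws = workstation.upper() if user == "" and domain == "" else None
            continue

        if pending_ws and ANON_OK.search(line):
            krb_user = host_to_user.get(pending_ws)
            if krb_user:
                findings.append({
                    "workstation": pending_ws,
                    "kerberos_user": krb_user,
                    "pkinit": krb_user in pkinit_users,
                })
            pending_ws = None

    return findings


if __name__ == "__main__":
    for finding in find_credential_fallthrough(SAMPLE_LOG):
        print(f"{finding['workstation']}: anonymous logon after Kerberos auth by "
              f"{finding['kerberos_user']} (PKINIT={finding['pkinit']})")
```

Run against the sample, the script reports GUARANA once: the workstation that k.allan reached by smart card shortly before presenting empty credentials. MANGO is not reported because its NTLM attempt carried a real user and domain. In production the same correlation would be keyed on the log timestamps as well, so that a host ticket issued hours earlier does not pair with an unrelated anonymous session.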
Comment 1 Stefan Metzmacher 2016-08-18 14:35:32 UTC
Please retry with 4.5.0rc1 or later and reopen if the problem still exists.