
Samba4 AD DC w/ Windows SM login


8 replies to this topic

#1 Restemayer (Members, 5 posts)

Posted 16 August 2016 - 01:21 PM

I'm setting up a small dental office with smartcard authentication for their computers for convenience, security, and to meet HIPAA requirements for tracking logins.  I'm using a samba Active Directory setup because at this point, spending $1000 on a copy of the latest Windows Server isn't an option.  I am currently on my 4th attempt at it.  Previously, I was compiling it from source on Ubuntu, but for this next attempt I'm going with a Univention VMware image instead to hopefully make it go a little faster.

 

So, basically, every time, the Active Directory system seems to work fine.  The domain exists, I can log into it, and can access it through RSAT... at least for those functions that exist in a Samba setup, anyway.  Where I'm running into a roadblock is with the certificates.  I've set up my own CA, been slogging through this (https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login) verbatim (other than changing the necessary stuff to make it for my domain, obviously)... and when I go to login, it doesn't work.  The best I can tell, it recognizes the certificate I've put on the card, it recognizes the root CA certificate, but it can't find the DC certificate.  That is what certutil -dcinfo kicks back anyway: "KDC Certificate not found".  I've tried publishing the DC certificate.  I've tried manually putting it into the enterprise stores.  I've tried putting it into the group policy system.  I've tried fiddling with the auto-enrollment system (turning it on... turning it off).  Nothing works.  I am completely out of ideas here.

 

Any thoughts?




#2 Restemayer (Topic Starter)

Posted 16 August 2016 - 04:19 PM

Well, that was quick.

 

Install Univention, add new user, try to login... and it demands a new password.

 

That's weird.  I didn't set "change password on login" when I created the user.  Oh well... change password.

 

ERROR ERROR FAIL AUTHENTICATION FAIL UNKNOWN ERROR FAIL FAIL FAIL

 

... and f- that... delete the POS.

 

On to attempt number 5 with something else.  I'm not going to waste my time trying to hammer bugs out of a function as basic as "create user".

 

Seriously... any input.  Anything at all.  It'd be great.



#3 Restemayer (Topic Starter)

Posted 16 August 2016 - 05:20 PM

Tried a TurnKey AD setup.  Winbindd immediately failed on load.  Deleted.  On to attempt 6.

 

I'm finding the furthest progress I've made was when I've built it myself from source.

 

Still floundering here.



#4 DeimosChaos (BC Advisor, 1,420 posts)

Posted 17 August 2016 - 08:57 AM

Hey there Restemayer! Welcome to BC!

 

Unfortunately I have about zero experience with what you are trying to do. I have a simple samba setup at my home for my personal network, but have never attempted anything you are trying. So I won't be a whole lot of help.

 

About all I have is some Google searches. Though my bet is you have seen these already. Here they are though, maybe they will help.

 

http://marc.info/?l=samba&m=134813710400504

https://support.microsoft.com/en-us/kb/281245

 

Maybe some useful info in this one? Very last post on the bottom mentions " but there is a field in the PAC that literally contains the user's hashed password.  We don't fill that in, but without it NTLMSSP authentication just can't work." Might be a bit of info that is helpful.

http://samba.2283325.n4.nabble.com/Experience-Report-Smart-Card-Login-to-Samba-4-domain-td4643085.html


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#5 Restemayer (Topic Starter)

Posted 17 August 2016 - 09:18 AM

Actually, I have not seen those yet. Thanks! I'll take a look through those to see if I get some insight into what is going on with it.

Yeah, this is probably not the best place to ask really technically specific questions like these... but it's the only place, unfortunately. My first choice was on Samba's forums... but they don't have any forums. They have a mailing list and IRC, which is par for the course with Linux I find. Yeah, between spam and viruses, I wasn't doing that. Not to rant (ok, maybe a little) <rant>... but for all the advantages of open source software, this infatuation with 30 year old obsolete technology is one of the myriad reasons why it never actually gains traction. I consider myself an advanced user and it drives me up a wall. No new user is going to want to figure out IRC or deal with a mailing list to get community support. I just don't get it. </rant>

#6 DeimosChaos (BC Advisor)

Posted 17 August 2016 - 09:28 AM

I agree. Doesn't make much sense not to have a forum these days. IRC and email options are fine, but for open source you might as well have an easily accessible forum that users can search.

 

You might want to try posing your question over on some of the bigger Linux forums. Ubuntu has a giant community and someone may be of help there.




#7 DodoIso (Members, 61 posts)

Posted 23 August 2016 - 02:08 AM

I don't know all the distributions out there, but I would recommend that you go with one that already provides a Samba package, that is, the maintainers already built/optimized/patched the thing for that specific OS.  Then, you only have to deal with the config file (which is not easy either).

 

I myself use it under FreeBSD (could be PC-BSD for easier overall installation too), and got Samba 4.4 to run, although not as a Domain Controller as you want to have, but I could have it as well if I (really) wanted it.  Many are already using it this way, so you know it's possible.


Edited by DodoIso, 23 August 2016 - 02:10 AM.


#8 Restemayer (Topic Starter)

Posted 23 August 2016 - 08:23 AM

Under normal conditions I'd agree with you; I have several file servers that run it fine... However for what I'm using it for, building from source makes sense. I have to watch for the version of Kerberos I'm using; Heimdal Kerberos works for what I'm using it for... MIT Kerberos, which comes with some distributions, doesn't. There are also some build configuration flags I need set that may or may not be included in the distribution's build. It just ends up being easier to build it myself than try to find a specific distro package that has everything I need. Besides, best I can tell, Samba appears to be running fine. The AD implementation works. I can create domain users, log into the domain, and do basically everything that the active directory system allows. Where it falls apart is the certificates for smart card login specifically. The KDC cert is either not being found or is not being recognized as valid. I have to build the certificates myself. I'm either missing something in the configuration for the certificates when I build them, I'm putting them in the wrong place so they can't be found, my permissions are messed up so it won't share the certs, or there is something wonky with how I have Kerberos configured. I just am having a hard time figuring out which one it is. All of those are independent of the Samba build; I could screw those up regardless of whether it's a distro package or built from source.
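Added example, not part of the thread and not code from the Samba wiki page it cites. Post #1 reports that "certutil -dcinfo" answers "KDC Certificate not found", and post #8 narrows the cause to the DC certificate's contents, its placement, or Kerberos configuration. The PowerShell below, run on the Windows client where certutil is used, checks an exported DC certificate against the properties Microsoft's third-party-CA guidance (KB 281245, linked in post #4) asks of a domain controller certificate, plus the KDC Authentication EKU from RFC 4556 that a client with strict KDC validation looks for. It does not reproduce what certutil -dcinfo does internally; it only tells you which of those properties the certificate is missing. The file path and DC name are placeholders, not values from the thread.

```powershell
# Added example: check a DC (KDC) certificate for what a Windows smart card
# logon client expects. Assumptions (placeholders, not from the thread):
# the DC certificate is exported to $CertPath, the DC's DNS name is $DcFqdn.
param(
    [string]$CertPath = 'C:\temp\dc1.crt',
    [string]$DcFqdn   = 'dc1.samdom.example.com'
)

$OidServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$OidClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$OidKdcAuth    = '1.3.6.1.5.2.3.5'     # KDC Authentication EKU (RFC 4556 id-pkinit-KPKdc)
$OidKeyUsage   = '2.5.29.15'
$OidEku        = '2.5.29.37'
$OidSan        = '2.5.29.17'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$findings = New-Object System.Collections.Generic.List[string]

# 1. Extended Key Usage: Server and Client Authentication are the baseline;
#    KDC Authentication is what strict KDC validation requires on top.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidEku }
if (-not $eku) {
    $findings.Add('No Extended Key Usage extension at all')
} else {
    $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($needed in @($OidServerAuth, $OidClientAuth)) {
        if ($present -notcontains $needed) { $findings.Add("EKU $needed missing") }
    }
    if ($present -notcontains $OidKdcAuth) {
        $findings.Add("EKU $OidKdcAuth (KDC Authentication) missing; needed when strict KDC validation is enabled")
    }
}

# 2. Key Usage must allow digital signature and key encipherment.
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidKeyUsage }
$required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if (-not $ku) {
    $findings.Add('No Key Usage extension')
} elseif (([int]($ku.KeyUsages -band $required)) -ne [int]$required) {
    $findings.Add("Key Usage is '$($ku.KeyUsages)', expected DigitalSignature and KeyEncipherment")
}

# 3. Subject Alternative Name must carry the DC's DNS name. .NET Framework
#    does not type this extension, so use the CryptoAPI text rendering.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidSan }
if (-not $san) {
    $findings.Add('No Subject Alternative Name extension')
} else {
    $sanText = $san.Format($true)
    if ($sanText -notmatch [regex]::Escape($DcFqdn)) {
        $findings.Add("SAN does not contain DNS name $DcFqdn (SAN is: $($sanText -replace '\s+', ' '))")
    }
}

# 4. The chain must build to a root this machine trusts. Revocation is
#    skipped here so an unreachable CRL does not mask a trust problem; the
#    logon itself does check revocation, so CDP reachability is a separate fix.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $findings.Add("Chain does not build: $status")
}

# 5. The issuing CA must be published in the enterprise NTAuth store, or
#    Windows will not accept certificates from it for logon. certutil prints
#    the SHA-1 hash; whitespace is stripped so either hash layout matches.
if ($chain.ChainElements.Count -ge 2) {
    $issuer = $chain.ChainElements[1].Certificate
    $ntauth = (& certutil.exe -enterprise -store NTAuth 2>&1 | Out-String) -replace '\s', ''
    if ($ntauth.ToLower() -notmatch $issuer.Thumbprint.ToLower()) {
        $findings.Add("Issuing CA '$($issuer.Subject)' not found in NTAuth store")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) looks usable as a KDC certificate for $DcFqdn"
} else {
    Write-Output "Problems with $($cert.Subject):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell on a domain-joined client (`.\Check-KdcCert.ps1 -CertPath .\dc1.crt -DcFqdn dc1.yourdomain.tld`). An empty findings list means the certificate's contents and trust path are not the problem, which points the investigation at where the DC serves the certificate from and at the Kerberos/PKINIT configuration on the Samba side instead; any listed finding is a concrete thing to change in how the certificate is built or published before retrying the logon.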

#9 Maba (Members, 9 posts)

Posted 06 September 2016 - 07:08 AM


If you still need advice on Univention Corporate Server, visit their forum at http://forum.univention.de/ to get professional help on this.





