I'm setting up a small dental office with smartcard authentication for their computers for convenience, security, and to meet HIPAA requirements for tracking logins. I'm using a Samba Active Directory setup because at this point, spending $1000 on a copy of the latest Windows Server isn't an option. I am currently on my 4th attempt at it. Previously, I was compiling it from source on Ubuntu, but for this next attempt I'm going with a Univention VMware image instead to hopefully make it go a little faster.
So, basically, every time, the Active Directory system seems to work fine. The domain exists, I can log into it, and I can access it through RSAT... at least for those functions that exist in a Samba setup, anyway. Where I'm running into a roadblock is with the certificates. I've set up my own CA and been slogging through this (https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login) verbatim (other than changing the necessary stuff to make it fit my domain, obviously)... and when I go to log in, it doesn't work. As best I can tell, it recognizes the certificate I've put on the card, it recognizes the root CA certificate, but it can't find the DC certificate. That is what `certutil -dcinfo` kicks back, anyway: "KDC Certificate not found". I've tried publishing the DC certificate. I've tried manually putting it into the enterprise stores. I've tried putting it into the group policy system. I've tried fiddling with the auto-enrollment system (turning it on... turning it off). Nothing works. I am completely out of ideas here.