Roel van Meer
2015-Mar-12 12:53 UTC
[Samba] Certificates stop working after password change in legacy domain
Hi list,

we have a problem with users that have personal certificates. When they change their password via the Ctrl-Alt-Del prompt, their personal certificates can no longer be used to authenticate.

This happens with Windows 7 Professional joined to a Samba legacy domain. I've tested Samba 4.0.22 and 4.2.0 and they both show the same behaviour.

When I leave the domain, and try it with the client as standalone system, it works like it should.

I found a similar thread here: https://lists.samba.org/archive/samba/2013-June/173816.html but the problem there was with a Samba AD.

Is this something that should work with a legacy domain? If so, could someone give me a few pointers on where to start looking for a cause?

Thanks a lot,

Roel
Andrew Bartlett
2015-Mar-13 08:37 UTC
[Samba] Certificates stop working after password change in legacy domain
On Thu, 2015-03-12 at 13:53 +0100, Roel van Meer wrote:
> Hi list,
>
> we have a problem with users that have personal certificates. When they
> change their password via the Ctrl-Alt-Del prompt, their personal
> certificates can no longer be used to authenticate.
>
> This happens with Windows 7 Professional joined to a Samba legacy domain.
> I've tested Samba 4.0.22 and 4.2.0 and they both show the same behaviour.
>
> When I leave the domain, and try it with the client as standalone system, it
> works like it should.
>
> I found a similar thread here: https://lists.samba.org/archive/samba/2013-June/173816.html
> but the problem there was with a Samba AD.
>
> Is this something that should work with a legacy domain?

I strongly suspect this is because the BackupKey RPC is not implemented in the Samba classic DC.

> If so, could
> someone give me a few pointers on where to start looking for a cause?

Take a test system, and on an isolated network upgrade to a Samba AD DC. If you use Samba 4.2.0, this should then allow password changes.

We have just completed a great deal of work on BackupKey, implementing both of the subprotocols, but while it could (I suppose, with non-trivial effort) be made to work in the Samba classic DC, with the secret keys stored in LDAP, that hasn't been done so far, and an AD upgrade will be easier and more reliable.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Roel van Meer
2015-Mar-16 13:15 UTC
[Samba] Certificates stop working after password change in legacy domain
Andrew Bartlett writes:
> > we have a problem with users that have personal certificates. When they
> > change their password via the Ctrl-Alt-Del prompt, their personal
> > certificates can no longer be used to authenticate.
>
> I strongly suspect this is because the BackupKey RPC is not implemented
> in the Samba classic DC.
>
> > If so, could
> > someone give me a few pointers on where to start looking for a cause?
>
> Take a test system, and on an isolated network upgrade to a Samba AD DC.
> If you use Samba 4.2.0, this should then allow password changes.

An upgrade to Samba AD DC is scheduled for later this year. I'll postpone this until then.

Thanks for your answer!

Roel