Joaquin Cabrera
2013-Jun-06 20:41 UTC
[Samba] Certificates stop working after password change
Hi,

We found the following problem when working with personal certificates.

We have a system in Java using certificates at the time of signing; the certificates stop working when the user performs a password change.

Customers are connected to the Samba4 domain, mainly PCs with Windows 7 or Vista. This error does not happen with certificates if the equipment is in a workgroup.

We also found that if the user changes back to the previous password, they can sign correctly.

Reinstalling certificates whenever the user changes their password is not an option, because we want to implement a policy requiring password changes every three months.

The samba version is 4.0.3

samba4:~ # uname -a
Linux samba4 3.0.42-0.7-default #1 SMP Tue Oct 9 11:58:45 UTC 2012 (a8dc443) x86_64 x86_64 x86_64 GNU/Linux
samba4:~ # cat /etc/*-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2

So far this is the only problem we have found. Any idea is welcome.
Andrew Bartlett
2013-Jun-07 23:35 UTC
[Samba] Certificates stop working after password change
On Thu, 2013-06-06 at 20:41 +0000, Joaquin Cabrera wrote:
> Hi,
>
> We found the following problem when working with personal certificates.
>
> We have a system in Java using certificates at the time of signing; the certificates stop working when the user performs a password change.
>
> Customers are connected to the Samba4 domain, mainly PCs with Windows 7 or Vista. This error does not happen with certificates if the equipment is in a workgroup.
>
> We also found that if the user changes back to the previous password, they can sign correctly.
>
> Reinstalling certificates whenever the user changes their password is not an option, because we want to implement a policy requiring password changes every three months.
>
> The samba version is 4.0.3

That is very odd. X.509 certificates presented to our KDC for PK-INIT are not checked against a password in any way - it is entirely up to the validity of the certificate.

Can you show the error shown on the KDC when the certificate is rejected? Or are you referring to some other certificate system?

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org