Bill Baird
2020-Sep-14 16:11 UTC
[Samba] Private Key Unavailable After Domain Password Change
Hi All!

We are currently running one AD DC on 4.11.12 and one on 4.10.17 (scheduled for replacement later this month). Sometimes when a user changes their domain password, we are seeing an issue where the private key is no longer available. Users on Windows 10 v1909 or v2004. This does not happen to all users.

We have users connecting to one of our environments using OpenVPN. We have been using the cryptoapicert option in the OpenVPN config and having it reference a certificate/key we import to the user's account using certutil (ex. "certutil -user -importpfx mycertkeypair.p12 NoExport") with the NoExport option (or via mmc). (NoExport is so they can't export the private key and move it to another system.)

When the user changes their domain password then tries to connect to the VPN, they get the errors below. If we manually re-import the certificate, everything works properly. Because of this, I don't believe this is an issue with OpenVPN.

- OpenSSL:error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist
- Cannot load certificate: SUBJ:mycertkeypair" from Microsoft Certificate Store

I found this old bug which looks very similar, but was supposed to be fixed as of 4.2.0?
https://bugzilla.samba.org/show_bug.cgi?id=10980

Has anyone else seen this, or have any ideas on how to allow private keys to persist across password changes for all users?

Thanks!
Bill Baird

--
This electronic message, including its attachments (if any), is CONFIDENTIAL and may contain PROPRIETARY or LEGALLY PRIVILEGED information. If you are not the intended recipient, you are hereby notified that any use, disclosure, copying, or distribution of this message, its attachments, or any of the information included therein, is unauthorized and strictly prohibited. If you have received this message in error, please immediately notify the sender by reply e-mail and permanently delete this message and its attachments, along with any copies thereof.
Andrew Bartlett
2020-Sep-14 21:00 UTC
[Samba] Private Key Unavailable After Domain Password Change
On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba wrote:
> Hi All!
>
> We are currently running one AD DC on 4.11.12 and one on 4.10.17
> (scheduled for replacement later this month). Sometimes when a user
> changes their domain password, we are seeing an issue where the
> private key is no longer available. Users on Windows 10 v1909 or
> v2004. This does not happen to all users.

Where do they change their password? If it isn't locally on the system concerned (where it would re-encrypt the key store), I could see how the machine would have trouble accessing the keys (via backupkey) until the VPN was back up, creating a nasty chicken-and-egg situation.

Andrew Bartlett
--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
Bill Baird
2020-Sep-22 20:27 UTC
[Samba] Private Key Unavailable After Domain Password Change
They change it on the same local system that is also connected to the VPN. Since it is a domain account, I don't think it lets them change the password unless they can properly communicate with the domain controller?

Are you aware of any workarounds, or logs that might help troubleshoot this issue?

Thanks!

On Mon, Sep 14, 2020 at 5:00 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba wrote:
> > Hi All!
> >
> > We are currently running one AD DC on 4.11.12 and one on 4.10.17
> > (scheduled for replacement later this month). Sometimes when a user
> > changes their domain password, we are seeing an issue where the
> > private key is no longer available. Users on Windows 10 v1909 or
> > v2004. This does not happen to all users.
>
> Where do they change their password? If it isn't locally on the system
> concerned (where it would re-encrypt the key store), I could see how
> the machine would have trouble accessing the keys (via backupkey) until
> the VPN was back up, creating a nasty chicken-and-egg situation.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

--
Bill Baird
Chief Security Officer
Mobile: 203-545-0437
www.phoenixmi.com
To create an IT ticket, please email itsupport at phoenixmi.com or call 845-943-4222.
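As an added diagnostic (not posted in the thread and not part of Samba or OpenVPN), the PowerShell below walks the current user's Personal certificate store and tries to actually sign with each RSA private key, which forces CryptoAPI to open the DPAPI-protected key container. A "Keyset does not exist" failure here is the same condition OpenVPN's cryptoapicert reports, so running it after a password change (for example as a logon script) flags affected users before they need the VPN; it also lists the user's DPAPI master key files, whose location is assumed to be the standard %APPDATA%\Microsoft\Protect\<SID>.

```powershell
# Added example: probe private-key access for every cert in Cert:\CurrentUser\My.
$probe = [System.Text.Encoding]::ASCII.GetBytes("private-key-probe")   # constructed test input

function Test-PrivateKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        # Resolves the key container referenced by the certificate (CSP or CNG).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return "no RSA private key linked" }
        # Signing is what actually opens the key; a cert whose container was lost
        # after a password change fails here with "Keyset does not exist".
        $null = $rsa.SignData($probe,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return "OK"
    } catch {
        return "FAILED: " + $_.Exception.Message
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        HasPrivateKey = $_.HasPrivateKey   # only says a key container is referenced, not that it opens
        KeyAccess     = Test-PrivateKeyAccess -Cert $_
    }
} | Format-Table -AutoSize

# The user's private keys are protected by DPAPI master keys; list them so a missing
# or stale master key directory stands out next to the failures above.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-ChildItem -Force (Join-Path $env:APPDATA "Microsoft\Protect\$sid") -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```

Run it in the affected user's session (not elevated as another account), since the store and master keys probed are per-user.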