samba - Sep 2020 - Private Key Unavailable After Domain Password Change

Hi All!

We are currently running one AD DC on 4.11.12 and one on 4.10.17 (scheduled
for replacement later this month). Sometimes when a user changes their
domain password, we are seeing an issue where the private key is no longer
available.  Users on Windows 10 v1909 or v2004. This does not happen to all
users.

We have users connecting to one of our environments using OpenVPN. We have
been using the cryptoapicert option in the OpenVPN config and having it
reference a certificate/key we import to the user's account using certutil
(ex. "certutil -user -importpfx mycertkeypair.p12 NoExport") with the
NoExport option (or via mmc). (NoExport is so they can't export private key
and move to another system).

When the user changes their domain password then tries to connect to the
VPN, they get these errors below. If we manually re-import the certificate,
everything works properly. Because of this, I don't believe this is an
issue with OpenVPN.

*- OpenSSL:error:C5066064:microsoft
cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist*
*- Cannot load certificate: SUBJ:mycertkeypair" from Microsoft Certificate
Store*

I found this old bug which looks very similar, but was supposed to be fixed
as of 4.2.0?

https://bugzilla.samba.org/show_bug.cgi?id=10980

Has anyone else seen this, or have any ideas on how to allow private keys
to persist password changes for all users?

Thanks!

Bill Baird

-- 
--
This electronic message, including its attachments (if any), is 
CONFIDENTIAL and may contain PROPRIETARY or LEGALLY PRIVILEGED information. 
If you are not the intended recipient, you are hereby notified that any 
use, disclosure, copying, or distribution of this message, its attachments, 
or any of the information included therein, is unauthorized and strictly 
prohibited. If you have received this message in error, please immediately 
notify the sender by reply e-mail and permanently delete this message and 
its attachments, along with any copies thereof.

On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba
wrote:
> Hi All!
> 
> We are currently running one AD DC on 4.11.12 and one on 4.10.17
> (scheduled
> for replacement later this month). Sometimes when a user changes
> their
> domain password, we are seeing an issue where the private key is no
> longer
> available.  Users on Windows 10 v1909 or v2004. This does not happen
> to all
> users.
Where do they change their password?  If it isn't locally on the system
concerned (where it would re-encrypt the key store), I could see how
the machine would have trouble accessing the keys (via backupkey) until
the VPN was back up, creating a nasty chicken-and-egg situation.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba

They change it on the same local system that is also connected to the VPN.
Since it is a domain account, I don't think it lets them change the
password unless they can properly communicate with the domain controller?

Are you aware of any workarounds, or logs that might help troubleshoot this
issue?

Thanks!

On Mon, Sep 14, 2020 at 5:00 PM Andrew Bartlett <abartlet at samba.org>
wrote:
> On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba wrote:
> > Hi All!
> >
> > We are currently running one AD DC on 4.11.12 and one on 4.10.17
> > (scheduled
> > for replacement later this month). Sometimes when a user changes
> > their
> > domain password, we are seeing an issue where the private key is no
> > longer
> > available.  Users on Windows 10 v1909 or v2004. This does not happen
> > to all
> > users.
>
> Where do they change their password?  If it isn't locally on the system
> concerned (where it would re-encrypt the key store), I could see how
> the machine would have trouble accessing the keys (via backupkey) until
> the VPN was back up, creating a nasty chicken-and-egg situation.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
-- 
*Bill Baird*
Chief Security Officer
Mobile: 203-545-0437
www.phoenixmi.com

*To create an IT ticket, please email itsupport at phoenixmi.com
<itsupport at phoenixmi.com> or call 845-943-4222.*

-- 
--
This electronic message, including its attachments (if any), is 
CONFIDENTIAL and may contain PROPRIETARY or LEGALLY PRIVILEGED information. 
If you are not the intended recipient, you are hereby notified that any 
use, disclosure, copying, or distribution of this message, its attachments, 
or any of the information included therein, is unauthorized and strictly 
prohibited. If you have received this message in error, please immediately 
notify the sender by reply e-mail and permanently delete this message and 
its attachments, along with any copies thereof.