Bill Baird
2020-Sep-22 20:27 UTC
[Samba] Private Key Unavailable After Domain Password Change
They change it on the same local system that is also connected to the VPN. Since it is a domain account, I don't think it lets them change the password unless they can properly communicate with the domain controller?

Are you aware of any workarounds, or logs that might help troubleshoot this issue?

Thanks!

On Mon, Sep 14, 2020 at 5:00 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba wrote:
> > Hi All!
> >
> > We are currently running one AD DC on 4.11.12 and one on 4.10.17 (scheduled for replacement later this month). Sometimes when a user changes their domain password, we are seeing an issue where the private key is no longer available. Users on Windows 10 v1909 or v2004. This does not happen to all users.
>
> Where do they change their password? If it isn't locally on the system concerned (where it would re-encrypt the key store), I could see how the machine would have trouble accessing the keys (via backupkey) until the VPN was back up, creating a nasty chicken-and-egg situation.
>
> Andrew Bartlett
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

--
Bill Baird
Chief Security Officer
Mobile: 203-545-0437
www.phoenixmi.com

To create an IT ticket, please email itsupport at phoenixmi.com or call 845-943-4222.

--
This electronic message, including its attachments (if any), is CONFIDENTIAL and may contain PROPRIETARY or LEGALLY PRIVILEGED information. If you are not the intended recipient, you are hereby notified that any use, disclosure, copying, or distribution of this message, its attachments, or any of the information included therein, is unauthorized and strictly prohibited. If you have received this message in error, please immediately notify the sender by reply e-mail and permanently delete this message and its attachments, along with any copies thereof.
Bill Baird
2021-Mar-02 18:22 UTC
[Samba] Private Key Unavailable After Domain Password Change
To follow up on this, in case anyone has the same issue. We finally retired our oldest DC running 4.10.x on Amazon Linux 1 and the issue has been resolved. Current DCs are 4.13.x on Ubuntu 20.04.2 LTS and 4.11.x on Amazon Linux 2. No other changes were needed to fix the issue.

Thanks!

On Tue, Sep 22, 2020 at 4:27 PM Bill Baird <Bill.Baird at phoenixmi.com> wrote:
> They change it on the same local system that is also connected to the VPN. Since it is a domain account, I don't think it lets them change the password unless they can properly communicate with the domain controller?
>
> Are you aware of any workarounds, or logs that might help troubleshoot this issue?
>
> Thanks!
>
> On Mon, Sep 14, 2020 at 5:00 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba wrote:
>> > Hi All!
>> >
>> > We are currently running one AD DC on 4.11.12 and one on 4.10.17 (scheduled for replacement later this month). Sometimes when a user changes their domain password, we are seeing an issue where the private key is no longer available. Users on Windows 10 v1909 or v2004. This does not happen to all users.
>>
>> Where do they change their password? If it isn't locally on the system concerned (where it would re-encrypt the key store), I could see how the machine would have trouble accessing the keys (via backupkey) until the VPN was back up, creating a nasty chicken-and-egg situation.
>>
>> Andrew Bartlett
>> --
>> Andrew Bartlett https://samba.org/~abartlet/
>> Authentication Developer, Samba Team https://samba.org
>> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
>
> --
> Bill Baird
> Chief Security Officer
> Mobile: 203-545-0437
> www.phoenixmi.com
>
> To create an IT ticket, please email itsupport at phoenixmi.com or call 845-943-4222.

--
Bill Baird (he/him)
Chief Security Officer
Mobile: 203-545-0437
www.phoenixmi.com

To create an IT ticket, please email itsupport at phoenixmi.com or call 845-943-4222.