[Samba] Certificates stop working after password change

Andrew Bartlett abartlet at samba.org
Fri Jun 7 17:35:16 MDT 2013

On Thu, 2013-06-06 at 20:41 +0000, Joaquin Cabrera wrote:
> Hi,
> We found the following problem when working with personal certificates.
> We have a system in Java that uses certificates at the time of signing; the certificates stop working when the user performs a password change.
> Customers are connected to the Samba4 domain; they are mainly PCs with Windows 7 or Vista. This error does not happen with certificates if the equipment is in a workgroup.
> We also found that if the user changes back to the previous password, they can sign correctly.
> Reinstalling certificates whenever the user changes their password is not an option, because we want to implement a policy requiring password changes every three months.
> The Samba version is 4.0.3

That is very odd.  X.509 certificates presented to our KDC for PK-INIT are not checked against a password in any way - it is entirely up to the validity of the certificate.  

Can you show the error shown on the KDC when the certificate is

Or are you referring to some other certificate system?

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
