[Samba] Certificates stop working after password change

Joaquin Cabrera joca_323 at hotmail.com
Mon Jun 10 15:49:15 MDT 2013


Hi Andrew, thanks for replying.

The certificates are X.509 for personal signatures but have no interaction with the KDC, I think; they are only used to sign on the Java application.

I'm not aware of what changes are made in the Windows clients when we join them to Samba4, but once joined, the user cannot change his password without making the certificate unusable.

As I mentioned before, if you change the user's password back to the old one, the certificate works correctly.

Any idea is welcome. And sorry for my English...

Joaquín Cabrera

> Subject: Re: [Samba] Certificates stop working after password change
> From: abartlet at samba.org
> To: joca_323 at hotmail.com
> CC: samba at lists.samba.org
> Date: Sat, 8 Jun 2013 09:35:16 +1000
> 
> On Thu, 2013-06-06 at 20:41 +0000, Joaquin Cabrera wrote:
> > Hi,
> > 
> > 
> > We found the following problem when working with personal certificates.
> > 
> > We have a system in Java using certificates at the time of signing; the certificates stop working when the user performs a password change.
> > 
> > Customers are connected to the Samba4 domain; they are mainly PCs with Windows 7 or Vista. This error does not happen with certificates if the equipment is in a workgroup.
> > 
> > We also found that if the user changes back to the previous password, they can sign correctly.
> > 
> > Reinstalling certificates whenever the user changes their password is not an option, because we want to implement a policy requiring password changes every three months.
> > 
> > The Samba version is 4.0.3
> 
> That is very odd.  X.509 certificates presented to our KDC for PK-INIT are not checked against a password in any way - it is entirely up to the validity of the certificate.  
> 
> Can you show the error shown on the KDC when the certificate is
> rejected?
> 
> Or are you referring to some other certificate system?
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
> 
 		 	   		  

