[Samba] Certificates stop working after password change

Andrew Bartlett abartlet at samba.org
Mon Jun 10 15:56:50 MDT 2013

On Mon, 2013-06-10 at 21:49 +0000, Joaquin Cabrera wrote:
> Hi Andrew, thanks for replying.
> Certificates are X.509 for personal signatures but have no interaction
> with the KDC I think, only used to sign on the java application.
> I'm not aware of what changes are made in the windows clients when we
> join them to Samba4, but once joined, the user can not change his
> password without make the certificate unusable.
> As I mentioned before, if you change the user's password back to the
> old one, the certificate works correctly.
> Any idea is welcome. And sorry for my english...

My guess is that the certificates are encrypted with the user's local
password, and any password change (enforced or otherwise) is not being
captured by the java application to decrypt and re-encrypt the

Do your users change their password at the login screen or with

You could prove it isn't a Samba issue by changing the local windows
password on a standalone workstation. 

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list