[Samba] Certificates stop working after password change

Joaquin Cabrera joca_323 at hotmail.com
Wed Jun 12 12:01:50 MDT 2013

No, I tested it with computers in a standalone workgroup and this does not happen.

Users change their password with alt + ctrl + del and also we have tried to make the change from an administrator user.

The java application does not change anything in the certificates. They are the same type that are used to sign emails.

As additional data, after making the password change can not export the certificate with the private key.

> Subject: Re: [Samba] Certificates stop working after password change
> From: abartlet at samba.org
> To: joca_323 at hotmail.com
> CC: samba at lists.samba.org
> Date: Tue, 11 Jun 2013 07:56:50 +1000
> On Mon, 2013-06-10 at 21:49 +0000, Joaquin Cabrera wrote:
> > Hi Andrew, thanks for replying.
> > 
> > Certificates are X.509 for personal signatures but have no interaction
> > with the KDC I think, only used to sign on the java application.
> > 
> > I'm not aware of what changes are made in the windows clients when we
> > join them to Samba4, but once joined, the user can not change his
> > password without make the certificate unusable.
> > 
> > As I mentioned before, if you change the user's password back to the
> > old one, the certificate works correctly.
> > 
> > Any idea is welcome. And sorry for my english...
> My guess is that the certificates are encrypted with the user's local
> password, and any password change (enforced or otherwise) is not being
> captured by the java application to decrypt and re-encrypt the
> certificate. 
> Do your users change their password at the login screen or with
> ctrl-alt-del?
> You could prove it isn't a Samba issue by changing the local windows
> password on a standalone workstation. 
> Andrew Bartlett
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list