[Samba] Windows forgets saved passwords after user changes their password

William Ross william.ross at mercedes-benzsouthwest.co.uk
Tue Nov 4 15:34:08 MST 2014


On Mon, Nov 3, 2014 at 13:55 PM, William Ross
wrote:

> I have a Samba4 domain (4.1.12) running on a CentOS 6 server with Windows 7
> clients.
> When a user changes their password (CTL-ALT-DEL, Change password) on a
> client it forgets any saved passwords (their Outlook password, any IE
> security certificates etc).

I've done some more research and believe I can ask a more specific question.

My understanding is that the Data Protection API (DPAPI) encrypts the saved
passwords and certificates and keeps them in the user's profile.

The following Microsoft support articles:
http://support.microsoft.com/kb/309408#7
http://support.microsoft.com/kb/331333

say that the Windows 2000 or higher domain controller needs to take part in
the process to maintain a user's DPAPI keys. The second article states that
a user will lose access to stored passwords after a password change if the
domain controller is running NT 4 (exactly the issue I'm experiencing with
my Samba4 domain) - so a Windows 2000 or higher Active Directory domain
controller must be taking part in the process to maintain access to the
user's DPAPI keys.

So my question is, is this functionality implemented in Samba4?
Is something misconfigured in my setup causing the stored passwords to be
lost, or will this not currently work with Samba4 because Samba4 doesn't
participate in maintaining a user's DPAPI keys?


