[Samba] User's DPAPI/backupkey protected data lost when changing domain password

William Ross william.ross at mercedes-benzsouthwest.co.uk
Fri Nov 28 07:49:37 MST 2014

On 24/11/14 10:36, Roberto Suárez Soto wrote:
> El 10/11/14 a las 15:48, William Ross escribió:
> > After a user changes their password (CTRL-ALT-DEL) in our Samba 4 
> > domain
> > (4.1.12) they lose access to any stored passwords on their Windows PC.
>      This happens to us too, using Sernet Samba 4.1.13. I've seen there's
>      a patch to address this issue for Univention > Corporate Server,
>      which bundles Samba 4:
>      https://forge.univention.org/bugzilla/show_bug.cgi?id=35287
>      Would this be applicable to "vanilla" Samba 4?

I've applied the patch to 4.1.13, updated our four domain controllers, run:

ldbdel -H ldapi:///usr/local/samba/private/ldap_priv/ldapi

and the issue is now fixed (I've just changed a users domain password four
times running, log entries now show audit success for the DPAPI change and
the user's IE passwords are remembered).

My understanding is still lacking, however I think that the patch might not
be essential.
If you have this issue, try running the ldbdel command to remove the 'bad'
random secret your domain has generated. That should force it to generate a
new one the next time a client invokes the DPAPI/backupkey system. With the
patch that secret is 'guaranteed' to work, without it its (I think) random
chance whether the secret will work or not, so keep testing until it starts

More information about the samba mailing list