[Samba] Certificates stop working after password change in legacy domain

Andrew Bartlett abartlet at samba.org
Fri Mar 13 02:37:24 MDT 2015


On Thu, 2015-03-12 at 13:53 +0100, Roel van Meer wrote:
> Hi list,
> 
> we have a problem with users that have personal certificates. When they  
> change their password via the Ctrl-Alt-Del prompt, their personal  
> certificates can no longer be used to authenticate.
> 
> This happens with Windows 7 Professional joined to a Samba legacy domain.
> I've tested Samba 4.0.22 and 4.2.0 and they both show the same behaviour.
> 
> When I leave the domain, and try it with the client as standalone system, it  
> works like it should.
> 
> I found a similar thread here: https://lists.samba.org/archive/samba/2013-June/173816.html
> but the problem there was with a Samba AD.
> 
> Is this something that should work with a legacy domain? 

I strongly suspect this is because the BackupKey RPC is not implemented
in the Samba classic DC.  

> If so, could  
> someone give me a few pointers on where to start looking for a cause?

Take a test system, and on an isolated network upgrade to a Samba AD DC.
If you use Samba 4.2.0, this should then allow password changes. 

We have just completed a great deal of work on BackupKey, implementing
both of the subprotocols, but while it could (I suppose, with
non-trivial effort) be made to work in the Samba classic DC, with the
secret keys stored in LDAP, that hasn't been done so far, and an AD
upgrade will be easier and more reliable. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba