[Samba] Private Key Unavailable After Domain Password Change

Bill Baird Bill.Baird at phoenixmi.com
Tue Mar 2 18:22:24 UTC 2021


To follow up on this, in case anyone has the same issue: we finally retired
our oldest DC running 4.10.x on Amazon Linux 1 and the issue has been
resolved. Current DCs are 4.13.x on Ubuntu 20.04.2 LTS and 4.11.x on
Amazon Linux 2. No other changes were needed to fix the issue.

Thanks!

On Tue, Sep 22, 2020 at 4:27 PM Bill Baird <Bill.Baird at phoenixmi.com> wrote:

> They change it on the same local system that is also connected to the VPN.
> Since it is a domain account, I don't think it lets them change the
> password unless they can properly communicate with the domain controller?
>
> Are you aware of any workarounds, or logs that might help troubleshoot
> this issue?
>
> Thanks!
>
> On Mon, Sep 14, 2020 at 5:00 PM Andrew Bartlett <abartlet at samba.org>
> wrote:
>
>> On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba wrote:
>> > Hi All!
>> >
>> > We are currently running one AD DC on 4.11.12 and one on 4.10.17
>> > (scheduled for replacement later this month). Sometimes when a user
>> > changes their domain password, we are seeing an issue where the
>> > private key is no longer available. Users on Windows 10 v1909 or
>> > v2004. This does not happen to all users.
>>
>> Where do they change their password?  If it isn't locally on the system
>> concerned (where it would re-encrypt the key store), I could see how
>> the machine would have trouble accessing the keys (via backupkey) until
>> the VPN was back up, creating a nasty chicken-and-egg situation.
>>
>> Andrew Bartlett
>> --
>> Andrew Bartlett                       https://samba.org/~abartlet/
>> Authentication Developer, Samba Team  https://samba.org
>> Samba Developer, Catalyst IT
>> https://catalyst.net.nz/services/samba
>
> --
> *Bill Baird*
> Chief Security Officer
> Mobile: 203-545-0437
> www.phoenixmi.com
>
> *To create an IT ticket, please email itsupport at phoenixmi.com
> <itsupport at phoenixmi.com> or call 845-943-4222.*
>


