[Samba] Private Key Unavailable After Domain Password Change

Andrew Bartlett abartlet at samba.org
Tue Mar 2 18:58:27 UTC 2021


Thanks for the information Bill.

I'm not aware of a specific fix here, so like I asked on another
thread, it would be awesome if someone could figure out what git commit
fixed it.  I realise that is probably a lot of work.

The obvious change would be:

commit 52b91cb33c281aeecc6270824cadac6cefbcb136
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 31 16:13:38 2019 +1200

    s4-rpc_server: Remove Heimdal-based BackupKey server
    
    We rely on a modern GnuTLS now.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

which removed the original BackupKey implementation (replacing with a
new one that changed to using GnuTLS), but they were meant to be
identical in behaviour.  Perhaps GnuTLS is less fussy on some
certificate detail.

Andrew Bartlett

On Tue, 2021-03-02 at 13:22 -0500, Bill Baird wrote:
> To follow-up on this, in case anyone has the same issue. We finally
> retired our oldest DC running 4.10.x on  Amazon Linux 1 and the issue
> has been resolved. Current DC's are 4.13.x on Ubuntu 20.04.2 LTS and
> 4.11.x on Amazon Linux 2. No other changes were needed to fix the
> issue.
> 
> Thanks!
> 
> On Tue, Sep 22, 2020 at 4:27 PM Bill Baird <Bill.Baird at phoenixmi.com>
> wrote:
> > They change it on the same local system that is also connected to
> > the VPN. Since it is a domain account, I don't think it lets them
> > change the password unless they can properly communicate with the
> > domain controller? 
> > 
> > Are you aware of any workarounds, or logs that might help
> > troubleshoot this issue?
> > 
> > Thanks!
> > 
> > On Mon, Sep 14, 2020 at 5:00 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > > On Mon, 2020-09-14 at 12:11 -0400, Bill Baird via samba wrote:
> > > > Hi All!
> > > > 
> > > > We are currently running one AD DC on 4.11.12 and one on 4.10.17
> > > > (scheduled for replacement later this month). Sometimes when a user
> > > > changes their domain password, we are seeing an issue where the
> > > > private key is no longer available.  Users on Windows 10 v1909 or
> > > > v2004. This does not happen to all users.
> > > 
> > > Where do they change their password?  If it isn't locally on the
> > > system concerned (where it would re-encrypt the key store), I could
> > > see how the machine would have trouble accessing the keys (via
> > > backupkey) until the VPN was back up, creating a nasty
> > > chicken-and-egg situation.
> > > 
> > > Andrew Bartlett
> > > -- 
> > > Andrew Bartlett                       
> > > https://samba.org/~abartlet/
> > > Authentication Developer, Samba Team  https://samba.org
> > > Samba Developer, Catalyst IT          
> > > https://catalyst.net.nz/services/samba
> > > 
> > > 
> > > 
> > 
> > 
> > -- 
> > Bill Baird
> > Chief Security Officer
> > Mobile: 203-545-0437
> > www.phoenixmi.com
> > 
> > To create an IT ticket, please email itsupport at phoenixmi.com or
> > call 845-943-4222.
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
