Univention Bugzilla – Bug 35287
Windows DPAPI fails after repeated user password change
Last modified: 2015-08-07 11:27:47 CEST
Created attachment 5986 [details]
0001-s4-backupkey-Ensure-RSA-modulus-is-2048-bits.patch

Ticket#: 2014052821006931

Windows DPAPI fails after repeated user password change. Looks like this is triggered by some issue in the current Samba implementation of the MS Backupkey protocol. The attached patch seems to fix this. It's one in a series of ten which I posted to samba-technical, this apparently fixing the crucial point.
*** Bug 35028 has been marked as a duplicate of this bug. ***
Samba has been re-built in errata3.2-2 with the patch. Advisory: 2014-07-02-samba.yaml
Note: It was very helpful to enable "Audit DPAPI Activity" in the Windows Event Viewer: http://technet.microsoft.com/de-de/library/dd772743%28v=ws.10%29.aspx
Created attachment 5989 [details]
check_backupkey.sh

Created attachment 5990 [details]
check_backupkey.sh
Fixed a typo.
OK - creation of backupkey certificate - always 2048 bits
OK - IE remembered password for a website (after three password changes)
OK - YAML
http://errata.univention.de/ucs/3.2/148.html
Created attachment 7084 [details] check_backupkey.sh Use samba4/ldap/base instead of ldap/base: --- check_backupkey.sh.orig 2015-08-06 11:09:21.101445497 +0200 +++ check_backupkey.sh 2015-08-06 11:09:22.893445425 +0200 @@ -2,7 +2,7 @@ eval "$(ucr shell)" -currentValue=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$ldap_base" '(&(objectClass=secret)(CN=BCKUPKEY_PREFERRED Secret))' currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p') +currentValue=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$samba4_ldap_base" '(&(objectClass=secret)(CN=BCKUPKEY_PREFERRED Secret))' currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p') if [ -z "$currentValue" ]; then echo "No BCKPKEY_PREFERRED found yet. Ok, nothing to do." @@ -11,7 +11,7 @@ guid=$(echo "$currentValue" | python -c 'import sys,binascii; from samba.dcerpc.misc import GUID; from samba.ndr import ndr_unpack, ndr_print; print str(ndr_unpack(GUID, binascii.a2b_base64(sys.stdin.read())))') -currentValue2=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$ldap_base" "(&(objectClass=secret)(CN=BCKUPKEY_$guid Secret))" currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p') +currentValue2=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$samba4_ldap_base" "(&(objectClass=secret)(CN=BCKUPKEY_$guid Secret))" currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p') cert=$(echo "$currentValue2" | base64 -d | dd bs=1c skip=1184 | openssl x509 -text -inform DER) 
@@ -32,7 +32,7 @@ echo "A new one will be generated the next time a new user logs on to a freshly bootet windows client." read -p "Disable it? [y/n] " if [ "${REPLY^^}" = Y ]; then - ldbdel -H ldapi:///var/lib/samba/private/ldap_priv/ldapi "CN=BCKUPKEY_PREFERRED Secret,CN=System,$ldap_base" + ldbdel -H ldapi:///var/lib/samba/private/ldap_priv/ldapi "CN=BCKUPKEY_PREFERRED Secret,CN=System,$samba4_ldap_base" elif [ "${REPLY^^}" != N ]; then echo "Invalid answer." fi
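Review bot: in the first hunk (`@@ -2,7`), nothing checks that `$samba4_ldap_base` is actually set after `eval "$(ucr shell)"`; if the UCR variable samba4/ldap/base is missing, the search base silently becomes `CN=System,`, `currentValue` ends up empty, and the script prints "No BCKPKEY_PREFERRED found yet. Ok, nothing to do." as if the key did not exist. Suggest a guard right after the eval, e.g. `[ -n "$samba4_ldap_base" ] || { echo "samba4/ldap/base is not set" >&2; exit 1; }`. The message in that context line also spells the CN as BCKPKEY while the filter uses BCKUPKEY_PREFERRED.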
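Review bot: in the second hunk (`@@ -11,7`), the certificate is cut out of the decoded secret with a hard-coded `dd bs=1c skip=1184` and no comment says which fields of the secret blob that offset skips, so a change in the blob layout would make `openssl x509 -inform DER` fail on garbage while the script continues with an empty `$cert`. Suggest documenting the offset in a comment and aborting when `$cert` is empty; the inline `python -c` also uses the Python 2 `print str(...)` form, which is worth noting for the UCS 4 variant.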
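Review bot: in the third hunk (`@@ -32,7`), `ldbdel` removes the `BCKUPKEY_PREFERRED Secret` entry without keeping a copy of its value, although `$currentValue` has already been fetched earlier in the script; suggest writing it to a file before the `ldbdel` so the pointer to the previous key can be restored if the new one is not generated as expected. The prompt text in this hunk also misspells "booted" as "bootet".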
Created attachment 7088 [details]
check_backupkey_ucs4.sh

UCS 4 version of the script (the output of openssl has changed, so the number of bits in the public key was no longer parsed correctly). In addition this script prints out the encoded GUID of the "active" ClientWrap key and dumps the current certificate into a file ("$(pwd)/BCKUPKEY_${guid}.XXXXXXXXXX.pem").
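The UCS 4 script had to be adapted because it parses the text output of `openssl x509 -text` to find the key size. The following is an added example, not code from the bug report or from check_backupkey.sh: it reads the modulus size straight out of the DER structure of the certificate (the bytes the script hands to `openssl x509 -inform DER`), so it does not depend on openssl's text format. Decoding the secret from LDAP and the `skip=1184` offset are left to the script; `build_test_certificate()` is a constructed, unsigned certificate skeleton used only as offline sample input, and the 2048-bit requirement is taken from the title of the Samba patch.

```python
# Added example (not part of the bug report or of check_backupkey.sh):
# determine the RSA modulus size of a DER-encoded X.509 certificate by walking
# the ASN.1 structure directly, instead of grepping the text output of
# `openssl x509 -text`, whose format changed between UCS 3.2 and UCS 4.
# build_test_certificate() is a constructed, unsigned stand-in with the real
# field layout, used only so the example runs offline.

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
EXPECTED_MODULUS_BITS = 2048  # what the Samba patch title enforces


def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(value: int) -> bytes:
    """DER INTEGER; the extra byte keeps a value with its top bit set positive."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _tlv(data: bytes, pos: int):
    """Decode the element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element directly inside [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def rsa_modulus_bits(cert_der: bytes) -> int:
    """Bit length of the RSA modulus in a DER certificate.

    Path walked: Certificate -> tbsCertificate -> subjectPublicKeyInfo
    -> subjectPublicKey BIT STRING -> RSAPublicKey -> modulus INTEGER.
    """
    tag, cert_start, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_start, tbs_end = _tlv(cert_der, cert_start)
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_start, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    alg, key_bits = list(_children(cert_der, spki_start, spki_end))[:2]
    if not cert_der[alg[1]:alg[2]].startswith(RSA_ENCRYPTION_OID):
        raise ValueError("public key is not rsaEncryption")
    if key_bits[0] != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    _, key_start, key_end = _tlv(cert_der, key_bits[1] + 1)   # +1 skips unused-bits octet
    mod_tag, mod_start, mod_end = next(_children(cert_der, key_start, key_end))
    if mod_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(cert_der[mod_start:mod_end], "big").bit_length()


def check_backupkey_cert(cert_der: bytes) -> bool:
    """True when the certificate carries a modulus of exactly EXPECTED_MODULUS_BITS."""
    return rsa_modulus_bits(cert_der) == EXPECTED_MODULUS_BITS


def build_test_certificate(modulus: int, exponent: int = 65537) -> bytes:
    """Constructed, unsigned certificate skeleton (sample input only, not a real cert)."""
    rsa_key = der(0x30, der_int(modulus) + der_int(exponent))
    spki = der(0x30, der(0x30, RSA_ENCRYPTION_OID + der(0x05, b""))   # AlgorithmIdentifier
                     + der(0x03, b"\x00" + rsa_key))                 # BIT STRING, 0 unused bits
    sig_alg = der(0x30, SHA256_WITH_RSA_OID + der(0x05, b""))
    validity = der(0x30, der(0x17, b"140702000000Z") + der(0x17, b"150807000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2))        # version v3
                    + der_int(1)                 # serialNumber
                    + sig_alg + der(0x30, b"")   # signature, issuer (empty Name)
                    + validity + der(0x30, b"")  # validity, subject (empty Name)
                    + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 17))  # dummy signature


if __name__ == "__main__":
    good = build_test_certificate((1 << 2047) | 1)   # 2048-bit modulus
    short = build_test_certificate((1 << 2046) | 1)  # 2047-bit modulus: top bit clear
    for name, cert in (("2048-bit", good), ("2047-bit", short)):
        print(name, rsa_modulus_bits(cert), "OK" if check_backupkey_cert(cert) else "FAIL")
```

The 2047-bit sample is the failure mode the check is for: a key whose modulus has its top bit clear is still a perfectly usable RSA key for openssl, but it is not the 2048-bit key the patch title requires, and only a length check like the one above (or the script's grep) makes that visible.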