Bug 35287 - Windows DPAPI fails after repeated user password change
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-2-errata
Assigned To: Arvid Requate
Felix Botner
Duplicates: 35028
Reported: 2014-07-07 19:49 CEST by Arvid Requate
Modified: 2015-08-07 11:27 CEST (History)
Bug group (optional): Troubleshooting

0001-s4-backupkey-Ensure-RSA-modulus-is-2048-bits.patch (2.18 KB, patch)
2014-07-07 19:49 CEST, Arvid Requate
check_backupkey.sh (1.80 KB, text/plain)
2014-07-10 13:20 CEST, Arvid Requate
check_backupkey.sh (1.80 KB, text/plain)
2014-07-10 13:28 CEST, Arvid Requate
check_backupkey.sh (1.82 KB, application/x-shellscript)
2015-08-06 11:11 CEST, Janis Meybohm
check_backupkey_ucs4.sh (1.97 KB, application/x-shellscript)
2015-08-07 11:27 CEST, Janis Meybohm

Description Arvid Requate univentionstaff 2014-07-07 19:49:32 CEST
Created attachment 5986

Ticket#: 2014052821006931

Windows DPAPI fails after repeated user password change. Looks like this is triggered by some issue in the current Samba implementation of the MS Backupkey protocol. The attached patch seems to fix this. It's one in a series of ten which I posted to samba-technical, this one apparently fixing the crucial point.
Comment 1 Stefan Gohmann univentionstaff 2014-07-07 20:17:08 CEST
*** Bug 35028 has been marked as a duplicate of this bug. ***
Comment 2 Arvid Requate univentionstaff 2014-07-09 16:59:30 CEST
Samba has been re-built in errata3.2-2 with the patch.

Advisory: 2014-07-02-samba.yaml
Comment 3 Arvid Requate univentionstaff 2014-07-10 12:45:21 CEST
Note: It was very helpful to enable "Audit DPAPI Activity" in the Windows Event Viewer: http://technet.microsoft.com/de-de/library/dd772743%28v=ws.10%29.aspx
Comment 4 Arvid Requate univentionstaff 2014-07-10 13:20:14 CEST
Created attachment 5989
Comment 5 Arvid Requate univentionstaff 2014-07-10 13:28:07 CEST
Created attachment 5990

Fixed a typo.
Comment 6 Felix Botner univentionstaff 2014-07-10 13:36:59 CEST
OK - creation of backupkey certificate - always 2048 bits
OK - IE remembered password for a website (after three password changes)
Comment 7 Moritz Muehlenhoff univentionstaff 2014-07-14 10:50:17 CEST
Comment 8 Janis Meybohm univentionstaff 2015-08-06 11:11:09 CEST
Created attachment 7084

Use samba4/ldap/base instead of ldap/base:

--- check_backupkey.sh.orig     2015-08-06 11:09:21.101445497 +0200
+++ check_backupkey.sh  2015-08-06 11:09:22.893445425 +0200
@@ -2,7 +2,7 @@
 eval "$(ucr shell)"
-currentValue=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$ldap_base" '(&(objectClass=secret)(CN=BCKUPKEY_PREFERRED Secret))' currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
+currentValue=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$samba4_ldap_base" '(&(objectClass=secret)(CN=BCKUPKEY_PREFERRED Secret))' currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
 if [ -z "$currentValue" ]; then
        echo "No BCKPKEY_PREFERRED found yet. Ok, nothing to do."
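Review bot: the `currentValue=` line now builds the search base from `$samba4_ldap_base`, but nothing checks that `eval "$(ucr shell)"` actually set it; with samba4/ldap/base unset the base DN collapses to `CN=System,`, the search returns nothing, and the `if [ -z "$currentValue" ]` branch reports "nothing to do" for what is really a misconfiguration. Add a guard right after the eval, e.g. `[ -n "$samba4_ldap_base" ] || { echo "samba4/ldap/base is not set" >&2; exit 1; }`. The message on that branch also spells the object BCKPKEY_PREFERRED while the filter searches for BCKUPKEY_PREFERRED.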
@@ -11,7 +11,7 @@
 guid=$(echo "$currentValue" | python -c 'import sys,binascii; from samba.dcerpc.misc import GUID; from samba.ndr import ndr_unpack, ndr_print; print str(ndr_unpack(GUID, binascii.a2b_base64(sys.stdin.read())))')
-currentValue2=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$ldap_base" "(&(objectClass=secret)(CN=BCKUPKEY_$guid Secret))" currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
+currentValue2=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$samba4_ldap_base" "(&(objectClass=secret)(CN=BCKUPKEY_$guid Secret))" currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
 cert=$(echo "$currentValue2" | base64 -d | dd bs=1c skip=1184 | openssl x509 -text -inform DER)
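Review bot: the `currentValue2=` line interpolates `$guid` into the LDAP filter without checking that the python one-liner above it succeeded; if ndr_unpack fails, `$guid` is empty, the filter becomes `(CN=BCKUPKEY_ Secret)`, and the failure only surfaces later as an openssl parse error on the `cert=` line instead of a clear message. Test `[ -n "$guid" ]` before the second search. The `dd bs=1c skip=1184` on the `cert=` line also needs a comment: 1184 is a magic number for the offset of the DER certificate behind the key blob that precedes it in the secret value, so it is only right for one key size; a key of any other size, which is exactly what this bug is about, hands openssl garbage. Deriving the offset from the length fields at the start of the value would make the extraction independent of key size.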
@@ -32,7 +32,7 @@
        echo "A new one will be generated the next time a new user logs on to a freshly bootet windows client."
        read -p "Disable it? [y/n] "
        if [ "${REPLY^^}" = Y ]; then
-               ldbdel -H ldapi:///var/lib/samba/private/ldap_priv/ldapi "CN=BCKUPKEY_PREFERRED Secret,CN=System,$ldap_base"
+               ldbdel -H ldapi:///var/lib/samba/private/ldap_priv/ldapi "CN=BCKUPKEY_PREFERRED Secret,CN=System,$samba4_ldap_base"
        elif [ "${REPLY^^}" != N ]; then
                echo "Invalid answer."
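Review bot: the `ldbdel` line removes the preferred-key pointer without saving what was there; the script already holds the object's value in `$currentValue` and the certificate in `$cert`, so write those to a file (or at least echo the DN being deleted) before the delete so the operation can be reverted. Minor: `read -p` should be `read -r -p`; `${REPLY^^}` requires bash 4, so the script must run under bash rather than sh; and the prompt text has "bootet" for "booted".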
Comment 9 Janis Meybohm univentionstaff 2015-08-07 11:27:47 CEST
Created attachment 7088

UCS 4 version of the script (the output of openssl has changed, so the number of bits in the public key was no longer parsed correctly).

In addition this script prints out the encoded GUID of the "active" ClientWrap key and dumps the current certificate into a file ("$(pwd)/BCKUPKEY_${guid}.XXXXXXXXXX.pem").
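As an added example (not part of this bug report and not code from check_backupkey.sh or Samba), the following Python parses the value of a BCKUPKEY_<guid> Secret the way the script's fixed `dd ... skip=1184` implicitly does, but derives the certificate offset from the value's own length fields and then checks that the RSA modulus really has as many bits as the key header declares, which is the property the attached patch enforces. It assumes the MS-BKRP ClientWrap secret layout (little-endian version, key length and certificate length, then a CryptoAPI PRIVATEKEYBLOB, then the DER certificate); the modulus values, the CRT components and the certificate bytes are constructed placeholders, not a real key or certificate. It also decodes the 16-byte BCKUPKEY_PREFERRED value with the standard library's uuid module, so no samba.ndr bindings are needed for that step.

```python
"""Parse a Samba/AD backup key ("BCKUPKEY_<guid> Secret") value and verify
the RSA modulus length. Added example; the layout below is assumed from MS-BKRP."""
import struct
import uuid

# Outer ClientWrap secret (assumed layout, all integers little-endian):
#   uint32 version (2) | uint32 cbKey | uint32 cbCert | key[cbKey] | cert[cbCert]
OUTER_FMT = "<III"
OUTER_LEN = struct.calcsize(OUTER_FMT)  # 12 bytes

# key[] is a CryptoAPI PRIVATEKEYBLOB (assumed):
#   BLOBHEADER: bType=7, bVersion=2, reserved, aiKeyAlg=CALG_RSA_KEYX
#   RSAPUBKEY : magic "RSA2", bitlen, pubexp
#   modulus[bitlen/8], prime1/prime2/exp1/exp2/coef [bitlen/16 each], privexp[bitlen/8]
BLOBHEADER_FMT = "<BBHI"
RSAPUBKEY_FMT = "<4sII"
PRIVATEKEYBLOB = 0x07
CALG_RSA_KEYX = 0x0000A400
RSA2_MAGIC = b"RSA2"
KEY_FIXED_LEN = struct.calcsize(BLOBHEADER_FMT) + struct.calcsize(RSAPUBKEY_FMT)  # 20 bytes


def expected_keyblob_len(bitlen):
    """Size of a PRIVATEKEYBLOB for an RSA key of `bitlen` bits (1172 for 2048)."""
    return KEY_FIXED_LEN + 2 * (bitlen // 8) + 5 * (bitlen // 16)


def parse_clientwrap_secret(blob):
    """Describe the key pair stored in `blob`; raise ValueError on any layout mismatch."""
    if len(blob) < OUTER_LEN:
        raise ValueError("value shorter than the 12-byte header")
    version, cb_key, cb_cert = struct.unpack_from(OUTER_FMT, blob, 0)
    if version != 2:
        raise ValueError("unexpected version %d" % version)
    cert_offset = OUTER_LEN + cb_key  # the script hardcodes this as dd skip=1184
    if cert_offset + cb_cert > len(blob):
        raise ValueError("key/cert lengths exceed the value size")
    key = blob[OUTER_LEN:cert_offset]
    cert = blob[cert_offset:cert_offset + cb_cert]

    btype, _bversion, _reserved, alg = struct.unpack_from(BLOBHEADER_FMT, key, 0)
    magic, bitlen, pubexp = struct.unpack_from(RSAPUBKEY_FMT, key, 8)
    if btype != PRIVATEKEYBLOB or magic != RSA2_MAGIC:
        raise ValueError("not an RSA2 PRIVATEKEYBLOB")
    if alg != CALG_RSA_KEYX:
        raise ValueError("unexpected algorithm id 0x%x" % alg)
    if cb_key != expected_keyblob_len(bitlen):
        raise ValueError("key blob length %d does not match declared %d bits" % (cb_key, bitlen))
    modulus = int.from_bytes(key[KEY_FIXED_LEN:KEY_FIXED_LEN + bitlen // 8], "little")
    return {
        "cert_offset": cert_offset,
        "declared_bits": bitlen,
        "actual_bits": modulus.bit_length(),
        "public_exponent": pubexp,
        "cert_der": cert,
    }


def modulus_is_full_length(info):
    """The condition the patch enforces: the modulus uses every bit the header declares."""
    return info["actual_bits"] == info["declared_bits"]


def preferred_guid(value):
    """Decode the 16-byte BCKUPKEY_PREFERRED value (NDR GUID, little-endian fields)."""
    if len(value) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=bytes(value)))


def build_clientwrap_secret(modulus, bitlen, cert_der):
    """Construct a test value; CRT components and private exponent are zero placeholders."""
    nbytes, half = bitlen // 8, bitlen // 16
    key = struct.pack(BLOBHEADER_FMT, PRIVATEKEYBLOB, 2, 0, CALG_RSA_KEYX)
    key += struct.pack(RSAPUBKEY_FMT, RSA2_MAGIC, bitlen, 65537)
    key += modulus.to_bytes(nbytes, "little")
    key += b"\x00" * (5 * half + nbytes)
    return struct.pack(OUTER_FMT, 2, len(key), len(cert_der)) + key + cert_der


# Constructed sample data (not real keys or certificates).
FULL_MODULUS = (1 << 2047) | (1 << 1024) | 1    # top bit set: a true 2048-bit modulus
SHORT_MODULUS = (1 << 2046) | (1 << 1024) | 1   # top bit clear: only 2047 bits
FAKE_CERT_DER = b"\x30\x03\x02\x01\x00"         # placeholder standing in for the X.509 DER
PREFERRED_VALUE = bytes(range(1, 17))           # placeholder 16-byte GUID value

if __name__ == "__main__":
    for name, n in (("full", FULL_MODULUS), ("short", SHORT_MODULUS)):
        info = parse_clientwrap_secret(build_clientwrap_secret(n, 2048, FAKE_CERT_DER))
        print(name, "cert at offset", info["cert_offset"],
              "declared", info["declared_bits"], "actual", info["actual_bits"],
              "OK" if modulus_is_full_length(info) else "MODULUS TOO SHORT")
    print("preferred key GUID:", preferred_guid(PREFERRED_VALUE))
```

For a 2048-bit key the computed certificate offset is 1184, which is where the script's `dd` starts reading; a value whose key header says 2048 but whose modulus only spans 2047 bits is the failing case the patch title describes, and the check above reports it without needing openssl.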