Univention Bugzilla – Full Text Bug Listing

| Summary: | Windows DPAPI fails after repeated user password change | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Samba4 | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P5 | CC: | jmm, petersen |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 3.2-2-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| URL: | https://lists.samba.org/archive/samba-technical/2014-December/104560.html | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Troubleshooting |
| Max CVSS v3 score: | | | |
| Attachments: | 0001-s4-backupkey-Ensure-RSA-modulus-is-2048-bits.patch; check_backupkey.sh (attachments 5989, 5990, 7084); check_backupkey_ucs4.sh | | |
*** Bug 35028 has been marked as a duplicate of this bug. ***

Samba has been re-built in errata3.2-2 with the patch. Advisory: 2014-07-02-samba.yaml

Note: It was very helpful to enable "Audit DPAPI Activity" in the Windows Event Viewer: http://technet.microsoft.com/de-de/library/dd772743%28v=ws.10%29.aspx

Created attachment 5989 [details]
check_backupkey.sh

Created attachment 5990 [details]
check_backupkey.sh

Fixed a typo.

OK - creation of backupkey certificate - always 2048 bits
OK - IE remembered password for a website (after three password changes)
OK - YAML

Created attachment 7084 [details]
check_backupkey.sh

Use samba4/ldap/base instead of ldap/base:
--- check_backupkey.sh.orig 2015-08-06 11:09:21.101445497 +0200
+++ check_backupkey.sh 2015-08-06 11:09:22.893445425 +0200
@@ -2,7 +2,7 @@
eval "$(ucr shell)"
-currentValue=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$ldap_base" '(&(objectClass=secret)(CN=BCKUPKEY_PREFERRED Secret))' currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
+currentValue=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$samba4_ldap_base" '(&(objectClass=secret)(CN=BCKUPKEY_PREFERRED Secret))' currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
if [ -z "$currentValue" ]; then
echo "No BCKPKEY_PREFERRED found yet. Ok, nothing to do."
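Review bot: the switch from $ldap_base to $samba4_ldap_base is right, since the Samba AD base DN can differ from the OpenLDAP ldap/base, but the following `if [ -z "$currentValue" ]` cannot tell an absent secret from a failed lookup: if samba4/ldap/base is unset the search base degrades to "CN=System," and ldbsearch fails, yet the script still reports "No BCKPKEY_PREFERRED found yet. Ok, nothing to do." A guard such as `[ -n "$samba4_ldap_base" ] || { echo "samba4/ldap/base not set"; exit 1; }` before the ldbsearch, plus a check of the pipeline's exit status, would avoid a false "nothing to do". The message also misspells the CN ("BCKPKEY_PREFERRED" vs. "BCKUPKEY_PREFERRED").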
@@ -11,7 +11,7 @@
guid=$(echo "$currentValue" | python -c 'import sys,binascii; from samba.dcerpc.misc import GUID; from samba.ndr import ndr_unpack, ndr_print; print str(ndr_unpack(GUID, binascii.a2b_base64(sys.stdin.read())))')
-currentValue2=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$ldap_base" "(&(objectClass=secret)(CN=BCKUPKEY_$guid Secret))" currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
+currentValue2=$(ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi -b "CN=System,$samba4_ldap_base" "(&(objectClass=secret)(CN=BCKUPKEY_$guid Secret))" currentValue | ldapsearch-wrapper | sed -n 's/^currentValue:: //p')
cert=$(echo "$currentValue2" | base64 -d | dd bs=1c skip=1184 | openssl x509 -text -inform DER)
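Review bot: the same empty-result problem applies here: if no BCKUPKEY_$guid secret is found, $currentValue2 is empty and the `base64 -d | dd bs=1c skip=1184 | openssl x509` pipeline runs on empty input and dies with an openssl parse error instead of a clear message; test `[ -n "$currentValue2" ]` before decoding. Note also that `skip=1184` hard-codes the offset of the DER certificate inside the secret blob and `print str(...)` is Python 2 syntax, so this revision is tied to that blob layout and interpreter.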
@@ -32,7 +32,7 @@
echo "A new one will be generated the next time a new user logs on to a freshly bootet windows client."
read -p "Disable it? [y/n] "
if [ "${REPLY^^}" = Y ]; then
- ldbdel -H ldapi:///var/lib/samba/private/ldap_priv/ldapi "CN=BCKUPKEY_PREFERRED Secret,CN=System,$ldap_base"
+ ldbdel -H ldapi:///var/lib/samba/private/ldap_priv/ldapi "CN=BCKUPKEY_PREFERRED Secret,CN=System,$samba4_ldap_base"
elif [ "${REPLY^^}" != N ]; then
echo "Invalid answer."
fi
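Review bot: the ldbdel of the BCKUPKEY_PREFERRED secret is irreversible, and this revision takes no copy of the certificate before deleting; printing the GUID and dumping the current certificate to a file before the ldbdel (as the later UCS 4 script is described as doing) would let an administrator correlate the removed pointer with the remaining BCKUPKEY_<guid> secrets. Minor: `${REPLY^^}` requires bash 4, so the script must not be run under sh, and `read -r -p` avoids backslash interpretation of the answer.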

Created attachment 7088 [details]
check_backupkey_ucs4.sh

UCS 4 version of the script (the output of openssl has changed, so the number of bits in the public key was no longer parsed correctly).
In addition, this script prints out the encoded GUID of the "active" ClientWrap key and dumps the current certificate into a file ("$(pwd)/BCKUPKEY_${guid}.XXXXXXXXXX.pem").
Created attachment 5986 [details]
0001-s4-backupkey-Ensure-RSA-modulus-is-2048-bits.patch

Ticket#: 2014052821006931

Windows DPAPI fails after repeated user password change. Looks like this is triggered by some issue in the current Samba implementation of the MS Backupkey protocol. The attached patch seems to fix this. It's one in a series of ten which I posted to samba-technical, this apparently fixing the crucial point.