On Mon, 2013-06-10 at 21:49 +0000, Joaquin Cabrera wrote: > Hi Andrew, thanks for replying. > > Certificates are X.509 for personal signatures but have no interaction > with the KDC I think, only used to sign on the java application. > > I'm not aware of what changes are made in the windows clients when we > join them to Samba4, but once joined, the user can not change his > password without make the certificate unusable. > > As I mentioned before, if you change the user's password back to the > old one, the certificate works correctly. > > Any idea is welcome. And sorry for my english...
My guess is that the certificates are encrypted with the user's local password, and any password change (enforced or otherwise) is not being captured by the java application to decrypt and re-encrypt the certificate. Do your users change their password at the login screen or with ctrl-alt-del? You could prove it isn't a Samba issue by changing the local windows password on a standalone workstation. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
