Re: [Samba] KB2992611 - backupkey/protected_storage and the Credentials Manager

pawel.or...@budikom.net

Jul 7, 2015, 5:50:03 AM

> (re-send as I don't see this in the archives)
>
> On Fri, 2015-01-16 at 17:21 +0000, Christopher Roberts wrote:
>> * Version: Samba 4.2.0rc3
>> * Distribution: Ubuntu Server 14.04 LTS
>> * Client: Windows 8.1 Professional
>>> Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test.
>>> I immediately encountered two problems:
>>> 1. Web credentials were not being remembered in either Internet Explorer or Google Chrome
>>> 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encrypted mailserver "An Unknown Error has Occurred - 0x8004011c".
>>> These problems were not present on a local account, only on a domain account.
>>> When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread:
>>> * http://goo.gl/dX7L6C [1] "Credential Manager Problems - Error 0x80090345"
>>> It is interesting to note that this thread is for a Linux Zentyal server running Samba 4.
>>> This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away.
>>> I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed.
>>> Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible.
>>> I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place?
>
> Just a heads-up that I am looking into this for a client. The protocol
> involved is MS-BKRP, e.g. the protected_storage pipe serviced by our
> backupkey RPC server in the source4 codebase.
>
> At this stage it looks like a case of increased expectations of what the
> server must deliver over this protocol, expectations that we don't
> currently meet. I've already started a thread with Microsoft.
>
> Failure to meet those seems to cause an almost endless stream of
> requests to Samba to open this pipe, particularly when the credentials
> manager is opened. (Against Windows 2012 AD, it only happens once at
> startup).
>
> It doesn't seem to actually have anything to do with delegation
> (typically a Kerberos concept), but I will continue to investigate.
>
> I have already tried the patches from Arvid at univention, but sadly
> they don't seem to help:
> http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP [2]
>
> I hope to have better news soon, in the meantime if anybody has any
> further clues, please let me know. I have the required test
> environments to compare patched and unpatched Windows versions against
> Samba4 and Windows 2012R2.

Hi Andrew,

What is your investigation status about this ("Just a heads-up that I am
looking into this for a client.")?

Can someone confirm if this bug
https://bugzilla.samba.org/show_bug.cgi?id=11097 is related to this?
Which version of Samba should work - we are using Ubuntu 14.04 with
4.1.6+dfsg and it is not working, so we have to manually remove both
updates from Windows clients (Windows Server 2012 R2).

Just to refresh some info: there is a thread on the Windows forum concerning
this case:
https://social.technet.microsoft.com/Forums/en-US/47faab6b-d717-4068-bee4-c694811e0066/credential-manager-problems-error-0x80090345?forum=w8itpronetworking


Thanks

Pawel
--

Paweł Orzechowski
pawel.or...@budikom.net
BUDIKOM.NET
ul. Trzy Lipy 3, GPNT, bud. C
80-172 Gdańsk
tel.: +48 58 58 58 708
email: bi...@budikom.net

Links:
------
[1] http://goo.gl/dX7L6C
[2] http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP

Andrew Bartlett

Jul 10, 2015, 6:10:04 AM
On Tue, 2015-07-07 at 11:37 +0200, pawel.or...@budikom.net wrote:

> Hi Andrew,
>
> What is your investigation status about this ("Just a heads-up that I am
> looking into this for a client.")?
>
> Can someone confirm if this bug
> https://bugzilla.samba.org/show_bug.cgi?id=11097 is related to this?
> Which version of Samba should work - we are using Ubuntu 14.04 with
> 4.1.6+dfsg and it is not working, so we have to manually remove both
> updates from Windows clients (Windows Server 2012 R2).
>
> Just to refresh some info: there is a thread on the Windows forum concerning
> this case:
> https://social.technet.microsoft.com/Forums/en-US/47faab6b-d717-4068-bee4-c694811e0066/credential-manager-problems-error-0x80090345?forum=w8itpronetworking

Yes, all these refer to the same issue. The patch wasn't ever
backported to 4.1, but it does impact that series (and 4.0) as it is
both a new feature with a dependency on a new library, and a bug fix,
depending on how you look at it. My hope was that users who were
impacted could upgrade to 4.2.

I do realise that the situation regarding lack of Debian/Ubuntu packages
for 4.2 (related to the close coupling with Heimdal) makes this
difficult all-round.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
