info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] KB2992611
116 views
Skip to first unread message
Christopher Roberts
Jan 16, 2015, 12:30:03 PM1/16/15
to
* Version: Samba 4.2.0rc3
* Distribution: Ubuntu Server 14.04 LTS
* Client: Windows 8.1 Professional
Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test.
I immediately encountered two problems:
1. Web credentials were not being remembered in either Internet Explorer nor Google Chrome
2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encypted mailserver "An Unknown Error has Occurred - 0x8004011c".
These problems were not present on a local account, only on a domain account.
When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread:
* http://goo.gl/dX7L6C "Credential Manager Problems - Error 0x80090345"
It is interesting to note that this thread is for a Linux Zentyal server running Samba 4.
This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away.
I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed.
Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible.
I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place?
Thanks!
Chris.
--
Chris Roberts
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Jeremy Allison
Jan 16, 2015, 2:20:04 PM1/16/15
to
the problem is when KB2992611 is installed ?
Chris Roberts
Jan 17, 2015, 8:30:04 AM1/17/15
to
On 2015-01-16 19:19, Jeremy Allison wrote:
> Do you have any logs from the Samba side showing what
> the problem is when KB2992611 is installed ?
The only errors that I ever have in my samba logs are:
> Do you have any logs from the Samba side showing what
> the problem is when KB2992611 is installed ?
[2015/01/15 22:02:35.852722, 0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
NT_STATUS_IO_TIMEOUT
This starts about 20 seconds after samba start-up and every 10 minutes
after that.
There were no different errors with KB2992611 installed on the client.
I had thought that I'd managed to eradicate these errors or I would have
mentioned them. I am able to do nslookup on the Windows clients,
including checking SRV records, I am able to add DNS records with
samba-tool and query from the server with host command. In short I
cannot see any DNS problems and yet this error persists.
Chris.
--
Chris Roberts
Carlo
Jan 19, 2015, 6:00:03 PM1/19/15
to
Il 16/01/15 18:21, Christopher Roberts ha scritto:
I've see this issue on win8.1 pro on a 4.2rc2
i see another problem, ie 11 is slow down and when try to open a new tab it
freeze for about 3-5 sec then open a new tab and write in textbox sometime you
can write sometimes not
remove the
*KB2992611* and *KB3000850*
remove the problem
Charles
i see another problem, ie 11 is slow down and when try to open a new tab it
freeze for about 3-5 sec then open a new tab and write in textbox sometime you
can write sometimes not
remove the
*KB2992611* and *KB3000850*
remove the problem
Charles
Daniel Müller
Jan 20, 2015, 2:10:03 AM1/20/15
to
This is not a samba4 issue. This proplem exist also if you are running
server 2012.
This is aproblem with windows 8.1
Daniel
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von Carlo
Gesendet: Montag, 19. Januar 2015 23:50
An: sa...@lists.samba.org
Betreff: Re: [Samba] KB2992611
server 2012.
This is aproblem with windows 8.1
Daniel
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von Carlo
Gesendet: Montag, 19. Januar 2015 23:50
An: sa...@lists.samba.org
Betreff: Re: [Samba] KB2992611
Christopher Roberts
Jan 20, 2015, 4:10:02 AM1/20/15
to
Daniel
> This is not a samba4 issue. This proplem exist also if you are running
> server 2012.
> This is aproblem with windows 8.1
That's extraordinary to hear. I am no fan of Microsoft, but even I cannot
help but be astonished that a patch could have been published in November
that prevents using Windows 8.1 as a domain client and it still hasn't been
fixed.
I suppose the good news is that, that being the case, sooner or later it
will be fixed!
Chris.
> This is not a samba4 issue. This proplem exist also if you are running
> server 2012.
> This is aproblem with windows 8.1
help but be astonished that a patch could have been published in November
that prevents using Windows 8.1 as a domain client and it still hasn't been
fixed.
I suppose the good news is that, that being the case, sooner or later it
will be fixed!
Chris.
Christopher Roberts
Jan 20, 2015, 4:10:03 AM1/20/15
to
Carlo wrote;
> i see another problem, ie 11 is slow down and when try to open a new tab
> it freeze for about 3-5 sec then open a new tab and write in textbox
> sometime you can write sometimes not
Yes, I have this problem as well, I hadn't related it to the previous issue.
> remove the
> *KB2992611* and *KB3000850*
I didn't have the latter installed.
But surely these are important patches? Also, I can't find a way of
excluding them, so it means having to switch off automatic updating on all
clients and update each manually.
If anyone has a better solution I'd be delighted to hear it!
Thanks,
Chris.
> I've see this issue on win8.1 pro on a 4.2rc2
Great to hear that I'm not alone!
> i see another problem, ie 11 is slow down and when try to open a new tab
> it freeze for about 3-5 sec then open a new tab and write in textbox
> sometime you can write sometimes not
> remove the
> *KB2992611* and *KB3000850*
But surely these are important patches? Also, I can't find a way of
excluding them, so it means having to switch off automatic updating on all
clients and update each manually.
If anyone has a better solution I'd be delighted to hear it!
Thanks,
Chris.
Carlo
Jan 20, 2015, 4:50:03 AM1/20/15
to
Il 20/01/15 10:02, Christopher Roberts ha scritto:
uninstall *KB2992611* and *KB3000850* reboot, then check for update again on
windows update, then *KB2992611* is marked installable right click and hide this
update; , you can do it again on kb3000850
i think now win 8.1 will not install anymore *KB2992611*; *KB3000850* still be
in optional and will not be installed
> Carlo wrote;
>> I've see this issue on win8.1 pro on a 4.2rc2
> Great to hear that I'm not alone!
>
>> i see another problem, ie 11 is slow down and when try to open a new tab
>> it freeze for about 3-5 sec then open a new tab and write in textbox
>> sometime you can write sometimes not
> Yes, I have this problem as well, I hadn't related it to the previous issue.
>
>> remove the
>> *KB2992611* and *KB3000850*
> I didn't have the latter installed.
>
> But surely these are important patches? Also, I can't find a way of
> excluding them, so it means having to switch off automatic updating on all
> clients and update each manually.
i have done that
>> I've see this issue on win8.1 pro on a 4.2rc2
> Great to hear that I'm not alone!
>
>> i see another problem, ie 11 is slow down and when try to open a new tab
>> it freeze for about 3-5 sec then open a new tab and write in textbox
>> sometime you can write sometimes not
> Yes, I have this problem as well, I hadn't related it to the previous issue.
>
>> remove the
>> *KB2992611* and *KB3000850*
> I didn't have the latter installed.
>
> But surely these are important patches? Also, I can't find a way of
> excluding them, so it means having to switch off automatic updating on all
> clients and update each manually.
uninstall *KB2992611* and *KB3000850* reboot, then check for update again on
windows update, then *KB2992611* is marked installable right click and hide this
update; , you can do it again on kb3000850
i think now win 8.1 will not install anymore *KB2992611*; *KB3000850* still be
in optional and will not be installed
Andrew Bartlett
Jan 31, 2015, 3:40:03 PM1/31/15
to
(re-send as I don't see this in the archives)
Just a heads-up that I am looking into this for a client. The protocol
involved is MS-BKRP, eg the protected_storage pipe serviced by our
backupkey RPC server in the source4 codebase.
At this stage it looks like a case of increased expectations of what the
server must deliver over this protocol, expectations that we don't
currently meet. I've already started a thread with Microsoft.
Failure to meet those seems to cause an almost endless stream of
requests to Samba to open this pipe, particularly when the credentials
manager is opened. (Against Windows 2012 AD, it only happens once at
startup).
It doesn't seem to actually have anything to do with delegation
(typically a kerberos concept), but I will continue to investigate.
I have already tried the patches from Arvid at univention, but sadly
they don't seem to help:
http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP
I hope to have better news soon, in the meantime if anybody has any
further clues, please let me know. I have the required test
environments to compare patched and unpatched Windows versions against
Samba4 and Windows 2012R2.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
involved is MS-BKRP, eg the protected_storage pipe serviced by our
backupkey RPC server in the source4 codebase.
At this stage it looks like a case of increased expectations of what the
server must deliver over this protocol, expectations that we don't
currently meet. I've already started a thread with Microsoft.
Failure to meet those seems to cause an almost endless stream of
requests to Samba to open this pipe, particularly when the credentials
manager is opened. (Against Windows 2012 AD, it only happens once at
startup).
It doesn't seem to actually have anything to do with delegation
(typically a kerberos concept), but I will continue to investigate.
I have already tried the patches from Arvid at univention, but sadly
they don't seem to help:
http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP
I hope to have better news soon, in the meantime if anybody has any
further clues, please let me know. I have the required test
environments to compare patched and unpatched Windows versions against
Samba4 and Windows 2012R2.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
0 new messages