(re-send as I don't see this in the archives)
Just a heads-up that I am looking into this for a client. The protocol
involved is MS-BKRP, eg the protected_storage pipe serviced by our
backupkey RPC server in the source4 codebase.
At this stage it looks like a case of increased expectations of what the
server must deliver over this protocol, expectations that we don't
currently meet. I've already started a thread with Microsoft.
Failure to meet those seems to cause an almost endless stream of
requests to Samba to open this pipe, particularly when the credentials
manager is opened. (Against Windows 2012 AD, it only happens once at
startup).
It doesn't seem to actually have anything to do with delegation
(typically a kerberos concept), but I will continue to investigate.
I have already tried the patches from Arvid at univention, but sadly
they don't seem to help:
http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP
I hope to have better news soon, in the meantime if anybody has any
further clues, please let me know. I have the required test
environments to compare patched and unpatched Windows versions against
Samba4 and Windows 2012R2.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
Samba Developer, Catalyst IT
http://catalyst.net.nz/services/samba