[cifs-protocol] Protocol changes in KB2992611 [115012312316449]

Andrew Bartlett abartlet at samba.org
Fri Feb 6 03:23:00 MST 2015


On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I have a fully patched system, Windows 8.1 enterprise. I verified that
> the updates include kb2992611. I joined the machine to Samba domain
> before patching though. 

Please do it the other way around.  That would match our steps.  It
certainly appears to be an issue in new profiles, after the patches. 

It may be enough to create a new user after patching, but you suggest
below that this doesn't help.

> I still do not see the problem. I also created a new user using active
> directory users and computers from my Windows machine. No issues.
> Logged in as the newly created user and tried credentials manager but
> still no issues.
> 
> Is your setup on hyper-v virtual machines? Maybe you can send me both the VHDs and I can just debug on my side to see what is happening?
> 
> I am not sure if opening credential manager generates any network traffic from workstation to DC. I did not see any when I opened credentials manager. 

The issue when reproduced should show protected_storage traffic.  You
will see some during the first login in the unpatched case, and much
more of it in the patched case, per the traces I included.

I hope this is enough to help you reproduce.  Otherwise, I'll see what
we can do. 

> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
> 
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Tuesday, February 3, 2015 11:47 AM
> To: Obaid Farooqi
> Cc: MSSolve Case Email; cifs-protocol at samba.org
> Subject: Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]
> 
> On Wed, 2015-02-04 at 06:43 +1300, Andrew Bartlett wrote:
> > On Tue, 2015-02-03 at 15:37 +0000, Obaid Farooqi wrote:
> > > Hi Andrew:
> > > I am trying to reproduce the issue. So far I am unsuccessful. 
> > 
> > That is very odd.
> > 
> > > From the posts you mentioned, the credentials manager does not open 
> > > if a windows 8.1 machine is joined to Samba domain and kb2992611 is 
> > > applied? Just want to confirm I got this right.
> > 
> > Strictly, what we tested was all updates or Dec 2014 Update DVD vs no 
> > updates.  The users narrowed it down to this KB however.  This is 
> > Samba as an AD DC.
> 
> Also make sure that, after the AD domain join, you log in as a domain user (we used Administrator). 
> 
> > > I am using Samba 4.1.6 that Ubuntu installs.
> > 
> > We reproduced with git master, but the customer and users reporting 
> > are running sernet-samba-4.1.11-9.el6.x86_64 on CentOS 6.5 and 4.2rc3 
> > respectively.
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> > > Regards,
> > > Obaid Farooqi
> > > Escalation Engineer | Microsoft
> > > 
> > > Exceeding your expectations is my highest priority.  If you would 
> > > like to provide feedback on your case you may contact my manager at 
> > > nkang at Microsoft dot com
> > > 
> > > -----Original Message-----
> > > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > > Sent: Monday, February 2, 2015 8:42 PM
> > > To: Obaid Farooqi
> > > Cc: MSSolve Case Email; cifs-protocol at samba.org
> > > Subject: Re: [cifs-protocol] Protocol changes in KB2992611 
> > > [115012312316449]
> > > 
> > > On Tue, 2015-01-27 at 15:55 +1300, Andrew Bartlett wrote:
> > > > I've got into our server with the (presumably) failing packet.  
> > > > The client appears to have started requiring that 
> > > > BACKUPKEY_BACKUP_GUID, ie the ServerWrap protocol 
> > > > 7f752b10-178e-11d1-ab8f-00805f14db40
> > > > actually work (we do not implement it yet).
> > > > 
> > > > Before this update, the client is happy for this to fail, now it 
> > > > persists with continuing to contact the server, and having this 
> > > > operation fail.  This repeats and repeats.
> > > > 
> > > > I'm also quite curious as to why an update in 2014 is moving 
> > > > clients to require use of the RC4 based protocol, given all the 
> > > > bad press that crypto had got.  This failure is just after a 
> > > > successful call to the ClientWrap protocol, which should be much better.
> > > > 
> > > > I await your thoughts,
> > > 
> > > Any news on this?  I'm planning on making an implementation of the ServerWrap protocol, but it would help to know what actually changed, so I know if this is likely to help.
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> > > --
> > > Andrew Bartlett
> > > http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team  http://samba.org
> > > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> 

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
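
Added example, not part of the original message and not Samba code: a triage helper that flags clients stuck in the failing ServerWrap retry loop described in the thread, by matching the BACKUPKEY_BACKUP_GUID quoted above against the start of each BackupKey request stub. Assumptions: the action GUID is the first 16 bytes of the stub in little-endian NDR form, a non-zero status means the call failed, and the records, client names and placeholder GUID are constructed sample data.

```python
import uuid
from collections import Counter

# GUID quoted in the thread for BACKUPKEY_BACKUP_GUID (the ServerWrap protocol).
SERVERWRAP = uuid.UUID("7f752b10-178e-11d1-ab8f-00805f14db40")


def action_guid(stub):
    """Decode the GUID at the start of a request stub; None if the stub is too short.

    Assumption: little-endian NDR, so the first three GUID fields are
    byte-swapped on the wire (uuid's bytes_le layout).
    """
    if len(stub) < 16:
        return None
    return uuid.UUID(bytes_le=stub[:16])


def failing_serverwrap_loops(records, threshold=3):
    """Return {client: failures} for clients with >= threshold failed ServerWrap calls.

    records: iterable of (client, request_stub_bytes, status); status 0 = success.
    """
    failures = Counter()
    for client, stub, status in records:
        if status != 0 and action_guid(stub) == SERVERWRAP:
            failures[client] += 1
    return {c: n for c, n in failures.items() if n >= threshold}


def stub_for(guid):
    """Build a constructed request stub: GUID in wire order plus dummy payload."""
    return guid.bytes_le + b"\x00" * 8


# Placeholder GUID standing in for any other BackupKey action (not a real value).
OTHER_ACTION = uuid.UUID("00000000-0000-0000-0000-000000000001")

# Constructed sample: one client retries a failing ServerWrap call, one gives up.
SAMPLE = (
    [("win81-patched", stub_for(OTHER_ACTION), 0)]
    + [("win81-patched", stub_for(SERVERWRAP), 1)] * 4
    + [("win81-unpatched", stub_for(OTHER_ACTION), 0),
       ("win81-unpatched", stub_for(SERVERWRAP), 1),
       ("win81-unpatched", b"\x00" * 4, 1)]  # truncated stub, ignored
)

if __name__ == "__main__":
    print(failing_serverwrap_loops(SAMPLE))
```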



