[cifs-protocol] [REG:115012312316449] Re: Protocol changes in KB2992611 [115012312316449]

Edgar Olougouna edgaro at microsoft.com
Tue Feb 10 15:13:13 MST 2015

I will take care of this case while my colleage (Obaid in cc) is out of office.
Let's me review the issue and narrow the scope. I gather that you want to determine whether there's any protocol effect resulting from KB2992611, and the current lead you have been exploring are protected_storage, MS-BKRP, DPAPI regarding the use of Credential manager connected to Samba's DC.
Please share any current information that may help me speed up investigation.
I will follow-up as soon as I have an update.


-----Original Message-----
From: "Andrew Bartlett" <abartlet at samba.org> 
Sent: Tuesday, February 10, 2015 12:56 AM
To: "Obaid Farooqi" <obaidf at microsoft.com>
Cc: "MSSolve Case Email" <casemail at microsoft.com>; "cifs-protocol at samba.org" <cifs-protocol at samba.org>
Subject: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote: 
> On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote: 
> > Hi Andrew: 
> > I have a fully patched system, Windows 8.1 enterprise. I verified
> > the updates include kb2992611. I joined the machine to Samba domain 
> > before patching though.
> Please do it the other way around.  That would match our steps.  It 
> certainly appears to be an issue in new profiles, after the patches.
> It may be enough to create a new user after patching, but you suggest 
> below that this doesn't help.
> > I still do not see the problem. I also created a new user using
> > directory users and computers from my Windows machine. No issues. 
> > Logged in as the newly created user and tried credentials manger
> > still not issues. 
> > 
> > Is your setup on hyper-v virtual machines? Maybe you can send me
both the VHDs and I can just debug on my side to see what is happening?

> > 
> > I am not sure if opening credential manager generates any network
traffic from workstation to DC. I did not see any when I opened credentials manager. 

> The issue when reproduced should show protected_storage traffic.  You 
> will see some during the first login in the unpatched case, and much 
> more of it in the patched case, per the traces I included.
> I hope this is enough to help you reproduce.  Otherwise, I'll see
> we can do. 

Are you still unable to reproduce, following these directions exactly? 


Andrew Bartlett 

Andrew Bartlett                       http://samba.org/~abartlet/ 
Authentication Developer, Samba Team  http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba 

More information about the cifs-protocol mailing list