[cifs-protocol] [REG:115012312316449] Re: Protocol changes in KB2992611 [115012312316449]

Edgar Olougouna edgaro at microsoft.com
Fri Feb 13 10:22:30 MST 2015


Andrew,

Just an FYI, I will consider the information you sent to Obaid in my investigation.

He is currently out of office but forwarded me the following message. Your comment appears to intersect with the other case you opened regarding ClientWrap and its use case.

== Begin forwarded message ==

From: Andrew Bartlett <abartlet at samba.org>
Date: February 13, 2015 at 10:15:50 AM GMT+5
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: MSSolve Case Email <casemail at microsoft.com>, "cifs-protocol at samba.org" <cifs-protocol at samba.org>
Subject: Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote:
> On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote:
> > Hi Andrew:
> > I have a fully patched system, Windows 8.1 enterprise. I verified that
> > the updates include kb2992611. I joined the machine to Samba domain
> > before patching though.
>
> Please do it the other way around.  That would match our steps.  It
> certainly appears to be an issue in new profiles, after the patches.
>
> It may be enough to create a new user after patching, but you suggest
> below that this doesn't help.

Have you had any luck doing this where you join the newly built,
patched, machine to Samba, where it has never seen the same domain
before, after doing the patches?

From our side, we have just finished writing the ServerWrap server-side,
and this 'fixes' this issue, but I strongly suspect it just works around
it - that the client prefers to do ClientWrap, and this is a fallback.

As such, I still need to know what changed, and what we are doing wrong
in our ClientWrap server, both in master and after the patch in bug
11097 is applied. 

Thanks,

Andrew Bartlett

== End forwarded message ==

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, February 10, 2015 5:27 PM
To: Edgar Olougouna
Cc: MSSolve Case Email; cifs-protocol at samba.org; Obaid Farooqi
Subject: Re: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

On Tue, 2015-02-10 at 22:13 +0000, Edgar Olougouna wrote:
> Andrew,
> I will take care of this case while my colleague (Obaid in cc) is out of office.
> Let me review the issue and narrow the scope. I gather that you want to determine whether there's any protocol effect resulting from KB2992611, and the current leads you have been exploring are protected_storage, MS-BKRP, DPAPI regarding the use of Credential manager connected to Samba's DC.
> Please share any current information that may help me speed up investigation.

In particular, we now see more calls to BACKUPKEY_BACKUP_GUID, that is ServerWrap, vs the ClientWrap that we did have implemented.  In the past, our failure to implement this had no user-visible impact, and happened only once per login; now it prevents operation of credentials manager and is repeated often.  It looks like it has gone from a soft to a hard error in the client code, essentially.

> I will follow-up as soon as I have an update.
> 
> Regards,
> Edgar
> 
> -----Original Message-----
> From: "Andrew Bartlett" <abartlet at samba.org>
> Sent: Tuesday, February 10, 2015 12:56 AM
> To: "Obaid Farooqi" <obaidf at microsoft.com>
> Cc: "MSSolve Case Email" <casemail at microsoft.com>; 
> "cifs-protocol at samba.org" <cifs-protocol at samba.org>
> Subject: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in 
> KB2992611 [115012312316449]
> 
> On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote: 
> > On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote: 
> > > Hi Andrew: 
> > > I have a fully patched system, Windows 8.1 enterprise. I verified that
> > > the updates include kb2992611. I joined the machine to Samba
> > > domain before patching though.
> > 
> > Please do it the other way around.  That would match our steps.  It 
> > certainly appears to be an issue in new profiles, after the patches.
> > 
> > It may be enough to create a new user after patching, but you 
> > suggest below that this doesn't help.
> > 
> > > I still do not see the problem. I also created a new user using active
> > > directory users and computers from my Windows machine. No issues.
> > > Logged in as the newly created user and tried credentials manager but
> > > still no issues.
> > >
> > > Is your setup on hyper-v virtual machines? Maybe you can send me both
> > > the VHDs and I can just debug on my side to see what is happening?
> > >
> > > I am not sure if opening credential manager generates any network
> > > traffic from workstation to DC. I did not see any when I opened
> > > credentials manager.
> 
> > 
> > The issue when reproduced should show protected_storage traffic.  
> > You will see some during the first login in the unpatched case, and 
> > much more of it in the patched case, per the traces I included.
> > 
> > I hope this is enough to help you reproduce.  Otherwise, I'll see what
> > we can do.
> 
> Are you still unable to reproduce, following these directions exactly? 
> 
> Thanks,
> 
> Andrew Bartlett
> 

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





