[cifs-protocol] Protocol changes in KB2992611 [115012312316449]

Andrew Bartlett abartlet at samba.org
Mon Jan 26 15:27:30 MST 2015

On Mon, 2015-01-26 at 20:01 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> This is kind of an open ended question.

Indeed, and I realise that.  I'm not sure if you got my previous mail (I
cancelled sending it after realising what size attachments I was trying
to send). 

However, I'm presuming you have access to some more detailed notes on
what was changed in KB2992611 than is public so far, and was hoping you
could look into the intersection of that and protected_storage.  

>From the widespread impact noted elsewhere, it looks like a large
upgrade to the X.509 cryptographic subssystem, which is clearly used by
the protected_storage module, but if it was more limited, perhaps we
could understand what additional requirements were in the design

> Can you please let me know the specific scenario that is failing after the application of this kb with supporting network trace? I need that to repro the scenario, debug, file bug etc.

- Samba GIT master (probably all versions of Samba 4.x) as an AD DC
- Join Windows 8.1 with the 2014-12 update .iso, or a totally updated
Windows 8.1
- Log in as administrator
- open credentials manager

We know our BKRP server is insufficient, so I also tried with the
patches from:
git://repo.or.cz/Samba/reqa.git BKRP

Attached is a tar.xz (try 7zip to open it) with the captures against
various versions of Windows client, and Samba master, Samba master with
the BKRP patches mentioned above, and Windows 2012R2. 


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: windows8.1-KB2992611.tar.xz
Type: application/x-xz-compressed-tar
Size: 2055892 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20150127/284e7916/attachment-0001.bin>

More information about the cifs-protocol mailing list