[cifs-protocol] Protocol changes in KB2992611 [115012312316449]

Obaid Farooqi obaidf at microsoft.com
Mon Jan 26 15:52:27 MST 2015

Hi Andrew:
I got both of your emails. Looking into it.

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, January 26, 2015 4:28 PM
To: Obaid Farooqi
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

On Mon, 2015-01-26 at 20:01 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> This is kind of an open-ended question.

Indeed, and I realise that.  I'm not sure if you got my previous mail (I cancelled sending it after realising what size attachments I was trying to send). 

However, I'm presuming you have access to some more detailed notes on what was changed in KB2992611 than is public so far, and was hoping you could look into the intersection of that and protected_storage.  

From the widespread impact noted elsewhere, it looks like a large upgrade to the X.509 cryptographic subsystem, which is clearly used by the protected_storage module, but if it was more limited, perhaps we could understand what additional requirements were in the design intent. 

> Can you please let me know the specific scenario that is failing after the application of this kb with supporting network trace? I need that to repro the scenario, debug, file bug etc.

- Samba GIT master (probably all versions of Samba 4.x) as an AD DC
- Join Windows 8.1 with the 2014-12 update .iso, or a totally updated Windows 8.1
- Log in as administrator
- open credentials manager

We know our BKRP server is insufficient, so I also tried with the patches from:
git://repo.or.cz/Samba/reqa.git BKRP

Attached is a tar.xz (try 7zip to open it) with the captures against various versions of Windows client, and Samba master, Samba master with the BKRP patches mentioned above, and Windows 2012R2. 


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
