[cifs-protocol] Protocol changes in KB2992611 
abartlet at samba.org
Mon Jan 26 19:55:15 MST 2015
I've got into our server with the (presumably) failing packet. The
client appears to have started requiring that BACKUPKEY_BACKUP_GUID, ie
the ServerWrap protocol 7f752b10-178e-11d1-ab8f-00805f14db40 actually
work (we do not implement it yet).
Before this update, the client is happy for this to fail, now it
persists with continuing to contact the server, and having this
operation fail. This repeats and repeats.
I'm also quite curious as to why an update in 2014 is moving clients to
require use of the RC4 based protocol, given all the bad press that
cyrpto had got. This failure is just after a successful call to the
ClientWrap protocol, which should be much better.
I await your thoughts,
On Mon, 2015-01-26 at 22:52 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I got both of your emails. Looking into it.
> Obaid Farooqi
> Escalation Engineer | Microsoft
> Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Monday, January 26, 2015 4:28 PM
> To: Obaid Farooqi
> Cc: MSSolve Case Email; cifs-protocol at samba.org
> Subject: Re: [cifs-protocol] Protocol changes in KB2992611 
> On Mon, 2015-01-26 at 20:01 +0000, Obaid Farooqi wrote:
> > Hi Andrew:
> > This is kind of an open ended question.
> Indeed, and I realise that. I'm not sure if you got my previous mail (I cancelled sending it after realising what size attachments I was trying to send).
> However, I'm presuming you have access to some more detailed notes on what was changed in KB2992611 than is public so far, and was hoping you could look into the intersection of that and protected_storage.
> From the widespread impact noted elsewhere, it looks like a large upgrade to the X.509 cryptographic subssystem, which is clearly used by the protected_storage module, but if it was more limited, perhaps we could understand what additional requirements were in the design intent.
> > Can you please let me know the specific scenario that is failing after the application of this kb with supporting network trace? I need that to repro the scenario, debug, file bug etc.
> - Samba GIT master (probably all versions of Samba 4.x) as an AD DC
> - Join Windows 8.1 with the 2014-12 update .iso, or a totally updated Windows 8.1
> - Log in as administrator
> - open credentials manager
> We know our BKRP server is insufficient, so I also tried with the patches from:
> git://repo.or.cz/Samba/reqa.git BKRP
> Attached is a tar.xz (try 7zip to open it) with the captures against various versions of Windows client, and Samba master, Samba master with the BKRP patches mentioned above, and Windows 2012R2.
> Andrew Bartlett
> Andrew Bartlett
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the cifs-protocol