query about bnc#11097 and Windows Credential error 0x80090345

Noel Power nopower at suse.com
Thu Aug 20 08:46:36 UTC 2015

On 19/08/15 22:57, Andrew Bartlett wrote:
> On Wed, 2015-08-19 at 15:18 +0100, Noel Power wrote:
>> Hi,
>> With samba 4.2 and samba configured as a PDC with a windows 8.1 client
>> it still errors out with 0x80090345 when raising the credential manager.
>> The fix for this, https://bugzilla.samba.org/show_bug.cgi?id=11097, tweaks
>> the BackupKey Remote Protocol (MS-BKRP), but afaics with Samba in PDC
>> mode the windows client doesn't even try to use this protocol (which
>> MS-BKRP says is for AD anyway).
>> I've pored over the associated logs and network traces for this but find
>> no errors or details in the conversation with the samba PDC to explain
>> why this error is triggered. Additionally it seems that users that
>> previously were logged in (prior to install of KB2992611) to the win8.1
>> client don't raise the error; however, if a user not previously logged in
>> is used, bingo: attempt to raise the Cred Manager and you get 0x80090345.
>> Does anyone have any more info on this? Is it really the case that for
>> samba in PDC mode there is nothing more that can be done :/
> Thanks for updating the wiki.  The other alternative is to implement
> BackupKey for the NT4 DC.  The code could be put in common, with enough
> effort.
You mean implement MS-BKRP for samba3? The thing to note is that the client
does not even attempt to use that protocol (it doesn't attempt to open the
pipe). Looking in MS-BKRP section 1.3.1, it says:

"Although the BackupKey Remote Protocol could be used between a client
and any server to provide secret wrapping and unwrapping services, the
specific use of this protocol is between a client and a Domain Controller
(DC). Specifically, every writable DC in an Active Directory domain is a
BackupKey Remote Protocol server for clients within that domain, and no
other machines support BackupKey Remote Protocol server functionality."

which seems to suggest this will only work with AD :/
