query about bnc#11097 and Windows Credential error 0x80090345

Andrew Bartlett abartlet at samba.org
Thu Aug 20 09:11:16 UTC 2015


On Thu, 2015-08-20 at 09:46 +0100, Noel Power wrote:
> On 19/08/15 22:57, Andrew Bartlett wrote:
> > On Wed, 2015-08-19 at 15:18 +0100, Noel Power wrote:
> > > Hi,
> > > 
> > > With samba 4.2 and samba configured as a PDC with a windows 8.1 client
> > > it still errors out with 0x80090345 when raising the credential manager,
> > > the fix for this https://bugzilla.samba.org/show_bug.cgi?id=11097 tweaks
> > > the BackupKey Remote Protocol (MS-BKRP) but afaics with Samba in PDC
> > > mode the windows client doesn't even try to use this protocol (which
> > > MS-BKRP says is for AD anyway).
> > > I've pored over the associated logs and network traces for this but find
> > > no errors or details in the conversation with the samba PDC to explain
> > > why this error is triggered. Additionally it seems that users that
> > > previously were logged in (prior to install of KB2992611) to the win8.1
> > > client don't raise the error, however if a user not previously logged in
> > > is used, bingo, attempt to raise the Cred Manager and you get 0x80090345.
> > > Does anyone have any more info on this, is it really the case that for
> > > samba in PDC mode there is nothing more that can be done :/
> > Thanks for updating the wiki.  The other alternative is to implement
> > BackupKey for the NT4 DC.  The code could be put in common, with enough
> > effort.
> you mean implement MS-BKRP for samba3? Thing to note is the client
> does not even attempt to use that protocol (doesn't attempt to open the
> pipe)

OK.  Another good reason to use Samba as an AD DC.  Our time as a
classic DC really is up! :-)

> Looking in MS-BKRP section 1.3.1 it says
> 
> "Although the BackupKey Remote Protocol could be used between a client
> and any server to provide secret wrapping and unwrapping services, the
> specific use of this protocol is between a client and a Domain
> Controller (DC). Specifically, every writable DC in an Active Directory
> domain is a BackupKey Remote Protocol server for clients within that
> domain, and no other machines support BackupKey Remote Protocol server
> functionality."
> 
> which seems to suggest this will only work with AD :/

I would never read the documents so literally.  The things that still
work against Samba Classic domains are almost entirely by accident and
history, and because our Samba Classic domains have many properties of AD
domains (modern crypto, SMB2 etc).

There have been far more misleading statements than this in that doc,
but if it never opens the pipe, then there isn't much we can do.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
