[Samba] KB2992611 - backupkey/protected_storage and the Credentials Manager

Andrew Bartlett abartlet at samba.org
Sat Jan 31 13:39:04 MST 2015


(re-send as I don't see this in the archives)

On Fri, 2015-01-16 at 17:21 +0000, Christopher Roberts wrote:
>  * Version: Samba 4.2.0rc3
>  * Distribution: Ubuntu Server 14.04 LTS
>  * Client: Windows 8.1 Professional
> 
> Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test.
> 
> I immediately encountered two problems:
> 
>  1. Web credentials were not being remembered in either Internet Explorer nor Google Chrome
> 
>  2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encypted mailserver "An Unknown Error has Occurred - 0x8004011c".
> 
> These problems were not present on a local account, only on a domain account.
> 
> When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread:
> 
>  * http://goo.gl/dX7L6C "Credential Manager Problems - Error 0x80090345"
> 
> It is interesting to note that this thread is for a Linux Zentyal server running Samba 4.
> 
> This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away.
> 
> I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed.
> 
> Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible.
> 
> I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place?

Just a heads-up that I am looking into this for a client.  The protocol
involved is MS-BKRP, eg the protected_storage pipe serviced by our
backupkey RPC server in the source4 codebase. 

At this stage it looks like a case of increased expectations of what the
server must deliver over this protocol, expectations that we don't
currently meet.  I've already started a thread with Microsoft.

Failure to meet those seems to cause an almost endless stream of
requests to Samba to open this pipe, particularly when the credentials
manager is opened.  (Against Windows 2012 AD, it only happens once at
startup).

It doesn't seem to actually have anything to do with delegation
(typically a kerberos concept), but I will continue to investigate. 

I have already tried the patches from Arvid at univention, but sadly
they don't seem to help:
http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP

I hope to have better news soon, in the meantime if anybody has any
further clues, please let me know.  I have the required test
environments to compare patched and unpatched Windows versions against
Samba4 and Windows 2012R2. 

Thanks,

Andrew Bartlett


-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




More information about the samba-technical mailing list