[Samba] KB2992611 - backupkey/protected_storage and the Credentials Manager

pawel.orzechowski at budikom.net pawel.orzechowski at budikom.net
Tue Jul 7 09:37:36 UTC 2015


> (re-send as I don't see this in the archives)
> On Fri, 2015-01-16 at 17:21 +0000, Christopher Roberts wrote:
>> * Version: Samba 4.2.0rc3
>> * Distribution: Ubuntu Server 14.04 LTS
>> * Client: Windows 8.1 Professional
>>> Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test.
>>> I immediately encountered two problems:
>>> 1. Web credentials were not being remembered in either Internet Explorer or Google Chrome
>>> 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encrypted mailserver "An Unknown Error has Occurred - 0x8004011c".
>>> These problems were not present on a local account, only on a domain account.
>>> When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread:
>>> * http://goo.gl/dX7L6C [1] "Credential Manager Problems - Error 0x80090345"
>>> It is interesting to note that this thread is for a Linux Zentyal server running Samba 4.
>>> This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away.
>>> I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed.
>>> Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible.
>>> I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place?
> Just a heads-up that I am looking into this for a client. The protocol
> involved is MS-BKRP, e.g. the protected_storage pipe serviced by our
> backupkey RPC server in the source4 codebase. 
> At this stage it looks like a case of increased expectations of what the
> server must deliver over this protocol, expectations that we don't
> currently meet. I've already started a thread with Microsoft.
> Failure to meet those seems to cause an almost endless stream of
> requests to Samba to open this pipe, particularly when the credentials
> manager is opened. (Against Windows 2012 AD, it only happens once at
> startup).
> It doesn't seem to actually have anything to do with delegation
> (typically a Kerberos concept), but I will continue to investigate.
> I have already tried the patches from Arvid at univention, but sadly
> they don't seem to help:
> http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP [2]
> I hope to have better news soon, in the meantime if anybody has any
> further clues, please let me know. I have the required test
> environments to compare patched and unpatched Windows versions against
> Samba4 and Windows 2012R2.

Hi Andrew, 

What is your investigation status about this ("Just a heads-up that I am
looking into this for a client.")? 

Can someone confirm if this bug
https://bugzilla.samba.org/show_bug.cgi?id=11097 is related to this?
Which version of Samba should work? We are using Ubuntu 14.04 with
4.1.6+dfsg and it is not working, so we have to manually remove both
updates from Windows clients (Windows Server 2012 R2).

Just to refresh some info: there is a thread on the Windows forum concerning
this case:



Paweł Orzechowski
pawel.orzechowski at budikom.net
ul. Trzy Lipy 3, GPNT, bud. C
80-172 Gdańsk
tel.: +48 58 58 58 708
email: biuro at budikom.net

[1] http://goo.gl/dX7L6C
[2] http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP
