[Samba] Office 365, Windows 10 and Samba AD

Andrew Bartlett abartlet at samba.org
Wed Mar 23 00:44:54 UTC 2016


On Tue, 2016-03-22 at 14:07 +0100, Stefan G. Weichinger wrote:
> On 2016-03-22 at 10:45, Garming Sam wrote:
> > 
> > Hi,
> > 
> > As you should know, 3.x is out of support. Assuming this is related to
> > the KB2992611 MS update, basically the bar was raised for clients in
> > response to a security issue, and caused havoc for people on Windows as
> > well. In order to fix 3.x, a good chunk of the infrastructure written
> > for Samba 4 (AD) would likely have to be moved across because the bar
> > really just has been raised unfortunately. There really isn't any
> > trivial fix, besides uninstalling the KB2992611 but I wouldn't really
> > recommend it as it probably exposes you to a serious security
> > vulnerability.
> Thanks for pointing this out.
> 
> To keep the momentary changes as small as possible I consider upgrading
> to samba-4.x at first, without touching the NT4-style domain for now.

My understanding is that this issue not only requires a current codebase
(and Samba 4.2), but also an AD DC.

> gentoo linux provides samba-4.2.9 as unstable package, I assume this
> would run OK as well for our rather simple use case. Would the move to
> 4.2.9 help around that specific bug as well?
> 
> thanks for helping, Stefan

There is a way to tell Windows not to use BackupKey, see

https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_8.1:_Encountering_Error_code_0x80090345_launching_Windows_Credential_Manager

This will avoid Windows attempting to store a backup of the user
password store master key remotely.  That means if you change the
user's password on the DC, saved passwords will become inaccessible,
which may or may not matter.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba








