* Version: Samba 4.2.0rc3 * Distribution: Ubuntu Server 14.04 LTS * Client: Windows 8.1 Professional Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test. I immediately encountered two problems: 1. Web credentials were not being remembered in either Internet Explorer nor Google Chrome 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encypted mailserver "An Unknown Error has Occurred - 0x8004011c". These problems were not present on a local account, only on a domain account. When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread: * http://goo.gl/dX7L6C "Credential Manager Problems - Error 0x80090345" It is interesting to note that this thread is for a Linux Zentyal server running Samba 4. This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away. I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed. Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible. I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place? Thanks! Chris. -- Chris Roberts
On Fri, Jan 16, 2015 at 05:21:51PM +0000, Christopher Roberts wrote:> > * Version: Samba 4.2.0rc3 > * Distribution: Ubuntu Server 14.04 LTS > * Client: Windows 8.1 Professional > > Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test. > > I immediately encountered two problems: > > 1. Web credentials were not being remembered in either Internet Explorer nor Google Chrome > > 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encypted mailserver "An Unknown Error has Occurred - 0x8004011c". > > These problems were not present on a local account, only on a domain account. > > When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread: > > * http://goo.gl/dX7L6C "Credential Manager Problems - Error 0x80090345" > > It is interesting to note that this thread is for a Linux Zentyal server running Samba 4. > > This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away. > > I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed. > > Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible. > > I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place?Do you have any logs from the Samba side showing what the problem is when KB2992611 is installed ?
On 2015-01-16 19:19, Jeremy Allison wrote:> Do you have any logs from the Samba side showing what > the problem is when KB2992611 is installed ?The only errors that I ever have in my samba logs are: [2015/01/15 22:02:35.852722, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done) ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT This starts about 20 seconds after samba start-up and every 10 minutes after that. There were no different errors with KB2992611 installed on the client. I had thought that I'd managed to eradicate these errors or I would have mentioned them. I am able to do nslookup on the Windows clients, including checking SRV records, I am able to add DNS records with samba-tool and query from the server with host command. In short I cannot see any DNS problems and yet this error persists. Chris. -- Chris Roberts
Il 16/01/15 18:21, Christopher Roberts ha scritto:> * Version: Samba 4.2.0rc3 > * Distribution: Ubuntu Server 14.04 LTS > * Client: Windows 8.1 Professional > > Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test. > > I immediately encountered two problems: > > 1. Web credentials were not being remembered in either Internet Explorer nor Google Chrome > > 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encypted mailserver "An Unknown Error has Occurred - 0x8004011c". > > These problems were not present on a local account, only on a domain account. > > When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread: > > * http://goo.gl/dX7L6C "Credential Manager Problems - Error 0x80090345" > > It is interesting to note that this thread is for a Linux Zentyal server running Samba 4. > > This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away. > > I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed. > > Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible. > > I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place? > > Thanks! > > Chris.I've see this issue on win8.1 pro on a 4.2rc2 i see another problem, ie 11 is slow down and when try to open a new tab it freeze for about 3-5 sec then open a new tab and write in textbox sometime you can write sometimes not remove the *KB2992611* and *KB3000850* remove the problem Charles
This is not a samba4 issue. This proplem exist also if you are running server 2012. This is aproblem with windows 8.1 Daniel EDV Daniel M?ller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 T?bingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: mueller at tropenklinik.de Internet: www.tropenklinik.de -----Urspr?ngliche Nachricht----- Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Carlo Gesendet: Montag, 19. Januar 2015 23:50 An: samba at lists.samba.org Betreff: Re: [Samba] KB2992611 Il 16/01/15 18:21, Christopher Roberts ha scritto:> * Version: Samba 4.2.0rc3 > * Distribution: Ubuntu Server 14.04 LTS > * Client: Windows 8.1 Professional > > Having installed Samba4 servers at our two sites and ensured thatreplication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test.> > I immediately encountered two problems: > > 1. Web credentials were not being remembered in either Internet > Explorer nor Google Chrome > > 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encyptedmailserver "An Unknown Error has Occurred - 0x8004011c".> > These problems were not present on a local account, only on a domainaccount.> > When accessing Web Credential service an Error 0x80090345 was seen, whichfortunately took me to the following Microsoft Technet thread:> > * http://goo.gl/dX7L6C "Credential Manager Problems - Error 0x80090345" > > It is interesting to note that this thread is for a Linux Zentyal serverrunning Samba 4.> > This led me to remove KB2992611, which was pre-installed prior to thesupply of the PC, and instantly both the problems outlined above went away.> > I understand that this is related to the Winshock SChannel patch that hitthe headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed.> > Clearly this is a patch that we ought to have and removing it from everyclient would seem to be not terribly sensible.> > I do appreciate that Samba 4.2.0rc3 is not production ready, but hasanyone else come across this issue and better still found a solution that leaves KB2992611 in place?> > Thanks! > > Chris.I've see this issue on win8.1 pro on a 4.2rc2 i see another problem, ie 11 is slow down and when try to open a new tab it freeze for about 3-5 sec then open a new tab and write in textbox sometime you can write sometimes not remove the *KB2992611* and *KB3000850* remove the problem Charles -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Carlo wrote;> I've see this issue on win8.1 pro on a 4.2rc2Great to hear that I'm not alone!> i see another problem, ie 11 is slow down and when try to open a new tab > it freeze for about 3-5 sec then open a new tab and write in textbox > sometime you can write sometimes notYes, I have this problem as well, I hadn't related it to the previous issue.> remove the > *KB2992611* and *KB3000850*I didn't have the latter installed. But surely these are important patches? Also, I can't find a way of excluding them, so it means having to switch off automatic updating on all clients and update each manually. If anyone has a better solution I'd be delighted to hear it! Thanks, Chris.
Andrew Bartlett
2015-Jan-31 20:39 UTC
[Samba] KB2992611 - backupkey/protected_storage and the Credentials Manager
(re-send as I don't see this in the archives) On Fri, 2015-01-16 at 17:21 +0000, Christopher Roberts wrote:> * Version: Samba 4.2.0rc3 > * Distribution: Ubuntu Server 14.04 LTS > * Client: Windows 8.1 Professional > > Having installed Samba4 servers at our two sites and ensured that replication is working correctly, I connected a brand new Windows 8.1 Professional PC to the new AD network as a test. > > I immediately encountered two problems: > > 1. Web credentials were not being remembered in either Internet Explorer nor Google Chrome > > 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encypted mailserver "An Unknown Error has Occurred - 0x8004011c". > > These problems were not present on a local account, only on a domain account. > > When accessing Web Credential service an Error 0x80090345 was seen, which fortunately took me to the following Microsoft Technet thread: > > * http://goo.gl/dX7L6C "Credential Manager Problems - Error 0x80090345" > > It is interesting to note that this thread is for a Linux Zentyal server running Samba 4. > > This led me to remove KB2992611, which was pre-installed prior to the supply of the PC, and instantly both the problems outlined above went away. > > I understand that this is related to the Winshock SChannel patch that hit the headlines a few months ago. My understanding is that it is well known that Microsoft messed up their patch with the result that TLS connections were problematic with the patch installed. > > Clearly this is a patch that we ought to have and removing it from every client would seem to be not terribly sensible. > > I do appreciate that Samba 4.2.0rc3 is not production ready, but has anyone else come across this issue and better still found a solution that leaves KB2992611 in place?Just a heads-up that I am looking into this for a client. The protocol involved is MS-BKRP, eg the protected_storage pipe serviced by our backupkey RPC server in the source4 codebase. At this stage it looks like a case of increased expectations of what the server must deliver over this protocol, expectations that we don't currently meet. I've already started a thread with Microsoft. Failure to meet those seems to cause an almost endless stream of requests to Samba to open this pipe, particularly when the credentials manager is opened. (Against Windows 2012 AD, it only happens once at startup). It doesn't seem to actually have anything to do with delegation (typically a kerberos concept), but I will continue to investigate. I have already tried the patches from Arvid at univention, but sadly they don't seem to help: http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP I hope to have better news soon, in the meantime if anybody has any further clues, please let me know. I have the required test environments to compare patched and unpatched Windows versions against Samba4 and Windows 2012R2. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba