pawel.orzechowski at budikom.net
2015-Jul-07 09:37 UTC
[Samba] KB2992611 - backupkey/protected_storage and the Credentials Manager
> (re-send as I don't see this in the archives)
>
> On Fri, 2015-01-16 at 17:21 +0000, Christopher Roberts wrote:
>> * Version: Samba 4.2.0rc3
>> * Distribution: Ubuntu Server 14.04 LTS
>> * Client: Windows 8.1 Professional
>>
>> Having installed Samba4 servers at our two sites and ensured that
>> replication is working correctly, I connected a brand new Windows 8.1
>> Professional PC to the new AD network as a test.
>>
>> I immediately encountered two problems:
>>
>> 1. Web credentials were not being remembered in either Internet
>>    Explorer or Google Chrome
>> 2. Microsoft Outlook 2013 was unable to connect to IMAP TLS encrypted
>>    mailserver "An Unknown Error has Occurred - 0x8004011c".
>>
>> These problems were not present on a local account, only on a domain
>> account.
>>
>> When accessing Web Credential service an Error 0x80090345 was seen,
>> which fortunately took me to the following Microsoft Technet thread:
>>
>> * http://goo.gl/dX7L6C [1] "Credential Manager Problems - Error
>>   0x80090345"
>>
>> It is interesting to note that this thread is for a Linux Zentyal
>> server running Samba 4.
>>
>> This led me to remove KB2992611, which was pre-installed prior to the
>> supply of the PC, and instantly both the problems outlined above went
>> away.
>>
>> I understand that this is related to the Winshock SChannel patch that
>> hit the headlines a few months ago. My understanding is that it is
>> well known that Microsoft messed up their patch with the result that
>> TLS connections were problematic with the patch installed.
>>
>> Clearly this is a patch that we ought to have and removing it from
>> every client would seem to be not terribly sensible.
>>
>> I do appreciate that Samba 4.2.0rc3 is not production ready, but has
>> anyone else come across this issue and better still found a solution
>> that leaves KB2992611 in place?
>
> Just a heads-up that I am looking into this for a client. The protocol
> involved is MS-BKRP, e.g. the protected_storage pipe serviced by our
> backupkey RPC server in the source4 codebase.
>
> At this stage it looks like a case of increased expectations of what the
> server must deliver over this protocol, expectations that we don't
> currently meet. I've already started a thread with Microsoft.
>
> Failure to meet those seems to cause an almost endless stream of
> requests to Samba to open this pipe, particularly when the credentials
> manager is opened. (Against Windows 2012 AD, it only happens once at
> startup).
>
> It doesn't seem to actually have anything to do with delegation
> (typically a kerberos concept), but I will continue to investigate.
>
> I have already tried the patches from Arvid at univention, but sadly
> they don't seem to help:
> http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP [2]
>
> I hope to have better news soon, in the meantime if anybody has any
> further clues, please let me know. I have the required test
> environments to compare patched and unpatched Windows versions against
> Samba4 and Windows 2012R2.

Hi Andrew,

What is your investigation status about this ("Just a heads-up that I am looking into this for a client.")?

Can someone confirm if this bug https://bugzilla.samba.org/show_bug.cgi?id=11097 is related to this? Which version of Samba should work - we are using Ubuntu 14.04 with 4.1.6+dfsg and it is not working, so we have to manually remove both updates from Windows clients (Windows Server 2012 R2).

Just to refresh some info: there is a thread on the Windows forum concerning this case:
https://social.technet.microsoft.com/Forums/en-US/47faab6b-d717-4068-bee4-c694811e0066/credential-manager-problems-error-0x80090345?forum=w8itpronetworking

Thanks
Pawel

--
Paweł Orzechowski
pawel.orzechowski at budikom.net

BUDIKOM.NET
ul. Trzy Lipy 3, GPNT, bud. C
80-172 Gdańsk
tel.: +48 58 58 58 708
email: biuro at budikom.net

Links:
------
[1] http://goo.gl/dX7L6C
[2] http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP

Andrew Bartlett
2015-Jul-10 10:04 UTC
[Samba] KB2992611 - backupkey/protected_storage and the Credentials Manager
On Tue, 2015-07-07 at 11:37 +0200, pawel.orzechowski at budikom.net wrote:
> Hi Andrew,
>
> What is your investigation status about this ("Just a heads-up that I am
> looking into this for a client.")?
>
> Can someone confirm if this bug
> https://bugzilla.samba.org/show_bug.cgi?id=11097 is related to this?
> Which version of Samba should work - we are using Ubuntu 14.04 with
> 4.1.6+dfsg and it is not working, so we have to manually remove both
> updates from Windows clients (Windows Server 2012 R2).
>
> Just to refresh some info: there is a thread on the Windows forum
> concerning this case:
> https://social.technet.microsoft.com/Forums/en-US/47faab6b-d717-4068-bee4-c694811e0066/credential-manager-problems-error-0x80090345?forum=w8itpronetworking
>
> ------
> [1] http://goo.gl/dX7L6C
> [2] http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP

Yes, all these refer to the same issue.

The patch wasn't ever backported to 4.1, but it does impact that series (and 4.0) as it is both a new feature with a dependency on a new library, and a bug fix, depending on how you look at it.

My hope was that users who were impacted could upgrade to 4.2. I do realise that the situation regarding lack of Debian/Ubuntu packages for 4.2 (related to the close coupling with Heimdal) makes this difficult all-round.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba