On 2016-03-22 at 10:45, Garming Sam wrote:
> Hi,
>
> As you should know, 3.x is out of support. Assuming this is related to
> the KB2992611 MS update, basically the bar was raised for clients in
> response to a security issue, and caused havoc for people on Windows as
> well. In order to fix 3.x, a good chunk of the infrastructure written
> for Samba 4 (AD) would likely have to be moved across because the bar
> really just has been raised unfortunately. There really isn't any
> trivial fix, besides uninstalling the KB2992611 but I wouldn't really
> recommend it as it probably exposes you to a serious security
> vulnerability.

Thanks for pointing this out.

To keep the momentary changes as small as possible I consider upgrading to samba-4.x at first, without touching the NT4-style domain for now.

Gentoo Linux provides samba-4.2.9 as unstable package, I assume this would run OK as well for our rather simple use case. Would the move to 4.2.9 help around that specific bug as well?

Thanks for helping,
Stefan

On Tue, 2016-03-22 at 14:07 +0100, Stefan G. Weichinger wrote:
> On 2016-03-22 at 10:45, Garming Sam wrote:
> > Hi,
> >
> > As you should know, 3.x is out of support. Assuming this is related to
> > the KB2992611 MS update, basically the bar was raised for clients in
> > response to a security issue, and caused havoc for people on Windows as
> > well. In order to fix 3.x, a good chunk of the infrastructure written
> > for Samba 4 (AD) would likely have to be moved across because the bar
> > really just has been raised unfortunately. There really isn't any
> > trivial fix, besides uninstalling the KB2992611 but I wouldn't really
> > recommend it as it probably exposes you to a serious security
> > vulnerability.
>
> Thanks for pointing this out.
>
> To keep the momentary changes as small as possible I consider upgrading
> to samba-4.x at first, without touching the NT4-style domain for now.

My understanding is that this issue not only requires a current codebase (and Samba 4.2), but also an AD DC.

> Gentoo Linux provides samba-4.2.9 as unstable package, I assume this
> would run OK as well for our rather simple use case. Would the move to
> 4.2.9 help around that specific bug as well?
>
> Thanks for helping,
> Stefan

There is a way to tell Windows not to use BackupKey, see

https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_8.1:_Encountering_Error_code_0x80090345_launching_Windows_Credential_Manager

This will avoid Windows attempting to store a backup of the user password store master key remotely. That means if you change the user's password on the DC, saved passwords will become inaccessible, which may or may not matter.

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

On 2016-03-23 at 01:44, Andrew Bartlett wrote:
> There is a way to tell Windows not to use BackupKey, see
>
> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_8.1:_Encountering_Error_code_0x80090345_launching_Windows_Credential_Manager
>
> This will avoid Windows attempting to store a backup of the user
> password store master key remotely. That means if you change the
> user's password on the DC, saved passwords will become inaccessible,
> which may or may not matter.

I will try this setting later today, thanks.

On 2016-03-23 at 01:44, Andrew Bartlett wrote:
>> To keep the momentary changes as small as possible I consider upgrading
>> to samba-4.x at first, without touching the NT4-style domain for now.
>
> My understanding is that this issue not only requires a current codebase
> (and Samba 4.2), but also an AD DC.

The patch, yes. But even without any AD in the domain I get that Error Code 0x8004011c there.

Did you also remove KB2992611?

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger
> Sent: Wednesday, 23 March 2016 9:49
> To: Andrew Bartlett; Garming Sam; samba at lists.samba.org
> Subject: Re: [Samba] Office 365, Windows 10 and Samba AD
>
> On 2016-03-23 at 01:44, Andrew Bartlett wrote:
>
> >> To keep the momentary changes as small as possible I consider upgrading
> >> to samba-4.x at first, without touching the NT4-style domain for now.
> >
> > My understanding is that this issue not only requires a current codebase
> > (and Samba 4.2), but also an AD DC.
>
> The patch, yes. But even without any AD in the domain I get that Error
> Code 0x8004011c there.