Andrew,
After tracking down the corresponding code fix applied in MS14-066 / KB2992611, 
we observe that this security update simply addresses a Schannel code 
vulnerability, and does not appear to introduce any protocol change.
It does trigger a local error when it detects the specific anomaly, i.e. during 
certificate signature verification check, but as such the same error was 
already returned in many other checks. If this occurs on a client, then the 
calling application will obviously bail out.
Regarding your observation: “It looks like it has gone from a soft to a hard 
error in the client code, essentially.”
We are concerned about what you meant by soft vs hard error. Can you elaborate 
in more detail?
The Schannel / SSPI error code in question:
SEC_E_ILLEGAL_MESSAGE 
0x80090326
The message received was unexpected or badly formatted.

Regards,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, February 13, 2015 11:22 AM
To: 'Andrew Bartlett'
Cc: MSSolve Case Email; [email protected]; Obaid Farooqi
Subject: RE: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in 
KB2992611 [115012312316449]

Andrew,

Just an FYI, I will consider the information you sent to Obaid in my 
investigation.

He is currently out of office but forwarded me the following message. Your 
comment appears to intersect with the other case you opened regarding ClientWrap 
and its use case.

== Begin forwarded message ==

From: Andrew Bartlett <[email protected]>
Date: February 13, 2015 at 10:15:50 AM GMT+5
To: Obaid Farooqi <[email protected]>
Cc: MSSolve Case Email <[email protected]>, "[email protected]" 
<[email protected]>
Subject: Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote:

On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote:
Hi Andrew:
I have a fully patched system, Windows 8.1 enterprise. I verified that the 
updates include kb2992611. I joined the machine to Samba domain before patching 
though. 

Please do it the other way around.  That would match our steps.  It certainly 
appears to be an issue in new profiles, after the patches. 

It may be enough to create a new user after patching, but you suggest below 
that this doesn't help.

Have you had any luck doing this where you join the newly built, patched, 
machine to Samba, where it has never seen the same domain before, after doing 
the patches?

From our side, we have just finished writing the ServerWrap server-side, and 
this 'fixes' this issue, but I strongly suspect it just works around it - that 
the client prefers to do ClientWrap, and this is a fallback.  

As such, I still need to know what changed, and what we are doing wrong in our 
ClientWrap server, both in master and after the patch in bug
11097 is applied. 

Thanks,

Andrew Bartlett

== End forwarded message ==

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Tuesday, February 10, 2015 5:27 PM
To: Edgar Olougouna
Cc: MSSolve Case Email; [email protected]; Obaid Farooqi
Subject: Re: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in 
KB2992611 [115012312316449]

On Tue, 2015-02-10 at 22:13 +0000, Edgar Olougouna wrote:
> Andrew,
> I will take care of this case while my colleague (Obaid in cc) is out of 
> office.
> Let me review the issue and narrow the scope. I gather that you want to 
> determine whether there's any protocol effect resulting from KB2992611, and 
> the current leads you have been exploring are protected_storage, MS-BKRP, 
> DPAPI regarding the use of Credential manager connected to Samba's DC.
> Please share any current information that may help me speed up investigation.

In particular, we now see more calls to BACKUPKEY_BACKUP_GUID, that is 
ServerWrap, vs the ClientWrap that we did have implemented.  In the past, our 
failure to implement this had no user-visible impact, and happened only once 
per login, now it prevents operation of credentials manager and is repeated 
often.  It looks like it has gone from a soft to a hard error in the client 
code, essentially. 

> I will follow-up as soon as I have an update.
> 
> Regards,
> Edgar
> 
> -----Original Message-----
> From: "Andrew Bartlett" <[email protected]>
> Sent: Tuesday, February 10, 2015 12:56 AM
> To: "Obaid Farooqi" <[email protected]>
> Cc: "MSSolve Case Email" <[email protected]>; 
> "[email protected]" <[email protected]>
> Subject: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in
> KB2992611 [115012312316449]
> 
> On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote: 
> > On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote: 
> > > Hi Andrew: 
> > > I have a fully patched system, Windows 8.1 enterprise. I verified that
> > > the updates include kb2992611. I joined the machine to Samba 
> > > domain before patching though.
> > 
> > Please do it the other way around.  That would match our steps.  It 
> > certainly appears to be an issue in new profiles, after the patches.
> > 
> > It may be enough to create a new user after patching, but you 
> > suggest below that this doesn't help.
> > 
> > > I still do not see the problem. I also created a new user using active
> > > directory users and computers from my Windows machine. No issues. 
> > > Logged in as the newly created user and tried credentials manager but
> > > still no issues. 
> > > 
> > > Is your setup on hyper-v virtual machines? Maybe you can send me both
> > > the VHDs and I can just debug on my side to see what is happening?
> > > 
> > > I am not sure if opening credential manager generates any network
> > > traffic from workstation to DC. I did not see any when I opened
> > > credentials manager. 
> > 
> > The issue when reproduced should show protected_storage traffic.  
> > You will see some during the first login in the unpatched case, and 
> > much more of it in the patched case, per the traces I included.
> > 
> > I hope this is enough to help you reproduce.  Otherwise, I'll see what
> > we can do. 
> 
> Are you still unable to reproduce, following these directions exactly? 
> 
> Thanks,
> 
> Andrew Bartlett
> 

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



