On Thu, 2015-02-19 at 22:25 +0000, Edgar Olougouna wrote:
> Andrew,
> After tracking down the corresponding code fix applied in MS14-066 /
> KB2992611, we observe that this security update simply addresses a
> Schannel code vulnerability, and does not appear to introduce any
> protocol change.
> It does trigger a local error when it detects the specific anomaly,
> i.e. during certificate signature verification check, but as such the
> same error was already returned in many other checks. If this occurs
> on a client, then the calling application will obviously bail out.
> Regarding your observation: “It looks like it has gone from a soft to
> a hard error in the client code, essentially.”
> We are concerned about what you meant by soft vs hard error. Can you
> elaborate in more detail?

The server failure to give a good enough ClientWrap key (assuming that
was/is the underlying issue) or failure to support ServerWrap went from
being ignored, to causing the credentials manager not to open, and other
failures (unable to create new profiles in Outlook, apparently). 

> The Schannel / SSPI error code in question:
> SEC_E_ILLEGAL_MESSAGE 
> 0x80090326
> The message received was unexpected or badly formatted.

OK.  So the next step will be to have you able to reproduce this locally
with Windows 8.1 and credentials manager, or if not possible (which is
still odd, it reproduced first time for us, as long as the updates were
*before* the first ever domain join), then tell me what process to run
ttt on so we can confirm what the failure was.  If you can be explicit
about the change, that may also give us clues. 

Thanks,

> Regards,
> Edgar
> 
> -----Original Message-----
> From: Edgar Olougouna 
> Sent: Friday, February 13, 2015 11:22 AM
> To: 'Andrew Bartlett'
> Cc: MSSolve Case Email; [email protected]; Obaid Farooqi
> Subject: RE: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in 
> KB2992611 [115012312316449]
> 
> Andrew,
> 
> Just an FYI, I will consider the information you sent to Obaid in my 
> investigation.
> 
> He is currently out of office but forwarded me the following message. Your 
> comment appears to intersect with the other case you opened regarding 
> ClientWrap and its use case.
> 
> == Begin forwarded message ==
> 
> From: Andrew Bartlett <[email protected]>
> Date: February 13, 2015 at 10:15:50 AM GMT+5
> To: Obaid Farooqi <[email protected]>
> Cc: MSSolve Case Email <[email protected]>, "[email protected]" 
> <[email protected]>
> Subject: Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449] 
> On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote:
> 
> On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I have a fully patched system, Windows 8.1 enterprise. I verified that the 
> updates include kb2992611. I joined the machine to Samba domain before 
> patching though. 
> 
> Please do it the other way around.  That would match our steps.  It certainly 
> appears to be an issue in new profiles, after the patches. 
> 
> It may be enough to create a new user after patching, but you suggest below 
> that this doesn't help.
> 
> Have you had any luck doing this where you join the newly built, patched, 
> machine to Samba, where it has never seen the same domain before, after doing 
> the patches?
> 
> From our side, we have just finished writing the ServerWrap server-side, and 
> this 'fixes' this issue, but I strongly suspect it just works around it - that 
> the client prefers to do ClientWrap, and this is a fallback.  
> 
> As such, I still need to know what changed, and what we are doing wrong in 
> our ClientWrap server, both in master and after the patch in bug
> 11097 is applied. 
> 
> Thanks,
> 
> Andrew Bartlett
> 
> == End forwarded message ==
> 
> -----Original Message-----
> From: Andrew Bartlett [mailto:[email protected]]
> Sent: Tuesday, February 10, 2015 5:27 PM
> To: Edgar Olougouna
> Cc: MSSolve Case Email; [email protected]; Obaid Farooqi
> Subject: Re: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in 
> KB2992611 [115012312316449]
> 
> On Tue, 2015-02-10 at 22:13 +0000, Edgar Olougouna wrote:
> > Andrew,
> > I will take care of this case while my colleague (Obaid in cc) is out of 
> > office.
> > Let me review the issue and narrow the scope. I gather that you want to 
> > determine whether there's any protocol effect resulting from KB2992611, and 
> > the current leads you have been exploring are protected_storage, MS-BKRP, 
> > DPAPI regarding the use of Credential manager connected to Samba's DC.
> > Please share any current information that may help me speed up 
> > investigation.
> 
> In particular, we now see more calls to BACKUPKEY_BACKUP_GUID, that is 
> ServerWrap, vs the ClientWrap that we did have implemented.  In the past, our 
> failure to implement this had no user-visible impact, and happened only once 
> per login, now it prevents operation of credentials manager and is repeated 
> often.  It looks like it has gone from a soft to a hard error in the client 
> code, essentially. 
> 
> > I will follow-up as soon as I have an update.
> > 
> > Regards,
> > Edgar
> > 
> > -----Original Message-----
> > From: "Andrew Bartlett" <[email protected]>
> > Sent: Tuesday, February 10, 2015 12:56 AM
> > To: "Obaid Farooqi" <[email protected]>
> > Cc: "MSSolve Case Email" <[email protected]>; 
> > "[email protected]" <[email protected]>
> > Subject: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in
> > KB2992611 [115012312316449]
> > 
> > On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote: 
> > > On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote: 
> > > > Hi Andrew: 
> > > > I have a fully patched system, Windows 8.1 enterprise. I verified that
> > > > the updates include kb2992611. I joined the machine to Samba 
> > > > domain before patching though.
> > > 
> > > Please do it the other way around.  That would match our steps.  It 
> > > certainly appears to be an issue in new profiles, after the patches.
> > > 
> > > It may be enough to create a new user after patching, but you 
> > > suggest below that this doesn't help.
> > > 
> > > > I still do not see the problem. I also created a new user using active
> > > > directory users and computers from my Windows machine. No issues. 
> > > > Logged in as the newly created user and tried credentials manager but
> > > > still no issues. 
> > > > 
> > > > Is your setup on hyper-v virtual machines? Maybe you can send me both
> > > > the VHDs and I can just debug on my side to see what is happening?
> > > > 
> > > > I am not sure if opening credential manager generates any network
> > > > traffic from workstation to DC. I did not see any when I opened
> > > > credentials manager. 
> > > 
> > > The issue when reproduced should show protected_storage traffic.  
> > > You will see some during the first login in the unpatched case, and 
> > > much more of it in the patched case, per the traces I included.
> > > 
> > > I hope this is enough to help you reproduce.  Otherwise, I'll see what
> > > we can do. 
> > 
> > Are you still unable to reproduce, following these directions exactly? 
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> 
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
