On Fri, 2015-02-20 at 17:03 +1300, Andrew Bartlett wrote:
> On Thu, 2015-02-19 at 22:25 +0000, Edgar Olougouna wrote:
> > Andrew,
> > After tracking down the corresponding code fix applied in MS14-066 /
> > KB2992611, we observe that this security update simply addresses a
> > Schannel code vulnerability, and does not appear to introduce any
> > protocol change.
> > It does trigger a local error when it detects the specific anomaly,
> > i.e. during certificate signature verification check, but as such the
> > same error was already returned in many other checks. If this occurs
> > on a client, then the calling application will obviously bail out.
> > Regarding your observation: “It looks like it has gone from a soft to
> > a hard error in the client code, essentially.”
> > We are concerned about what you meant by soft vs hard error. Can you
> > elaborate in more detail?
>
> The server failure to give a good enough ClientWrap key (assuming that
> was/is the underlying issue) or failure to support ServerWrap went from
> being ignored, to causing the credentials manager not to open, and other
> failures (unable to create new profiles in Outlook, apparently).
>
> > The Schannel / SSPI error code in question:
> > SEC_E_ILLEGAL_MESSAGE
> > 0x80090326
> > The message received was unexpected or badly formatted.
>
> OK. So the next step will be to have you able to reproduce this locally
> with Windows 8.1 and credentials manager, or if not possible (which is
> still odd, it reproduced first time for us, as long as the updates were
> *before* the first ever domain join), then tell me what process to run
> ttt on so we can confirm what the failure was. If you can be explicit
> about the change, that may also give us clues.

Going back to Obiad's question earlier, I can offer you the disks of the
virtual machines. They run under Linux KVM (using libvirt drivers), but
I'm sure you can work it out.

While I have many questions outstanding with dochelp, this issue is the
most pressing for me, because while we appear to have a fix, I still
don't understand what changed and why, and strongly suspect a larger
underlying issue.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
