Bug 11097 - Win8.1 Credentials Manager issue after KB2992611 on Samba domain due to missing ServerWrap in BackupKey
Summary: Win8.1 Credentials Manager issue after KB2992611 on Samba domain due to missi...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.1.11
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
: 10980 11538 11754 (view as bug list)
Depends on: 11416
Blocks: 10077 10980 11135
  Show dependency treegraph
 
Reported: 2015-02-13 05:00 UTC by Garming Sam
Modified: 2017-01-19 04:37 UTC (History)
8 users (show)

See Also:


Attachments
Patch to impelement ServerWrap in BackupKey (135.55 KB, patch)
2015-02-13 05:06 UTC, Garming Sam
kseeger: review? (abartlet)
Details
4.2 patch cherry-picked from master (142.34 KB, patch)
2015-03-02 23:29 UTC, Andrew Bartlett
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Garming Sam 2015-02-13 05:00:56 UTC
As described in 
https://social.technet.microsoft.com/Forums/windows/en-US/47faab6b-d717-4068-bee4-c694811e0066/credential-manager-problems-error-0x80090345?forum=w8itpronetworking
and
https://lists.samba.org/archive/samba/2015-January/188388.html

Since KB2992611 clients appear to now be using the ClientWrap part of the protocol, which was unimplemented.
Comment 1 Garming Sam 2015-02-13 05:06:25 UTC
Created attachment 10721 [details]
Patch to impelement ServerWrap in BackupKey
Comment 2 Andrew Bartlett 2015-03-02 23:29:19 UTC
Created attachment 10808 [details]
4.2 patch cherry-picked from master

The attached patch has the cherry-pick markers.
Comment 3 Andrew Bartlett 2015-03-02 23:32:06 UTC
Additionally, this issue describes Active Directory Users and Computers failing to add objects to a Samba AD DC after this KB has been applied.  Both issues are resolved by implementing the ServerWrap protocol in BackupKey.
Comment 4 Karolin Seeger 2015-03-03 21:07:07 UTC
Pushed to autobuild-v4-2-test.
Comment 5 Karolin Seeger 2015-03-04 10:35:39 UTC
Pushed to v4-2-test.
Closing out bug report.

Thanks!
Comment 6 Björn Jacke 2015-03-04 21:45:34 UTC
*** Bug 10980 has been marked as a duplicate of this bug. ***
Comment 7 Stefan Tollkühn 2015-05-18 16:10:33 UTC
Working with Sernet Packages (Samba 4.2) and Windows 8.1 as domain member, I can not confirm that this issue is fixed. We still are not able to use the Credential Manager via the Control Panel.

Am I missing something?

Regards

Stefan
Comment 8 Stefan Tollkühn 2015-05-18 17:49:09 UTC
The problem does not occur on Windows 7 devices.

Error messages is 0x80090345 when starting Credential Manager on Windows 8.1.

Regards

Stefan
Comment 9 Andrew Bartlett 2015-05-18 20:11:44 UTC
(In reply to Stefan Tollkühn from comment #8)

Are you using Samba as an AD DC, or as a classic DC?
Comment 10 Stefan Tollkühn 2015-05-19 07:08:40 UTC
Hi Andrew,

thanks for replying. I wasn't sure if opening a new bug would be better. Anyway, we deployed a Samba4 AD DC with 3 DCs over 2 Sites (2 DCs on our main site, 1 DC at our other office). All three were upgraded from 4.1 (latest packages from SerNet). We raised the forrest and the domain level from a 2k3 to 2k8R2. We are using no Windows Servers (neither as member or DC) just Windows Clients (7 Pro/Ultimate and 8.1 Pro). I first noticed the problem yesterday, when we were running still Samba 4.1.x. After digging through search for 0x80090345 I found this bug report and immediately updated to 4.2.1-7.

I can provide you the configs and logs if needed.

Thanks and regards

Stefan
Comment 11 Marc Jaschke 2015-05-20 18:36:26 UTC
(In reply to Stefan Tollkühn from comment #10)

Hi Stefan,
this fixed it for me:
https://lists.samba.org/archive/samba/2014-November/187205.html

I'd guess i got a bad RSA Key stored in there.

Regards,
 Marc
Comment 12 Andrew Bartlett 2015-05-20 21:37:04 UTC
(In reply to Marc Jaschke from comment #11)
Can you please file a new bug asking for this to be detected with dbcheck.  That would be the appropriate way to fix it (it would then do the same).  Bonus points if you provide a dbcheck patch :-)
Comment 13 Stefan Tollkühn 2015-05-21 09:17:12 UTC
Hi Marc,

thank you, this did the trick. But instead of using ldbdel I used AD Explorer from sysinternals.

Thank you very much.

Regards

Stefan
Comment 14 Andrew Bartlett 2015-10-07 02:10:44 UTC
*** Bug 11538 has been marked as a duplicate of this bug. ***
Comment 15 Andrew Bartlett 2016-04-07 07:44:11 UTC
*** Bug 11754 has been marked as a duplicate of this bug. ***