[cifs-protocol] [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372

Jeff McCashland (He/him) jeffm at microsoft.com
Thu Dec 7 19:43:05 UTC 2023 

Hi Andreas,

I was not able to find an INVALID_PARAMETER failure in the provided network trace. Is this the network trace that was collected at the same time as the TTT trace?

I see the INVALID_PARAMETER error in your smbtorture logs, but I don't know which packet in the network trace that relates to.

Could you clarify?

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Wednesday, December 6, 2023 7:53 AM
To: Andreas Schneider <asn at samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372

Hi Andreas,

Hopefully the LSASS TTT will tell us which parameter it is. I will let you know.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Andreas Schneider <asn at samba.org>
Sent: Wednesday, December 6, 2023 1:41 AM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
Subject: Re: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372

On Tuesday, 5 December 2023 23:40:12 CET Jeff McCashland (He/him) wrote:
> Hi Andreas,

Hi Jeff,

> I would like to collect LSASS TTT traces to troubleshoot the failure.

Thank you very much for your help!

I've uploaded lsass03.zip to the workspace. It includes the TimeTrace, the network trace and smbtorture debug log.

Günther just added support for LsarCreateTrustedDomainEx3 to Wireshark two weeks ago [1]. I don't think the code is in a release yet. You wont see the calls nicely unmarshalled yet. However I attached smbtorture debug log. You can see the NDR printout there.

The question is which input paramter LsarCreateTrustedDomainEx3 thinks is invalid. Once I know that, I can fix hopefully the test :-)


Thank you very much for your assistance! This is much appreciated.


Best regards


        Andreas


[1] https://gitlab.com/wireshark/wireshark/-/merge_requests/13370

> The LSASS traces can be quite large, but are highly compressible, so
> please add them to a .zip archive before uploading (file transfer
> workspace credentials are below). Please log into the workspace and
> find PartnerTTDRecorder_x86_x64.zip available for download. The x64
> tool can be staged onto the Windows server in any location
> (instructions below assume C:\TTD).
>
> To collect the needed traces:
>         1. From a PowerShell prompt, execute:
>                 C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME
> lsass | Format-Wide -Property
> ID).formatEntryInfo.formatPropertyField.propertyValue) 2. Wait for a
> little window to pop up in top left corner of your screen, titled "lsass01.run" 3.
> start a network trace using netsh or WireShark, etc.
>         4. Repro the attempted operation
>         5. Stop the network trace and save it
>         6. CAREFULLY: uncheck the checkbox next to "Tracing" in the
> small "lsass01.run" window. Do not close or exit the small window or
> you will need to reboot. 7. The TTTracer.exe process will generate a
> trace file, then print out the name and location of the file. Compress
> the *.run file into a .zip archive before uploading with the matching
> network trace. It is a good idea to reboot the machine at the next
> opportunity to restart the lsass process.
>
> Workspace credentials:
> Log in as: 2312050040012372_andreas at dtmxfer.onmicrosoft.com
> 1-Time: 3fjE7C5Q
>
> Workspace link:
> https://supp/
> ort.microsoft.com%2Ffiles%3Fworkspace%3DeyJ0eXAiOiJKV1QiLCJhbGciOiJSU&
> data=05%7C02%7Cjeffm%40microsoft.com%7C54e1a37f1c1443631fff08dbf63f700
> f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638374524565853145%7CUn
> known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haW
> wiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=dzdf2v%2BshYAg5YkvoUpsI%2BiM2f1
> FuLIaxMoDK1zJanU%3D&reserved=0
> zI1NiJ9.eyJ3c2lkIjoiMmFkNGE3MjEtZDBjMS00YzFkLTlhMzItY2ZlMGE1YmI0MWJmIi
> wic3Ii
> OiIyMzEyMDUwMDQwMDEyMzcyIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC
> 1lYTNi
> ZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiI0YzNmODcyOS
> 1iZGY3
> LTQ5MzUtYjE3My02ZGVmY2Q5ODY3ZTAiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bG
> EubWlj
> cm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MDk1OTE2NjQsIm5iZi
> I6MTcw
> MTgxNTY2NH0.aoqsUChbv4ldUIHza-JNdUpjPPE6iosBaQpCZ49SyHTSanGlhty-H-f_2t
> lGEFYq
> PmDkt5SsQ9_fyOTERFuxtCYbfNeFZSVyWyI_AW_mLy06ymrLISZamM0GObMwd8xkSJrl6s
> MHiQd6
> pBtoQ4tIaA3yebDax4mrbJbSjgolCVFcXhwMVOdSocmTwwV5jnC4gKalHF6H-UKMHkZbKn
> Aqyui2
> Eg4tAT9sNTlrUDaxznIMuA1s0Z2YT2X6jVGMugeJHf5NiO0N6DOlEcQOyeCSXsWoLxJoF6
> CT3Q1e
> o5otojkQv3QD-IrpZU2RHpPTpWcH9TAcus-fH2KdDD-670wxHw&wid=2ad4a721-d0c1-4
> c1d-9a
> 32-cfe0a5bb41bf
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://suppo/
> rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> 7C54e1a37f1c1443631fff08dbf63f700f%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638374524565858700%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=EQOmU95wBWcFuv2c56sDxW8YHrBn2%2FCnX34U4igxtow%3D&reserved=0 |
> Extension
> 1138300
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Tuesday, December 5, 2023 11:50 AM
> To: Andreas Schneider <asn at samba.org>; cifs-protocol
> <cifs-protocol at lists.samba.org> Cc: Microsoft Support
> <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> LsarCreateTrustedDomainEx3
> - TrackingID#2312050040012372
>
> [Michael to BCC]
>
> Hi Andreas,
>
> I will dig into your question and let you know what I find.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://suppo/
> rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> 7C54e1a37f1c1443631fff08dbf63f700f%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638374524565862806%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=X2E1OH%2FlPSBqIUii84PAHkxyXw5B5GNlk22G5AzwWk4%3D&reserved=0 |
> Extension
> 1138300
>
> -----Original Message-----
> From: Michael Bowen <Mike.Bowen at microsoft.com>
> Sent: Tuesday, December 5, 2023 11:25 AM
> To: Andreas Schneider <asn at samba.org>; cifs-protocol
> <cifs-protocol at lists.samba.org> Cc: Microsoft Support
> <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> LsarCreateTrustedDomainEx3
> - TrackingID#2312050040012372
>
> [DocHelp to BCC]
> Hi Andreas,
>
> Thank you for your question about MS-LSAD. Case number
> 2312050040012372 has been created to track this issue, one of our
> engineers will contact you soon.
>
> Best regards,
> Mike Bowen
> Escalation Engineer - Microsoft Open Specifications
>
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Tuesday, December 5, 2023 5:34 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>;
> cifs-protocol <cifs-protocol at lists.samba.org> Subject: [EXTERNAL]
> [MS-LSAD] Need help with LsarCreateTrustedDomainEx3
>
> Hi Dochelp Team!
>
> I'm currently trying to write an smbtorture test for
> LsarCreateTrustedDomainEx3. My test doesn't work against Windows
> Server 2022.
>
>      lsa_CreateTrustedDomainEx3: struct lsa_CreateTrustedDomainEx3
>         out: struct lsa_CreateTrustedDomainEx3
>             trustdom_handle          : *
>                 trustdom_handle: struct policy_handle
>                     handle_type              : 0x00000000 (0)
>                     uuid                     :
> 00000000-0000-0000-0000-000000000000
>             result                   : NT_STATUS_INVALID_PARAMETER
>
> The test is more or less the same as we have for
> LsarCreateTrustedDomainEx2, but it fails for
> LsarCreateTrustedDomainEx3 with NT_STATUS_INVALID_PARAMETER. Another
> Samba Team member did check the code I wrote and could find anything wrong.
>
> I've tried to turn on debug logging for the netlogon service on
> windows, but it doesn't log anything useful. So I'm not able to figure
> out what value the server thinks is invalid.
>
> Could someone of the Dochelp Team help me if I create a Time Trace and
> figure out on which input value the server chokes?
>
>
> Thanks for your help.
>
>
> Best regards
>
>
>         Andreas Schneider
>
> --
> Andreas Schneider                      asn at samba.org
> Samba Team                             http://www.samba.org/
> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D


--
Andreas Schneider                      asn at samba.org
Samba Team                             http://www.samba.org/
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the cifs-protocol mailing list