[cifs-protocol] [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
Jeff McCashland (He/him)
jeffm at microsoft.com
Wed Dec 13 17:45:25 UTC 2023
Hi Andreas,
I found that the cause of the INVALID_PARAMETER error is that cbCipher is too small in the PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure included in the request.
The value sent is 0xD0 (208), while we were expecting at least 520 (0x208). Is there some significance that the correct hex value matches the passed decimal value?
Please let me know if this doesn't fully answer your question.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Monday, December 11, 2023 9:28 AM
To: Andreas Schneider <asn at samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
Hi Andrew,
Thank you for the information. I will let you know what I find.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
-----Original Message-----
From: Andreas Schneider <asn at samba.org>
Sent: Monday, December 11, 2023 6:23 AM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
Subject: Re: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
On Thursday, 7 December 2023 20:43:05 CET Jeff McCashland (He/him) wrote:
> Hi Andreas,
Hi Jeff,
> I was not able to find an INVALID_PARAMETER failure in the provided
> network trace. Is this the network trace that was collected at the
> same time as the TTT trace?
I've compiled wireshark from the git master branch. This has support for decoding the new lsa calls correctly. I opened the wireshark trace I sent you with it and the first LsarCreateTrustedDomainEx3 request is frame 76. Frame 77 is the corresponding response which returns INVALID_PARAMETER (screenshot attached).
I hope that helps. Thanks for your help.
Best regards
Andreas
> I see the INVALID_PARAMETER error in your smbtorture logs, but I don't
> know which packet in the network trace that relates to.
>
> Could you clarify?
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://suppo/
> rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> 7C57e7e1341d7243e6808108dbfa54bc29%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638379014130155860%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=QJVmNP2krXHQDVe%2B1OQnuwGDsK2yfgH6hyezrqzjaQY%3D&reserved=0 |
> Extension
> 1138300
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Wednesday, December 6, 2023 7:53 AM
> To: Andreas Schneider <asn at samba.org>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol
> <cifs-protocol at lists.samba.org> Subject: RE: [EXTERNAL] [MS-LSAD] Need
> help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
>
> Hi Andreas,
>
> Hopefully the LSASS TTT will tell us which parameter it is. I will let
> you know.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://suppo/
> rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> 7C57e7e1341d7243e6808108dbfa54bc29%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638379014130166111%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=YozjfDZHR1hYS4F9VW4bWyBSwETo0h5MzsNIKienQP4%3D&reserved=0 |
> Extension
> 1138300
>
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Wednesday, December 6, 2023 1:41 AM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol
> <cifs-protocol at lists.samba.org> Subject: Re: [EXTERNAL] [MS-LSAD] Need
> help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372 On
> Tuesday, 5 December 2023 23:40:12 CET Jeff McCashland (He/him) wrote:
> > Hi Andreas,
>
> Hi Jeff,
>
> > I would like to collect LSASS TTT traces to troubleshoot the failure.
>
> Thank you very much for your help!
>
> I've uploaded lsass03.zip to the workspace. It includes the TimeTrace,
> the network trace and smbtorture debug log.
>
> Günther just added support for LsarCreateTrustedDomainEx3 to Wireshark
> two weeks ago [1]. I don't think the code is in a release yet. You
> wont see the calls nicely unmarshalled yet. However I attached
> smbtorture debug log. You can see the NDR printout there.
>
> The question is which input paramter LsarCreateTrustedDomainEx3 thinks
> is invalid. Once I know that, I can fix hopefully the test :-)
>
>
> Thank you very much for your assistance! This is much appreciated.
>
>
> Best regards
>
>
> Andreas
>
>
> [1]
> https://gitl/
> ab.com%2Fwireshark%2Fwireshark%2F-%2Fmerge_requests%2F13370&data=05%7C
> 02%7Cjeffm%40microsoft.com%7C57e7e1341d7243e6808108dbfa54bc29%7C72f988
> bf86f141af91ab2d7cd011db47%7C1%7C0%7C638379014130172902%7CUnknown%7CTW
> FpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
> Mn0%3D%7C3000%7C%7C%7C&sdata=8V1KVQz858RkWskCVF8lfnHCfaVT35PmtTZXNoTOd
> Ds%3D&reserved=0
>
> > The LSASS traces can be quite large, but are highly compressible, so
> > please add them to a .zip archive before uploading (file transfer
> > workspace credentials are below). Please log into the workspace and
> > find PartnerTTDRecorder_x86_x64.zip available for download. The x64
> > tool can be staged onto the Windows server in any location
> > (instructions below assume C:\TTD).
> >
> > To collect the needed traces:
> > 1. From a PowerShell prompt, execute:
> > C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME
> >
> > lsass | Format-Wide -Property
> > ID).formatEntryInfo.formatPropertyField.propertyValue) 2. Wait for a
> > little window to pop up in top left corner of your screen, titled
> > "lsass01.run" 3. start a network trace using netsh or WireShark, etc.
> >
> > 4. Repro the attempted operation
> > 5. Stop the network trace and save it
> > 6. CAREFULLY: uncheck the checkbox next to "Tracing" in the
> >
> > small "lsass01.run" window. Do not close or exit the small window or
> > you will need to reboot. 7. The TTTracer.exe process will generate a
> > trace file, then print out the name and location of the file.
> > Compress the *.run file into a .zip archive before uploading with
> > the matching network trace. It is a good idea to reboot the machine
> > at the next opportunity to restart the lsass process.
> >
> > Workspace credentials:
> > Log in as: 2312050040012372_andreas at dtmxfer.onmicrosoft.com
> > 1-Time: 3fjE7C5Q
> >
> > Workspace link:
> > https://supp/
> > ort.microsoft.com%2Ffiles%3Fworkspace%3DeyJ0eXAiOiJKV1QiLCJhbGciOiJS
> > U&
> > data=05%7C02%7Cjeffm%40microsoft.com%7C54e1a37f1c1443631fff08dbf63f7
> > 00
> > f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638374524565853145%7C
> > Un
> > known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1h
> > aW
> > wiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=dzdf2v%2BshYAg5YkvoUpsI%2BiM2
> > f1
> > FuLIaxMoDK1zJanU%3D&reserved=0
> > zI1NiJ9.eyJ3c2lkIjoiMmFkNGE3MjEtZDBjMS00YzFkLTlhMzItY2ZlMGE1YmI0MWJm
> > Ii
> > wic3Ii
> > OiIyMzEyMDUwMDQwMDEyMzcyIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUz
> > OC
> > 1lYTNi
> > ZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiI0YzNmODcy
> > OS
> > 1iZGY3
> > LTQ5MzUtYjE3My02ZGVmY2Q5ODY3ZTAiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1
> > bG
> > EubWlj
> > cm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MDk1OTE2NjQsIm5i
> > Zi
> > I6MTcw
> > MTgxNTY2NH0.aoqsUChbv4ldUIHza-JNdUpjPPE6iosBaQpCZ49SyHTSanGlhty-H-f_
> > 2t
> > lGEFYq
> > PmDkt5SsQ9_fyOTERFuxtCYbfNeFZSVyWyI_AW_mLy06ymrLISZamM0GObMwd8xkSJrl
> > 6s
> > MHiQd6
> > pBtoQ4tIaA3yebDax4mrbJbSjgolCVFcXhwMVOdSocmTwwV5jnC4gKalHF6H-UKMHkZb
> > Kn
> > Aqyui2
> > Eg4tAT9sNTlrUDaxznIMuA1s0Z2YT2X6jVGMugeJHf5NiO0N6DOlEcQOyeCSXsWoLxJo
> > F6
> > CT3Q1e
> > o5otojkQv3QD-IrpZU2RHpPTpWcH9TAcus-fH2KdDD-670wxHw&wid=2ad4a721-d0c1
> > -4
> > c1d-9a
> > 32-cfe0a5bb41bf
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > http://suppo/
> > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.co
> > m%
> > 7C54e1a37f1c1443631fff08dbf63f700f%7C72f988bf86f141af91ab2d7cd011db4
> > 7%
> > 7C1%7C0%7C638374524565858700%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
> > wM
> > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sd
> > at
> > a=EQOmU95wBWcFuv2c56sDxW8YHrBn2%2FCnX34U4igxtow%3D&reserved=0 |
> > Extension
> > 1138300
> >
> > -----Original Message-----
> > From: Jeff McCashland (He/him)
> > Sent: Tuesday, December 5, 2023 11:50 AM
> > To: Andreas Schneider <asn at samba.org>; cifs-protocol
> > <cifs-protocol at lists.samba.org> Cc: Microsoft Support
> > <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> > LsarCreateTrustedDomainEx3
> > - TrackingID#2312050040012372
> >
> > [Michael to BCC]
> >
> > Hi Andreas,
> >
> > I will dig into your question and let you know what I find.
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > http://suppo/
> > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.co
> > m%
> > 7C54e1a37f1c1443631fff08dbf63f700f%7C72f988bf86f141af91ab2d7cd011db4
> > 7%
> > 7C1%7C0%7C638374524565862806%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
> > wM
> > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sd
> > at
> > a=X2E1OH%2FlPSBqIUii84PAHkxyXw5B5GNlk22G5AzwWk4%3D&reserved=0 |
> > Extension
> > 1138300
> >
> > -----Original Message-----
> > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > Sent: Tuesday, December 5, 2023 11:25 AM
> > To: Andreas Schneider <asn at samba.org>; cifs-protocol
> > <cifs-protocol at lists.samba.org> Cc: Microsoft Support
> > <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> > LsarCreateTrustedDomainEx3
> > - TrackingID#2312050040012372
> >
> > [DocHelp to BCC]
> > Hi Andreas,
> >
> > Thank you for your question about MS-LSAD. Case number
> > 2312050040012372 has been created to track this issue, one of our
> > engineers will contact you soon.
> >
> > Best regards,
> > Mike Bowen
> > Escalation Engineer - Microsoft Open Specifications
> >
> > -----Original Message-----
> > From: Andreas Schneider <asn at samba.org>
> > Sent: Tuesday, December 5, 2023 5:34 AM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>;
> > cifs-protocol <cifs-protocol at lists.samba.org> Subject: [EXTERNAL]
> > [MS-LSAD] Need help with LsarCreateTrustedDomainEx3
> >
> > Hi Dochelp Team!
> >
> > I'm currently trying to write an smbtorture test for
> > LsarCreateTrustedDomainEx3. My test doesn't work against Windows
> > Server 2022.
> >
> > lsa_CreateTrustedDomainEx3: struct lsa_CreateTrustedDomainEx3
> >
> > out: struct lsa_CreateTrustedDomainEx3
> >
> > trustdom_handle : *
> >
> > trustdom_handle: struct policy_handle
> >
> > handle_type : 0x00000000 (0)
> >
> > uuid :
> > 00000000-0000-0000-0000-000000000000
> >
> > result : NT_STATUS_INVALID_PARAMETER
> >
> > The test is more or less the same as we have for
> > LsarCreateTrustedDomainEx2, but it fails for
> > LsarCreateTrustedDomainEx3 with NT_STATUS_INVALID_PARAMETER. Another
> > Samba Team member did check the code I wrote and could find anything
> > wrong.
> >
> > I've tried to turn on debug logging for the netlogon service on
> > windows, but it doesn't log anything useful. So I'm not able to
> > figure out what value the server thinks is invalid.
> >
> > Could someone of the Dochelp Team help me if I create a Time Trace
> > and figure out on which input value the server chokes?
> >
> >
> > Thanks for your help.
> >
> >
> > Best regards
> >
> > Andreas Schneider
> >
> > --
> > Andreas Schneider asn at samba.org
> > Samba Team http://www.samba.org/
> > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
> --
> Andreas Schneider asn at samba.org
> Samba Team http://www.samba.org/
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
--
Andreas Schneider asn at samba.org
Samba Team http://www.samba.org/
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the cifs-protocol
mailing list