[cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

Jeff McCashland (He/him) jeffm at microsoft.com
Fri Feb 9 18:42:30 UTC 2024


Hi Stefan,

We have updated [MS-LSAD] for the next release:

3.1.4.7.10 LsarCreateTrustedDomainEx2 (Opnum 59)

AuthenticationInformation: A structure containing an encrypted LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) which specifies the authentication information for the trusted domain. The server first MUST decrypt this data structure using an algorithm (as specified in section 5.1.1) with the key being the session key negotiated by the transport.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Wednesday, January 10, 2024 9:12 AM
To: Stefan Metzmacher <metze at samba.org>; Andreas Schneider <asn at samba.org>; cifs-protocol at lists.samba.org
Subject: RE: [cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

We'll take another look.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org> 
Sent: Tuesday, January 9, 2024 11:53 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Andreas Schneider <asn at samba.org>; cifs-protocol at lists.samba.org
Subject: Re: [cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

Hi Jeff,

> We have updated [MS-LSAD] for the next release to address this issue:
> 
> 2.2.7.29 LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> The LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure communicates authentication material. The cleartext password data is in the form of a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16). The following structure corresponds to the TrustedDomainAuthInformationInternalAes information class (section 2.2.7.2).
> 
> 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129)
> AuthenticationInformation: A structure containing encrypted LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) authentication information for the trusted domain.
> If the length of cbCipher in AuthenticationInformation is less than (512 + IncomingAuthInfoSize + OutgoingAuthInfoSize) the server MUST return STATUS_INVALID_PARAMETER.

Please note that LSAPR_TRUSTED_DOMAIN_AUTH_BLOB is not strictly correct.

Maybe it would be useful to define a new separate structure for the content of LSAPR_TRUSTED_DOMAIN_AUTH_BLOB.AuthBlob, as that's what is used in LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES.Cipher.

metze
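Added illustration (not code from the thread, from Samba, or from Microsoft) of the server-side length check quoted from 3.1.4.7.17 above, run over a constructed AuthBlob: it assumes the AuthBlob layout of a 512-byte confounder followed by the auth-info records and two 4-byte size trailers (which is why an empty blob comes to the 520 bytes named in the subject line), and it assumes the session-key decryption has already taken place. All function and constant names are the example's own.

```python
import os
import struct

# NTSTATUS values used by the quoted spec text.
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D

# Assumed AuthBlob layout (example assumption, check it against [MS-LSAD] 2.2.7.16):
# 512 random confounder bytes, the outgoing then incoming auth-info records, and
# finally two little-endian uint32 fields: OutgoingAuthInfoSize, IncomingAuthInfoSize.
CONFOUNDER_LEN = 512
TRAILER_LEN = 8
MIN_BLOB_LEN = CONFOUNDER_LEN + TRAILER_LEN   # 520: an AuthBlob with no auth infos


def build_auth_blob(outgoing: bytes, incoming: bytes, trailer_sizes=None) -> bytes:
    """Constructed sample AuthBlob (not a real trust). trailer_sizes lets a caller
    write an inconsistent trailer to show the length check rejecting it."""
    out_size, in_size = trailer_sizes or (len(outgoing), len(incoming))
    trailer = struct.pack("<II", out_size, in_size)
    return os.urandom(CONFOUNDER_LEN) + outgoing + incoming + trailer


def parse_auth_info_sizes(auth_blob: bytes):
    """Return (OutgoingAuthInfoSize, IncomingAuthInfoSize) read from the trailer,
    or None when the blob cannot even hold the confounder plus the trailer."""
    if len(auth_blob) < MIN_BLOB_LEN:
        return None
    return struct.unpack_from("<II", auth_blob, len(auth_blob) - TRAILER_LEN)


def validate_auth_information(auth_blob: bytes, cb_cipher=None) -> int:
    """The MUST check from the quoted 3.1.4.7.17 text, applied to the decrypted
    Cipher contents: reject when cbCipher < 512 + IncomingAuthInfoSize +
    OutgoingAuthInfoSize. cb_cipher defaults to the decrypted blob length."""
    if cb_cipher is None:
        cb_cipher = len(auth_blob)
    sizes = parse_auth_info_sizes(auth_blob)
    if sizes is None:
        # Too short to carry the trailer at all; the sizes cannot be trusted.
        return STATUS_INVALID_PARAMETER
    outgoing_size, incoming_size = sizes
    if cb_cipher < CONFOUNDER_LEN + incoming_size + outgoing_size:
        # Trailer claims more auth-info bytes than the cipher could have carried.
        return STATUS_INVALID_PARAMETER
    return STATUS_SUCCESS


if __name__ == "__main__":
    blob = build_auth_blob(b"\x01" * 20, b"\x02" * 12)
    print(hex(validate_auth_information(blob)))
    print(hex(validate_auth_information(build_auth_blob(b"", b"", trailer_sizes=(100, 0)))))
```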