[cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

[Jeff McCashland (He/him)]

We'll take another look. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org> 
Sent: Tuesday, January 9, 2024 11:53 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Andreas Schneider <asn at samba.org>; cifs-protocol at lists.samba.org
Subject: Re: [cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

Hi Jeff,

> We have updated [MS-LSAD] for the next release to address this issue:
> 
> 2.2.7.29 LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> The LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure communicates authentication material. The cleartext password data is in the form of a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16). The following structure corresponds to the TrustedDomainAuthInformationInternalAes information class (section 2.2.7.2).
> 
> 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129)
> AuthenticationInformation: A structure containing encrypted LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) authentication information for the trusted domain.
> If the length of cbCipher in AuthenticationInformation is less than (512 + IncomingAuthInfoSize + OutgoingAuthInfoSize) the server MUST return STATUS_INVALID_PARAMETER.

Please note that LSAPR_TRUSTED_DOMAIN_AUTH_BLOB is not strictly correct.

Maybe it would be useful to define a new separate structure for the content of LSAPR_TRUSTED_DOMAIN_AUTH_BLOB.AuthBlob. As that's what is used in LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES.Cipher

metze