[cifs-protocol] Summary of [MS-BKRP] 3.1.4.1.4 BACKUPKEY_RESTORE_GUID issues
Matthieu Patou
mat at samba.org
Wed Sep 29 15:51:46 MDT 2010
On 28/09/2010 22:35, Bryan Burgin wrote:
> Matthieu,
>
> I'm able to step through the traces you provided.
>
> Below I summarized my notes of the three issues you reported and would like you to verify:
>
> Notes:
>
>
> Matt's (Matthieu Patou [mailto:mat at samba.org]) [MS-BKRP] 3.1.4.1.4 issues
>
> ISSUE ONE
> ===========
>
> x64 08R2 TTTrace at C:\CustomerFiles\Samba_backupkey\lsass02.run
>
> On third call to Restore GUID (guidRestore = BACKUPKEY_RESTORE_GUID)
> Receiving ERROR_INTERNAL_ERROR 0x54f (1359)
> Instead of ERROR_INVALID_PARAMETER 0x57 (87)
>
OK, this error is when we send a non-flipped buffer to the server; as
the server is not able to decrypt the secret and therefore not able to
validate the magic numbers at the beginning of the buffer, I am expecting
the server to always answer ERROR_INVALID_PARAMETER, as it should do
(according to the MS-BKRP.pdf).
> ISSUE TWO
> ===========
>
>
> x64 08R2 TTTrace at C:\CustomerFiles\Samba_backupkey\lsass03.run
> Issue: BACKUPKEY_RESTORE_GUID step #1:
>
> "Retrieve the ClientWrap key pair corresponding to the GUID specified by the guidKey field.
> If the key pair cannot be retrieved, the server MUST return an appropriate nonzero error
> code. The error code returned SHOULD be equal to ERROR_FILE_NOT_FOUND (0x2)."
>
> Expecting ERROR_FILE_NOT_FOUND 0x2 (2)
> Receiving ERROR_INVALID_DATA 0xd (14)
Bryan, do you remember with which server we have this? Because today
with a w2k8 server I keep receiving WERR_IO_PENDING (0x000003E5).
It seems to be w2k8r2 (for ERROR_INVALID_DATA). In fact it seems that we
have IO_PENDING up to and including w2k8, and then INVALID_DATA.
> ISSUE THREE
> ===========
>
> x86 Server 2003 SP2??? TTTrace at C:\CustomerFiles\Samba_backupkey\lsass01_bis.run
>
> Issue: BACKUPKEY_RESTORE_GUID step #1:
>
> "Retrieve the ClientWrap key pair corresponding to the GUID specified by the guidKey field.
> If the key pair cannot be retrieved, the server MUST return an appropriate nonzero error
> code. The error code returned SHOULD be equal to ERROR_FILE_NOT_FOUND (0x2)."
>
> Receiving 0x80090005 (NTE_BAD_DATA???)
> Instead of ERROR_FILE_NOT_FOUND 0x2 (2)
I'm not able to reproduce this right now.

Also, last week at SNIA I reported to matthiew (sorry, no family name)
the question related to the "quality" of the randomness of the buffer
specified at "3.2.4.1 Performing Client-Side Wrapping of Secrets" step
6: "Construct the AccessCheck structure and then fill the Pad field with
random data."

We also have the behavior of the DC when it's a RODC that needs to be
explained.

He reported to me that nothing special is needed for this buffer, so the
random data can be anything (i.e. zeros). Can this information be added
to the MS-BKRP documentation?

Also, in what is acted you should add:
* the information about the reversed buffer for the secret
* the information about the reversed bytes for the behavior note
<5> attached to Section 2.2.1: "The serialNumber field is identical to
the subjectUniqueID field.", as it is identical but with flipped bytes
* information about the fact that the client should use privacy and
integrity with schannel to transport the message (I would like you to
also add a behavior note that Windows up to 2008R2 is also
happy with just integrity).

Cheers Matthieu.
--
Matthieu Patou
Samba Team http://samba.org