[cifs-protocol] Summary of [MS-BKRP] 3.1.4.1.4 BACKUPKEY_RESTORE_GUID issues

Matthieu Patou mat at samba.org
Wed Sep 29 15:51:46 MDT 2010


  On 28/09/2010 22:35, Bryan Burgin wrote:
> Matthieu,
>
> I'm able to step through the traces you provided.
>
> Below I summarized my notes of the three issues you reported and would like you to verify:
>
> Notes:
>
>
> Matt's (Matthieu Patou [mailto:mat at samba.org]) [MS-BKRP] 3.1.4.1.4 issues
>
> ISSUE ONE
> ===========
>
> x64 08R2 TTTrace at C:\CustomerFiles\Samba_backupkey\lsass02.run
>
> On third call to Restore GUID (guidRestore = BACKUPKEY_RESTORE_GUID)
> Receiving ERROR_INTERNAL_ERROR 0x54f (1359)
> Instead of ERROR_INVALID_PARAMETER 0x57 (87)
>
OK, this error is when we send a non-flipped buffer to the server; as 
the server is not able to decrypt the secret and therefore not able to 
validate the magic numbers at the beginning of the buffer, I am expecting 
the server to always answer ERROR_INVALID_PARAMETER, as it should do 
(according to the MS-BKRP.pdf).


> ISSUE TWO
> ===========
>
>
> x64 08R2 TTTrace at C:\CustomerFiles\Samba_backupkey\lsass03.run
> Issue: BACKUPKEY_RESTORE_GUID step #1:
>
>      "Retrieve the ClientWrap key pair corresponding to the GUID specified by the guidKey field.
>      If the key pair cannot be retrieved, the server MUST return an appropriate nonzero error
>      code. The error code returned SHOULD be equal to ERROR_FILE_NOT_FOUND (0x2)."
>
> Expecting ERROR_FILE_NOT_FOUND 0x2 (2)
> Receiving ERROR_INVALID_DATA 0xd (14)
Bryan, do you remember with which server we have this? Because today 
with a w2k8 server I keep receiving WERR_IO_PENDING (0x000003E5).
It seems to be w2k8r2 (for ERROR_INVALID_DATA). In fact it seems that we 
have IO_PENDING up to and including w2k8, and then INVALID_DATA.



> ISSUE THREE
> ===========
>
> x86 Server 2003 SP2??? TTTrace at C:\CustomerFiles\Samba_backupkey\lsass01_bis.run
>
> Issue: BACKUPKEY_RESTORE_GUID step #1:
>
>      "Retrieve the ClientWrap key pair corresponding to the GUID specified by the guidKey field.
>      If the key pair cannot be retrieved, the server MUST return an appropriate nonzero error
>      code. The error code returned SHOULD be equal to ERROR_FILE_NOT_FOUND (0x2)."
>
> Receiving 0x80090005 (NTE_BAD_DATA???)
> Instead of ERROR_FILE_NOT_FOUND 0x2 (2)

I'm not able to reproduce this right now.

Also, last week at SNIA I reported to matthiew (sorry, no family name) 
the question related to the "quality" of the randomness of the buffer 
specified at "3.2.4.1 Performing Client-Side Wrapping of Secrets", step 
6: "Construct the AccessCheck structure and then fill the Pad field with 
random data."

We also have the behavior of the DC when it's an RODC that needs to be 
explained.

He reported to me that nothing special is needed for this buffer, so the 
random data can be anything (i.e. zeros). Can this information be added 
to the MS-BKRP documentation?

Also, in what is acted you should add:
* the information about the reversed buffer for the secret
* the information about the reversed bytes for the behavior note 
<5> attached to Section 2.2.1: "The serialNumber field is identical to 
the subjectUniqueID field.", as it is identical but with flipped bytes
* information about the fact that the client should use privacy and 
integrity with schannel to transport the message (I would like you to 
also add a behavior note that Windows up to 2008R2 is also 
happy with just integrity).




Cheers Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org


