[cifs-protocol] [REG:115030312463820] Windows behavior re '0x80070057 the parameter is incorrect'

Bryan Burgin bburgin at microsoft.com
Sun Mar 22 19:10:31 MDT 2015 

Hi Andrew.

I know you're out of the office hiking around.  We hope you had a wonderful time (assuming you're reading this in a few weeks).

We worked out what is causing this.  We are sending a [MS-SRVS] NetShareGetInfo packet for Level 502 information.  In the response, we're receiving a SECURITY_DESCRIPTOR that has a NULL Owner SID (OffsetOwner).

We can argue if that's permissible or not.  In [MS-DTYP] 2.4.6 SECURITY_DESCRIPTOR it discusses: "OffsetOwner (4 bytes): An unsigned 32-bit integer that specifies the offset to the SID. This SID specifies the owner of the object to which the security descriptor is associated. This must be a valid offset if the OD flag is not set. If this field is set to zero, the OwnerSid field MUST not be present."

Thus, if the OD flag (Owner Defaulted: "Set when the owner was established by default means") is cleared (not set) then the Owner SID must be valid, and NULL is not valid.  That notwithstanding, as for this user interface, it doesn't recognize a NULL Owner SID event even if the OD flag is set.

We are pursuing a fix for this in Windows 8.1/2012R2 and for Windows 10 (in the user-mode code that is behind this user request).  But, I'm holding off on requesting a fix for Windows 8/2012 unless we have a strong business justification to do so.  This can also be mitigated in Samba code by supplying the Owner SID in level 502 queries.

Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Wednesday, March 11, 2015 1:04 PM
To: Andrew Bartlett
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email; Tarun Chopra
Subject: RE: [REG:115030312463820] Windows behavior re '0x80070057 the parameter is incorrect'

Just touching base.
The platforms group is actively working on this.
I’m monitoring their work, but there are no action items for either of us right now.
I will be traveling throughout China the next few weeks for Microsoft.  I will be monitoring this issue in my journeys and will update you if I hear anything.
Thank you for your patience.
Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Tuesday, March 3, 2015 2:28 PM
To: Andrew Bartlett
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email; Tarun Chopra
Subject: RE: [REG:115030312463820] Windows behavior re '0x80070057 the parameter is incorrect'

Andrew:

Today I filed a bug against Windows 8.0/2012 for a QFE (hotfix) for this issue.  We have a similar report and a duplicate hotfix request for Windows 8.1/Server 2012 R2.  I also have another customer reporting this and requesting a fix for 8.0/2012.  For your note, as it relates to the AD/KILE side of the question being handled by Obaid, our previous reproductions of this issue were with non-domain-joined "workgroup" machines.  However, I passed your additional information onto the WinSE engineer working on the fix; it may be useful to him as it provides more insight.

I'll update with status regarding the progress of the fix.  Assume it's on autopilot for now.

Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Monday, March 2, 2015 10:20 PM
To: Andrew Bartlett
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: [REG:115030312463820] Windows behavior re '0x80070057 the parameter is incorrect'

[dochelp on bcc]
[+casemail]

Starting new thread for SR 115030312463820: Windows behavior re  '0x80070057 the parameter is incorrect'.
I'll own this issue for you.

Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Monday, March 2, 2015 10:15 PM
To: 'Andrew Bartlett'
Cc: cifs-protocol at lists.samba.org
Subject: RE: View effective Access - Parameter is incorrect

[Dochelp to bcc]

Hi Andrew,

Thank you for raising this issue.  We're creating two cases to track this: one to chase down the error (which I'll own, potentially a QFE hotfix request) and the second as a [MS-KILE] doc issue (someone from the team will pick up).  Please note that as for the error message itself, we are investigating this and published KB 3041857 to acknowledge it: https://support.microsoft.com/kb/3041857.

SR 115030312463820: Windows behavior re  '0x80070057 the parameter is incorrect'.
SR 115030312463847: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self)

Don't reply to this mail; I'll start a separate thread for each to keep the discussions separate.

[Note: in your mail below, I appended your add-on observation re Windows 8.1 to Windows 2012R2 "in-line"]

Bryan

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, March 2, 2015 6:12 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at lists.samba.org
Subject: View effective Access - Parameter is incorrect

Using a Windows 8, and a Windows 8.1 Pro machine, joined to a Samba domain.

I open up \\$SERVER\sysvol and right-click on one of the files.  I then select properties, security, advanced, effective access.

I select one of the other users in my domain (I logged in as administrator), and then 'view effective access'.  The error I get is
'0x80070057 the parameter is incorrect'.

I can't see anything odd, except that in frame 91-93 the client asks for a TGS-REQ (S4U2Self) for a server of Administrator at REALM as an enterprise principal, perhaps being denied because Administrator is not a server account. 

Samba master gives 'KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (see trace) Samba 4.2 give 'KRB5KDC_ERR_POLICY' (not attached)

Is this the issue, if so, cue my discussion about MS-KILE clarifications :-)

Oddly, when looking at a comparitive trace of Windows 8.1 to Windows 2012R2, I can't even see a S4U2Self request.  

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list