[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Jeff McCashland (He/him) jeffm at microsoft.com
Fri Sep 30 22:48:35 UTC 2022


Hello Cristof,

Have you tried issuing the LDAP commands from a Windows client as well as a Samba client? If so, what tool/command line did you use, and what were the results? 

I would like to collect an LSASS TTT trace with a concurrent network capture of the scenario where no results are returned. 

The LSASS traces can be quite large, but are highly compressible, so please add them to a .zip archive before uploading (file transfer workspace credentials are below). Please log into the workspace and find PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can be staged onto the Windows server in any location (instructions below assume C:\TTD). 

To collect the needed traces:
	1. From a PowerShell prompt, execute: 
		C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
	2. Wait for a little window to pop up in the top left corner of your screen, titled "lsass01.run"
	3. Start a network trace using netsh or Wireshark, etc. 
	4. Repro the attempted operation
	5. Stop the network trace and save it
	6. CAREFULLY: uncheck the checkbox next to "Tracing" in the small "lsass01.run" window. Do not close or exit the small window or you will need to reboot. 
	7. The TTTracer.exe process will generate a trace file, then print out the name and location of the file. 
Compress the *.run file into a .zip archive before uploading with the matching network trace. It is a good idea to reboot the machine at the next opportunity to restart the lsass process.

Workspace information:
Log in as: 2209290040008412_cristof at dtmxfer.onmicrosoft.com
1-Time: 9rdh?;3W

Workspace link: https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiODExZWY4M2QtOTlkYS00NmU0LTg0MGYtNDU4NDk0MDI0ZGMzIiwic3IiOiIyMjA5MjkwMDQwMDA4NDEyIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiI5NzY4MmM5Ni03OTA4LTQyYzQtODZiYS0zOTNiNDBkM2RjMjQiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NzIzNTM3NTIsIm5iZiI6MTY2NDU3Nzc1Mn0.AmKKRO1ms-YObMcfo9uG0Xzj1Axit8k7LHgCyzH9Ao7obaN6Eujkby_OhA4H7U7oATfGlIfN_s2_8j3B7_oDblAJlP0uBhZdQMI0LlCW5UAlsqq-XeagFxL-5vg3Wjd1GpMOpHvyuS0LMGSg-G5lbwl0iuN2KosEZnjjxtbX8kSXaU97df6ot2eg6VjZWGu6-O6PaOINA3GnzMc2kVTJgtLh1hhE_zPt-e176JG5rhbVw7mgysnHvqAJXJwvEDFZRRzHur42SaDonh1iZinTzhbXCqfrXWiS5-AvrMHq6_2wlHr-dSgGuE9ozrxzCAcR2lrMnuCwBZFZUhKfTGZ6YQ&wid=811ef83d-99da-46e4-840f-458494024dc3

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Christof Schmitt <cs at samba.org> 
Sent: Thursday, September 29, 2022 4:32 PM
To: Andrew Bartlett <abartlet at samba.org>
Cc: Jeff McCashland (He/him) <jeffm at microsoft.com>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

On Fri, Sep 30, 2022 at 12:07:33PM +1300, Andrew Bartlett wrote:
>    Christof,
>    Is the behaviour different on the Global Catalog port?  Are both servers
>    GC instances?

protocol9 was created first, so that should be a GC instance. And a query to port 3268 returns the same result:

# ldapsearch -H ldap://adprotocol9.com:3268 -x -W -D "administrator at adprotocol9.com" -b "dc=adprotocol9,dc=com" "(member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=adprotocol9,dc=com> with scope subtree
# filter: (member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Regards,

Christof
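As an added illustration (not code from the thread or from Samba), the two filter forms available for finding the groups a principal belongs to when you start from its SID: the `<SID=...>` DN alternative used in the ldapsearch above, and the escaped binary objectSid form for the two-step fallback of resolving the SID to a DN first and then searching `(member=<that DN>)`. Function names are my own; the sample SID is the one from the thread.

```python
"""Build LDAP filters for querying group membership by SID (added example)."""
import re
import struct

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-R-A-S1-...-Sn) into the binary objectSid layout:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as a 32-bit little-endian int."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must carry 1..15 sub-authorities")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary objectSid back to text; rejects truncated or padded blobs."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def escape_filter_bytes(blob: bytes) -> str:
    """RFC 4515 escaping: every byte of a binary value becomes \\XX inside a filter."""
    return "".join("\\%02x" % b for b in blob)


def member_filter_sid_dn(sid: str) -> str:
    """Single-query form from the thread: MS-ADTS allows a DN-valued attribute
    such as member to be matched with the <SID=...> alternative DN syntax."""
    sid_to_bytes(sid)  # validate the SID before interpolating it
    return f"(member=<SID={sid}>)"


def objectsid_filter(sid: str) -> str:
    """Step one of the two-query fallback: locate the object whose objectSid
    equals this SID, read its distinguishedName, then search (member=<DN>)."""
    return f"(objectSid={escape_filter_bytes(sid_to_bytes(sid))})"
```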
