[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Christof Schmitt cs at samba.org
Fri Sep 30 22:55:07 UTC 2022

On Fri, Sep 30, 2022 at 10:48:35PM +0000, Jeff McCashland (He/him) wrote:
> Hello Christof,
> Have you tried issuing the LDAP commands from a Windows client as well as a Samba client? If so, what tool/command line did you use, and what were the results? 

I have not used a Windows client, just a Linux workstation. The Samba
"net ads search" and "ldapsearch" tools both return the same results
from that Linux workstation. I can look whether a Windows client can be
added next week.

> I would like to collect an LSASS TTT trace with a concurrent network capture of the scenario where no results are returned. 
> The LSASS traces can be quite large, but are highly compressible, so please add them to a .zip archive before uploading (file transfer workspace credentials are below). Please log into the workspace and find PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can be staged onto the Windows server in any location (instructions below assume C:\TTD). 
> To collect the needed traces:
> 	1. From a PowerShell prompt, execute: 
> 		C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> 	2. Wait for a little window to pop up in top left corner of your screen, titled "lsass01.run"
> 	3. Start a network trace using netsh or Wireshark, etc.
> 	4. Repro the attempted operation
> 	5. Stop the network trace and save it
> 	6. CAREFULLY: uncheck the checkbox next to "Tracing" in the small "lsass01.run" window. Do not close or exit the small window or you will need to reboot. 
> 	7. The TTTracer.exe process will generate a trace file, then print out the name and location of the file. 
> Compress the *.run file into a .zip archive before uploading with the matching network trace. It is a good idea to reboot the machine at the next opportunity to restart the lsass process.
> Workspace information:
> Log in as: 2209290040008412_cristof at dtmxfer.onmicrosoft.com
> 1-Time: 9rdh?;3W
> Workspace link: https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiODExZWY4M2QtOTlkYS00NmU0LTg0MGYtNDU4NDk0MDI0ZGMzIiwic3IiOiIyMjA5MjkwMDQwMDA4NDEyIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiI5NzY4MmM5Ni03OTA4LTQyYzQtODZiYS0zOTNiNDBkM2RjMjQiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NzIzNTM3NTIsIm5iZiI6MTY2NDU3Nzc1Mn0.AmKKRO1ms-YObMcfo9uG0Xzj1Axit8k7LHgCyzH9Ao7obaN6Eujkby_OhA4H7U7oATfGlIfN_s2_8j3B7_oDblAJlP0uBhZdQMI0LlCW5UAlsqq-XeagFxL-5vg3Wjd1GpMOpHvyuS0LMGSg-G5lbwl0iuN2KosEZnjjxtbX8kSXaU97df6ot2eg6VjZWGu6-O6PaOINA3GnzMc2kVTJgtLh1hhE_zPt-e176JG5rhbVw7mgysnHvqAJXJwvEDFZRRzHur42SaDonh1iZinTzhbXCqfrXWiS5-AvrMHq6_2wlHr-dSgGuE9ozrxzCAcR2lrMnuCwBZFZUhKfTGZ6YQ&wid=811ef83d-99da-46e4-840f-458494024dc3

Thank you. I will work on capturing the traces next week.


