[cifs-protocol] [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
Andreas Schneider
asn at samba.org
Wed Dec 13 21:55:54 UTC 2023
On Wednesday, 13 December 2023 18:45:25 CET Jeff McCashland (He/him) wrote:
> Hi Andreas,
Hi Jeff,
> I found that the cause of the INVALID_PARAMETER error is that cbCipher is
> too small in the PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> structure included in the request.
>
> The value sent is 0xD0 (208), while we were expecting at least 520 (0x208).
> Is there some significance that the correct hex value matches the passed
> decimal value?
thank you very much for taking a look.
I think the value is more a coincidence. It is strange that you expect at
least 520 bytes in size. This is either because of some password length
requirement or you need to use a buffer for passwords and fill it up with
random data if too short, like we have for the *Buffer* in [MS-SAMR] 2.2.6.32.
That's done in MS-SAMR to avoid guessing the password length.
I can test if using longer passwords fixes the issue.
> Please let me know if this doesn't fully answer your question.
Now the question is why does the cipher need to be bigger than 520 bytes? I
don't see anything in the documentation about it. There is just an upper limit
in the docs:
#define MAX_AUTHBLOB_SIZE ( 64 * 1024 )
Best regards
Andreas
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol
> Open Specifications Team Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm |
> Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone
> number found here: http://support.microsoft.com/globalenglish | Extension
> 1138300
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Monday, December 11, 2023 9:28 AM
> To: Andreas Schneider <asn at samba.org>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol
> <cifs-protocol at lists.samba.org>
> Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> TrackingID#2312050040012372
>
> Hi Andrew,
>
> Thank you for the information. I will let you know what I find.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol
> Open Specifications Team Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm |
> Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone
> number found here: http://support.microsoft.com/globalenglish | Extension
> 1138300
>
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Monday, December 11, 2023 6:23 AM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol
> <cifs-protocol at lists.samba.org>
> Subject: Re: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> TrackingID#2312050040012372
>
> On Thursday, 7 December 2023 20:43:05 CET Jeff McCashland (He/him) wrote:
> > Hi Andreas,
>
> Hi Jeff,
>
> > I was not able to find an INVALID_PARAMETER failure in the provided
> > network trace. Is this the network trace that was collected at the
> > same time as the TTT trace?
>
> I've compiled wireshark from the git master branch. This has support for
> decoding the new lsa calls correctly. I opened the wireshark trace I sent
> you with it and the first LsarCreateTrustedDomainEx3 request is frame 76.
> Frame 77 is the corresponding response which returns INVALID_PARAMETER
> (screenshot attached).
>
> I hope that helps. Thanks for your help.
>
>
> Best regards
>
>
> Andreas
>
> > I see the INVALID_PARAMETER error in your smbtorture logs, but I don't
> > know which packet in the network trace that relates to.
> >
> > Could you clarify?
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > http://support.microsoft.com/globalenglish | Extension 1138300
> >
> > -----Original Message-----
> > From: Jeff McCashland (He/him)
> > Sent: Wednesday, December 6, 2023 7:53 AM
> > To: Andreas Schneider <asn at samba.org>
> > Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol
> > <cifs-protocol at lists.samba.org>
> > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> > TrackingID#2312050040012372
> >
> > Hi Andreas,
> >
> > Hopefully the LSASS TTT will tell us which parameter it is. I will let
> > you know.
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > http://support.microsoft.com/globalenglish | Extension 1138300
> >
> > -----Original Message-----
> > From: Andreas Schneider <asn at samba.org>
> > Sent: Wednesday, December 6, 2023 1:41 AM
> > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol
> > <cifs-protocol at lists.samba.org>
> > Subject: Re: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> > TrackingID#2312050040012372
> >
> > On Tuesday, 5 December 2023 23:40:12 CET Jeff McCashland (He/him) wrote:
> > > Hi Andreas,
> >
> > Hi Jeff,
> >
> > > I would like to collect LSASS TTT traces to troubleshoot the failure.
> >
> > Thank you very much for your help!
> >
> > I've uploaded lsass03.zip to the workspace. It includes the TimeTrace,
> > the network trace and smbtorture debug log.
> >
> > Günther just added support for LsarCreateTrustedDomainEx3 to Wireshark
> > two weeks ago [1]. I don't think the code is in a release yet. You
> > won't see the calls nicely unmarshalled yet. However I attached
> > smbtorture debug log. You can see the NDR printout there.
> >
> > The question is which input parameter LsarCreateTrustedDomainEx3 thinks
> > is invalid. Once I know that, I can hopefully fix the test :-)
> >
> >
> > Thank you very much for your assistance! This is much appreciated.
> >
> >
> > Best regards
> >
> > Andreas
> >
> > [1] https://gitlab.com/wireshark/wireshark/-/merge_requests/13370
> >
> > > The LSASS traces can be quite large, but are highly compressible, so
> > > please add them to a .zip archive before uploading (file transfer
> > > workspace credentials are below). Please log into the workspace and
> > > find PartnerTTDRecorder_x86_x64.zip available for download. The x64
> > > tool can be staged onto the Windows server in any location
> > > (instructions below assume C:\TTD).
> > >
> > > To collect the needed traces:
> > > 1. From a PowerShell prompt, execute:
> > >    C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> > > 2. Wait for a little window to pop up in top left corner of your
> > >    screen, titled "lsass01.run"
> > > 3. Start a network trace using netsh or WireShark, etc.
> > > 4. Repro the attempted operation
> > > 5. Stop the network trace and save it
> > > 6. CAREFULLY: uncheck the checkbox next to "Tracing" in the small
> > >    "lsass01.run" window. Do not close or exit the small window or
> > >    you will need to reboot.
> > > 7. The TTTracer.exe process will generate a trace file, then print
> > >    out the name and location of the file. Compress the *.run file
> > >    into a .zip archive before uploading with the matching network
> > >    trace. It is a good idea to reboot the machine at the next
> > >    opportunity to restart the lsass process.
> > >
> > > Workspace credentials:
> > > Log in as: 2312050040012372_andreas at dtmxfer.onmicrosoft.com
> > > 1-Time: 3fjE7C5Q
> > >
> > > Workspace link:
> > >
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > > Local country phone number found here:
> > > http://support.microsoft.com/globalenglish | Extension 1138300
> > >
> > > -----Original Message-----
> > > From: Jeff McCashland (He/him)
> > > Sent: Tuesday, December 5, 2023 11:50 AM
> > > To: Andreas Schneider <asn at samba.org>; cifs-protocol
> > > <cifs-protocol at lists.samba.org>
> > > Cc: Microsoft Support <supportmail at microsoft.com>
> > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> > > LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > >
> > > [Michael to BCC]
> > >
> > > Hi Andreas,
> > >
> > > I will dig into your question and let you know what I find.
> > >
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > > Local country phone number found here:
> > > http://support.microsoft.com/globalenglish | Extension 1138300
> > >
> > > -----Original Message-----
> > > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > > Sent: Tuesday, December 5, 2023 11:25 AM
> > > To: Andreas Schneider <asn at samba.org>; cifs-protocol
> > > <cifs-protocol at lists.samba.org>
> > > Cc: Microsoft Support <supportmail at microsoft.com>
> > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> > > LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > >
> > > [DocHelp to BCC]
> > > Hi Andreas,
> > >
> > > Thank you for your question about MS-LSAD. Case number
> > > 2312050040012372 has been created to track this issue, one of our
> > > engineers will contact you soon.
> > >
> > > Best regards,
> > > Mike Bowen
> > > Escalation Engineer - Microsoft Open Specifications
> > >
> > > -----Original Message-----
> > > From: Andreas Schneider <asn at samba.org>
> > > Sent: Tuesday, December 5, 2023 5:34 AM
> > > To: Interoperability Documentation Help <dochelp at microsoft.com>;
> > > cifs-protocol <cifs-protocol at lists.samba.org>
> > > Subject: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3
> > >
> > > Hi Dochelp Team!
> > >
> > > I'm currently trying to write an smbtorture test for
> > > LsarCreateTrustedDomainEx3. My test doesn't work against Windows
> > > Server 2022.
> > >
> > > lsa_CreateTrustedDomainEx3: struct lsa_CreateTrustedDomainEx3
> > >     out: struct lsa_CreateTrustedDomainEx3
> > >         trustdom_handle          : *
> > >             trustdom_handle: struct policy_handle
> > >                 handle_type              : 0x00000000 (0)
> > >                 uuid                     : 00000000-0000-0000-0000-000000000000
> > >         result                   : NT_STATUS_INVALID_PARAMETER
> > >
> > > The test is more or less the same as we have for
> > > LsarCreateTrustedDomainEx2, but it fails for
> > > LsarCreateTrustedDomainEx3 with NT_STATUS_INVALID_PARAMETER. Another
> > > Samba Team member did check the code I wrote and could find anything
> > > wrong.
> > >
> > > I've tried to turn on debug logging for the netlogon service on
> > > windows, but it doesn't log anything useful. So I'm not able to
> > > figure out what value the server thinks is invalid.
> > >
> > > Could someone of the Dochelp Team help me if I create a Time Trace
> > > and figure out on which input value the server chokes?
> > >
> > >
> > > Thanks for your help.
> > >
> > >
> > > Best regards
> > >
> > > Andreas Schneider
> > >
> > > --
> > > Andreas Schneider asn at samba.org
> > > Samba Team http://www.samba.org/
> > > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> >
> > --
> > Andreas Schneider asn at samba.org
> > Samba Team http://www.samba.org/
> > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
> --
> Andreas Schneider asn at samba.org
> Samba Team http://www.samba.org/
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
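
The fixed-size, randomly padded password buffer mentioned in the message above, as an added example (not Samba or Microsoft code, and not part of the original e-mail). The layout used here, a 512-byte buffer with the password at the end followed by a 32-bit little-endian length, is an assumption based on the SAMR-style user password buffer, not the MS-LSAD auth blob layout, which the thread leaves open; the function names are hypothetical and the encryption step is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_BUF_LEN  512               /* 256 UTF-16 code units */
#define PW_BLOB_LEN (PW_BUF_LEN + 4)  /* buffer + 32-bit length: always 516 */

/* Fill dst with n bytes from the OS random source; 0 on success. */
static int fill_random(uint8_t *dst, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;

    if (f == NULL)
        return -1;
    got = fread(dst, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Sender: right-align the UTF-16LE password, randomise the unused prefix and
 * append the password length in bytes. The plaintext handed to the cipher is
 * PW_BLOB_LEN bytes for every password, so cbCipher reveals nothing. */
int encode_pw_blob(const uint8_t *pw, size_t pw_len, uint8_t out[PW_BLOB_LEN])
{
    if (pw_len > PW_BUF_LEN || (pw_len % 2) != 0)
        return -1;
    if (fill_random(out, PW_BUF_LEN - pw_len) != 0)
        return -1;
    memcpy(out + PW_BUF_LEN - pw_len, pw, pw_len);
    out[PW_BUF_LEN + 0] = (uint8_t)(pw_len & 0xff);
    out[PW_BUF_LEN + 1] = (uint8_t)((pw_len >> 8) & 0xff);
    out[PW_BUF_LEN + 2] = 0;
    out[PW_BUF_LEN + 3] = 0;
    return 0;
}

/* Receiver: the length field is untrusted input after decryption, so it is
 * range-checked before being used as an offset into the buffer. */
int decode_pw_blob(const uint8_t in[PW_BLOB_LEN], const uint8_t **pw, size_t *pw_len)
{
    uint32_t len = (uint32_t)in[PW_BUF_LEN] | ((uint32_t)in[PW_BUF_LEN + 1] << 8) |
                   ((uint32_t)in[PW_BUF_LEN + 2] << 16) | ((uint32_t)in[PW_BUF_LEN + 3] << 24);

    if (len > PW_BUF_LEN || (len % 2) != 0)
        return -1;
    *pw = in + PW_BUF_LEN - len;
    *pw_len = len;
    return 0;
}
```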