[cifs-protocol] [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372

Andreas Schneider asn at samba.org
Thu Dec 14 12:14:24 UTC 2023


On Thursday, 14 December 2023 07:28:46 CET Andreas Schneider wrote:
> On Wednesday, 13 December 2023 22:55:54 CET Andreas Schneider via cifs-protocol wrote:
> > On Wednesday, 13 December 2023 18:45:25 CET Jeff McCashland (He/him) wrote:
> > > Hi Andreas,
> > 
> > Hi Jeff,
> > 
> > > I found that the cause of the INVALID_PARAMETER error is that cbCipher is
> > > too small in the PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> > > structure included in the request.
> > > 
> > > The value sent is 0xD0 (208), while we were expecting at least 520 (0x208).
> > > Is there some significance that the correct hex value matches the passed
> > > decimal value?
> > 
> > thank you very much for taking a look.
> > 
> > I think the value is more a coincidence. It is strange that you expect at
> > least 520 bytes in size. This is either because of some password length
> > requirement or you need to use a buffer for passwords and fill it up with
> > random data if too short, like we have for the *Buffer* in [MS-SAMR]
> > 2.2.6.32. That's done in MS-SAMR to avoid guessing the password length.
> > 
> > I can test if using longer passwords fixes the issue.
> 
> We use passwords which are ~15 chars long. Using longer passwords doesn't fix
> the problem.
> 
> Our testsuite has one function to test LsarCreateTrustedDomainEx2 and
> LsarCreateTrustedDomainEx3. The values we use are essentially the same.
> There are just differences in one char, and the functions use different
> structures.
> 
> LsarCreateTrustedDomainEx2 succeeds with those values and
> LsarCreateTrustedDomainEx3 fails. I would argue that
> LsarCreateTrustedDomainEx3 expects something which is not documented.
> 
> Why does LsarCreateTrustedDomainEx3 expect at least 520 bytes for the
> cbCipher value?

Hi Jeff,

Section 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129) has:

+++++++++
AuthenticationInformation: A structure containing authentication information 
for the trusted domain.

The server MUST first decrypt this data structure using the algorithm 
specified in AES Cipher Usage (section 5.1.5) with the key being the session 
key negotiated by the transport. Next, the server MUST unmarshal the data 
inside this structure and store it in a structure, the format of which is 
specified in section 2.2.7.11.
+++++++++

I've talked to other Samba Team members and our guess is that the data 
structure inside is not 2.2.7.11 but it is 2.2.7.16 
LSAPR_TRUSTED_DOMAIN_AUTH_BLOB. That blob contains 512 bytes of random data 
and would explain the 520 bytes size check.


Best regards


	Andreas

> 
> Best regards
> 
> 
> 	Andreas
> 
> > > Please let me know if this doesn't fully answer your question.
> > 
> > Now the question is why does the cipher need to be bigger than 520 bytes? I
> > don't see anything in the documentation about it. There is just an upper
> > limit in the docs:
> > 
> > #define MAX_AUTHBLOB_SIZE ( 64 * 1024 )
> > 
> > 
> > Best regards
> > 
> > 	Andreas
> > 	
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > Protocol
> > > Open Specifications Team Phone: +1 (425) 703-8300 x38300 | Hours:
> > > 9am-5pm
> > > 
> > > Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone
> > > number found here: http://support.microsoft.com/globalenglish |
> > > Extension
> > > 1138300
> > > 
> > > -----Original Message-----
> > > From: Jeff McCashland (He/him)
> > > Sent: Monday, December 11, 2023 9:28 AM
> > > To: Andreas Schneider <asn at samba.org>
> > > Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
> > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > > 
> > > Hi Andrew,
> > > 
> > > Thank you for the information. I will let you know what I find.
> > > 
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > > 
> > > -----Original Message-----
> > > From: Andreas Schneider <asn at samba.org>
> > > Sent: Monday, December 11, 2023 6:23 AM
> > > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > > Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
> > > Subject: Re: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > > 
> > > On Thursday, 7 December 2023 20:43:05 CET Jeff McCashland (He/him) wrote:
> > > > Hi Andreas,
> > > 
> > > Hi Jeff,
> > > 
> > > > I was not able to find an INVALID_PARAMETER failure in the provided
> > > > network trace. Is this the network trace that was collected at the
> > > > same time as the TTT trace?
> > > 
> > > I've compiled wireshark from the git master branch. This has support for
> > > decoding the new lsa calls correctly. I opened the wireshark trace I sent
> > > you with it and the first LsarCreateTrustedDomainEx3 request is frame 76.
> > > Frame 77 is the corresponding response which returns INVALID_PARAMETER
> > > (screenshot attached).
> > > 
> > > I hope that helps. Thanks for your help.
> > > 
> > > 
> > > Best regards
> > > 
> > >         Andreas
> > > > 
> > > > I see the INVALID_PARAMETER error in your smbtorture logs, but I don't
> > > > know which packet in the network trace that relates to.
> > > > 
> > > > Could you clarify?
> > > > 
> > > > Best regards,
> > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > > > 
> > > > -----Original Message-----
> > > > From: Jeff McCashland (He/him)
> > > > Sent: Wednesday, December 6, 2023 7:53 AM
> > > > To: Andreas Schneider <asn at samba.org>
> > > > Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
> > > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > > > 
> > > > Hi Andreas,
> > > > 
> > > > Hopefully the LSASS TTT will tell us which parameter it is. I will let
> > > > you know.
> > > > 
> > > > Best regards,
> > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > > > 
> > > > -----Original Message-----
> > > > From: Andreas Schneider <asn at samba.org>
> > > > Sent: Wednesday, December 6, 2023 1:41 AM
> > > > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > > > Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
> > > > Subject: Re: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > > > 
> > > > On Tuesday, 5 December 2023 23:40:12 CET Jeff McCashland (He/him) wrote:
> > > > > Hi Andreas,
> > > > 
> > > > Hi Jeff,
> > > > 
> > > > > I would like to collect LSASS TTT traces to troubleshoot the
> > > > > failure.
> > > > 
> > > > Thank you very much for your help!
> > > > 
> > > > I've uploaded lsass03.zip to the workspace. It includes the TimeTrace,
> > > > the network trace and smbtorture debug log.
> > > > 
> > > > Günther just added support for LsarCreateTrustedDomainEx3 to Wireshark
> > > > two weeks ago [1]. I don't think the code is in a release yet. You
> > > > won't see the calls nicely unmarshalled yet. However, I attached the
> > > > smbtorture debug log. You can see the NDR printout there.
> > > > 
> > > > The question is which input parameter LsarCreateTrustedDomainEx3 thinks
> > > > is invalid. Once I know that, I can hopefully fix the test :-)
> > > > 
> > > > 
> > > > Thank you very much for your assistance! This is much appreciated.
> > > > 
> > > > 
> > > > Best regards
> > > > 
> > > >         Andreas
> > > > 
> > > > [1] https://gitlab.com/wireshark/wireshark/-/merge_requests/13370
> > > > 
> > > > > The LSASS traces can be quite large, but are highly compressible, so
> > > > > please add them to a .zip archive before uploading (file transfer
> > > > > workspace credentials are below). Please log into the workspace and
> > > > > find PartnerTTDRecorder_x86_x64.zip available for download. The x64
> > > > > tool can be staged onto the Windows server in any location
> > > > > (instructions below assume C:\TTD).
> > > > > 
> > > > > To collect the needed traces:
> > > > >         1. From a PowerShell prompt, execute:
> > > > >                 C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> > > > >         2. Wait for a little window to pop up in top left corner of your screen, titled "lsass01.run"
> > > > >         3. start a network trace using netsh or WireShark, etc.
> > > > >         4. Repro the attempted operation
> > > > >         5. Stop the network trace and save it
> > > > >         6. CAREFULLY: uncheck the checkbox next to "Tracing" in the small "lsass01.run" window. Do not close or exit the small window or you will need to reboot.
> > > > >         7. The TTTracer.exe process will generate a trace file, then print out the name and location of the file. Compress the *.run file into a .zip archive before uploading with the matching network trace. It is a good idea to reboot the machine at the next opportunity to restart the lsass process.
> > > > > 
> > > > > Workspace credentials:
> > > > > Log in as: 2312050040012372_andreas at dtmxfer.onmicrosoft.com
> > > > > 1-Time: 3fjE7C5Q
> > > > > 
> > > > > Workspace link:
> > > > > 
> > > > > Best regards,
> > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Jeff McCashland (He/him)
> > > > > Sent: Tuesday, December 5, 2023 11:50 AM
> > > > > To: Andreas Schneider <asn at samba.org>; cifs-protocol <cifs-protocol at lists.samba.org>
> > > > > Cc: Microsoft Support <supportmail at microsoft.com>
> > > > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > > > > 
> > > > > [Michael to BCC]
> > > > > 
> > > > > Hi Andreas,
> > > > > 
> > > > > I will dig into your question and let you know what I find.
> > > > > 
> > > > > Best regards,
> > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > > > > Sent: Tuesday, December 5, 2023 11:25 AM
> > > > > To: Andreas Schneider <asn at samba.org>; cifs-protocol <cifs-protocol at lists.samba.org>
> > > > > Cc: Microsoft Support <supportmail at microsoft.com>
> > > > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 - TrackingID#2312050040012372
> > > > > 
> > > > > [DocHelp to BCC]
> > > > > Hi Andreas,
> > > > > 
> > > > > Thank you for your question about MS-LSAD. Case number
> > > > > 2312050040012372 has been created to track this issue; one of our
> > > > > engineers will contact you soon.
> > > > > 
> > > > > Best regards,
> > > > > Mike Bowen
> > > > > Escalation Engineer - Microsoft Open Specifications
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Andreas Schneider <asn at samba.org>
> > > > > Sent: Tuesday, December 5, 2023 5:34 AM
> > > > > To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
> > > > > Subject: [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3
> > > > > 
> > > > > Hi Dochelp Team!
> > > > > 
> > > > > I'm currently trying to write an smbtorture test for
> > > > > LsarCreateTrustedDomainEx3. My test doesn't work against Windows
> > > > > Server 2022.
> > > > > 
> > > > >      lsa_CreateTrustedDomainEx3: struct lsa_CreateTrustedDomainEx3
> > > > >         out: struct lsa_CreateTrustedDomainEx3
> > > > >             trustdom_handle          : *
> > > > >                 trustdom_handle: struct policy_handle
> > > > >                     handle_type              : 0x00000000 (0)
> > > > >                     uuid                     : 00000000-0000-0000-0000-000000000000
> > > > >             result                   : NT_STATUS_INVALID_PARAMETER
> > > > > 
> > > > > The test is more or less the same as we have for
> > > > > LsarCreateTrustedDomainEx2, but it fails for
> > > > > LsarCreateTrustedDomainEx3 with NT_STATUS_INVALID_PARAMETER. Another
> > > > > Samba Team member did check the code I wrote and couldn't find anything
> > > > > wrong.
> > > > > 
> > > > > I've tried to turn on debug logging for the netlogon service on
> > > > > windows, but it doesn't log anything useful. So I'm not able to
> > > > > figure out what value the server thinks is invalid.
> > > > > 
> > > > > Could someone from the Dochelp Team help me, if I create a Time Trace,
> > > > > to figure out on which input value the server chokes?
> > > > > 
> > > > > 
> > > > > Thanks for your help.
> > > > > 
> > > > > 
> > > > > Best regards
> > > > > 
> > > > >         Andreas Schneider
> > > > > 
> > > > > --
> > > > > Andreas Schneider                      asn at samba.org
> > > > > Samba Team                             http://www.samba.org/
> > > > > GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> > > > 
> > > 


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D




