[cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317
Andreas Schneider
asn at samba.org
Tue Jan 9 07:57:22 UTC 2024
On Monday, 8 January 2024 19:28:45 CET Jeff McCashland (He/him) wrote:
> [-Support]
>
> Hi Andreas,
Hi Jeff,
> We have updated [MS-LSAD] for the next release to address this issue:
thank you very much for the update!
> 2.2.7.29 LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> The LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure
> communicates authentication material. The cleartext password data is in the
> form of a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16). The following
> structure corresponds to the TrustedDomainAuthInformationInternalAes
> information class (section 2.2.7.2).
>
> 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129)
> AuthenticationInformation: A structure containing encrypted
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) authentication
> information for the trusted domain. If the length of cbCipher in
> AuthenticationInformation is less than (512 + IncomingAuthInfoSize +
> OutgoingAuthInfoSize) the server MUST return STATUS_INVALID_PARAMETER.
The same applies to LsarCreateTrustedDomainEx2, the decrypted cipher is also a
LSAPR_TRUSTED_DOMAIN_AUTH_BLOB :-)
> I hope that helps!
It does, thanks.
Best regards
Andreas
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol
> Open Specifications Team Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm |
> Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone
> number found here: http://support.microsoft.com/globalenglish | Extension
> 1138300
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Thursday, December 21, 2023 9:20 AM
> To: Andreas Schneider <asn at samba.org>; cifs-protocol at lists.samba.org
> Cc: cifs-protocol <cifs-protocol at lists.samba.org>; Microsoft Support
> <supportmail at microsoft.com> Subject: RE: [EXTERNAL] Re: [MS-LSAD]
> LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information -
> TrackingID#2312150040008317
>
> Hi Andreas,
>
> Thank you for the information. I will work with our LSAD team to confirm and
> update the spec.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol
> Open Specifications Team Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm |
> Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone
> number found here: http://support.microsoft.com/globalenglish | Extension
> 1138300
>
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Thursday, December 21, 2023 4:31 AM
> To: cifs-protocol at lists.samba.org; Jeff McCashland (He/him)
> <jeffm at microsoft.com> Cc: cifs-protocol <cifs-protocol at lists.samba.org>;
> Microsoft Support <supportmail at microsoft.com> Subject: [EXTERNAL] Re:
> [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth
> information - TrackingID#2312150040008317
> On Friday, 15 December 2023 19:18:01 CET Jeff McCashland (He/him) wrote:
> > [Updated Subject w/new SR ID]
> >
> > Hi Andreas,
>
> Hi Jeff,
>
> > I was able to confirm in our source code that
> > LsarCreateTrustedDomainEx3 actually marshals the data into
> > LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION as documented.
>
> I've implemented LsarCreateTrustedDomainEx3 in our rpc_server and let
> Windows create a trust. I was able to successfully decrypt the data. The
> data blob after decryption *is* in the format
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB!
>
>
> Your unmarshal function on Windows probably converts the
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB after decryption into an
> LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION structure. However this step is
> undocumented. You do exactly the same with LsarCreateTrustedDomainEx2. In
> LsarCreateTrustedDomainEx2 after decryption the data blob (ciphertext) is a
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB too.
>
>
> I guess your unmarshall functions converts from
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION.
>
>
> Merry Christmas :-)
>
>
> Andreas
>
> > I am still researching why the requirement is there.
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > http://suppo/
> > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> > 7C37da3b29a64349553f6f08dc0220a95d%7C72f988bf86f141af91ab2d7cd011db47%
> > 7C1%7C0%7C638387586534264986%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> > a=ap82GTwsfpE3q8xNpFkfIi1wEXoUHw4CZNUOsdvRLJY%3D&reserved=0 |
> > Extension
> > 1138300
> >
> > -----Original Message-----
> > From: Andreas Schneider <asn at samba.org>
> > Sent: Friday, December 15, 2023 8:22 AM
> > To: cifs-protocol at lists.samba.org; Jeff McCashland (He/him)
> > <jeffm at microsoft.com> Cc: cifs-protocol
> > <cifs-protocol at lists.samba.org>; Microsoft Support
> > <supportmail at microsoft.com> Subject: Re: [cifs-protocol] [EXTERNAL]
> > [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> > TrackingID#2312050040012372
> >
> > On Thursday, 14 December 2023 18:38:05 CET Jeff McCashland (He/him) wrote:
> > > Hi Andreas,
> >
> > Hi Jeff,
> >
> > > Thank you for the suggestion. I will look into that.
> >
> > I revisted our CreateTrustedDomainEx2 code and it uses 2.2.7.16
> > LSAPR_TRUSTED_DOMAIN_AUTH_BLOB instead of 2.2.7.11. So it is already
> > wrong in the CreateTrustedDomainEx2 documentation which probably has
> > just been copied over.
> >
> > I've implemented the test using LSAPR_TRUSTED_DOMAIN_AUTH_BLOB as the
> > blob we encrypt but my test still fails. There might be some more
> > details we need to figure out. I will wait with them the
> > LSAPR_TRUSTED_DOMAIN_AUTH_BLOB part is clarified :-)
> >
> > Thank you and have a nice weekend!
> >
> > Andreas
> > >
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > > Local country phone number found here:
> > > http://suppo/
> > > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.co
> > > m%
> > > 7C5282d20f08da48f4ebd208dbfd89e75b%7C72f988bf86f141af91ab2d7cd011db4
> > > 7%
> > > 7C1%7C0%7C638382540985584052%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
> > > wM
> > > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sd
> > > at
> > > a=c59izqMznI7MT7J2l6LC2Gdbk3RRrRej5pE8xFPEbY4%3D&reserved=0 |
> > > Extension
> > > 1138300
> > >
> > > -----Original Message-----
> > > From: Andreas Schneider <asn at samba.org>
> > > Sent: Thursday, December 14, 2023 4:14 AM
> > > To: Jeff McCashland (He/him) <jeffm at microsoft.com>;
> > > cifs-protocol at lists.samba.org Cc: cifs-protocol
> > > <cifs-protocol at lists.samba.org>; Microsoft Support
> > > <supportmail at microsoft.com> Subject: Re: [cifs-protocol] [EXTERNAL]
> > > [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> > > TrackingID#2312050040012372
> > >
> > > On Thursday, 14 December 2023 07:28:46 CET Andreas Schneider wrote:
> > > > On Wednesday, 13 December 2023 22:55:54 CET Andreas Schneider via
> > > > cifs-
> > > >
> > > > protocol wrote:
> > > > > On Wednesday, 13 December 2023 18:45:25 CET Jeff McCashland
> > > > > (He/him)
> > >
> > > wrote:
> > > > > > Hi Andreas,
> > > > >
> > > > > Hi Jeff,
> > > > >
> > > > > > I found that the cause of the INVALID_PARAMETER error is that
> > > > > > cbCipher is too small in the
> > > > > > PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> > > > > > structure included in the request.
> > > > > >
> > > > > > The value sent is 0xD0 (208), while we were expecting at least
> > > > > > 520 (0x208).
> > > > > > Is there some significance that the correct hex value matches
> > > > > > the passed decimal value?
> > > > >
> > > > > thank you very much for taking a look.
> > > > >
> > > > > I think the value is more a coincidence. It is strange that you
> > > > > expect at least 520 bytes in size. This is either because of
> > > > > some password length requirement or you need to use a buffers
> > > > > for passwords and fill it up with random data if too short, like
> > > > > we have for the *Buffer* in [MS-SAMR] 2.2.6.32. That's done in
> > > > > MS-SAMR to avoid guessing the password length.
> > > > >
> > > > > I can test if using longer passwords fixes the issue.
> > > >
> > > > We use passwords which are ~15 chars long. Using longer password
> > > > doesn't fix the problem.
> > > >
> > > > Our testsuite has one function to test LsarCreateTrustedDomainEx2
> > > > and LsarCreateTrustedDomainEx3. The values we use are essentially
> > > > the same.
> > > > There are just differences in one char and the function using
> > > > different structures.
> > > >
> > > > LsarCreateTrustedDomainEx2 succeeds with those values and
> > > > LsarCreateTrustedDomainEx3 fails. I would argue that
> > > > LsarCreateTrustedDomainEx3 expects something which is not documented.
> > > >
> > > > Why does LsarCreateTrustedDomainEx3 expect at least 520 bytes for
> > > > the cbCipher value?
> > >
> > > Hi Jeff,
> > >
> > > Section 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129) has:
> > >
> > > +++++++++
> > > AuthenticationInformation: A structure containing authentication
> > > information for the trusted domain.
> > >
> > > The server MUST first decrypt this data structure using the
> > > algorithm specified in AES Cipher Usage (section 5.1.5) with the key
> > > being the session key negotiated by the transport. Next, the server
> > > MUST unmarshal the data inside this structure and store it in a
> > > structure, the format of which is specified in section 2.2.7.11.
> > > +++++++++
> > >
> > > I've talked to other Samba Team members and our guess is that the
> > > data structure inside is not 2.2.7.11 but it is 2.2.7.16
> > > LSAPR_TRUSTED_DOMAIN_AUTH_BLOB. That blob contains 512 bytes of
> > > random data and would explain the 520 bytes size check.
> > >
> > >
> > > Best regards
> > >
> > > Andreas
> > > >
> > > > Best regards
> > > >
> > > > Andreas
> > > > > >
> > > > > > Please let me know if this doesn't fully answer your question.
> > > > >
> > > > > Now the question is why does the cipher need to be bigger than
> > > > > 520 bytes?
> > > > > I
> > > > > don't see anything in the documentation about it. There is just
> > > > > an upper limit in the docs:
> > > > >
> > > > > #define MAX_AUTHBLOB_SIZE ( 64 * 1024 )
> > > > >
> > > > >
> > > > > Best regards
> > > > >
> > > > > Andreas
> > > > > >
> > > > > > Best regards,
> > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > Microsoft Protocol Open Specifications Team Phone: +1 (425)
> > > > > > 703-8300 x38300
> > > > > >
> > > > > > | Hours:
> > > > > > 9am-5pm
> > > > > >
> > > > > > Time zone: (UTC-08:00) Pacific Time (US and Canada) Local
> > > > > > country phone number found here:
> > > > > > http://s/
> > > > > > upport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40mi
> > > > > > cr
> > > > > > os
> > > > > > oft.com%7Ca0a3d9e3339542a24b6808dbfc9e373e%7C72f988bf86f141af9
> > > > > > 1a
> > > > > > b2
> > > > > > d7cd011db47%7C1%7C0%7C638381528699136760%7CUnknown%7CTWFpbGZsb
> > > > > > 3d
> > > > > > 8e
> > > > > > yJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
> > > > > > %3
> > > > > > D%
> > > > > > 7C3000%7C%7C%7C&sdata=degD5aTx9XBA2kYQadl4RW19Rp2VxTRvNiwmuQIH
> > > > > > hW
> > > > > > k%
> > > > > > 3D&reserved=0 | Extension
> > > > > > 1138300
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Jeff McCashland (He/him)
> > > > > > Sent: Monday, December 11, 2023 9:28 AM
> > > > > > To: Andreas Schneider <asn at samba.org>
> > > > > > Cc: Microsoft Support <supportmail at microsoft.com>;
> > > > > > cifs-protocol <cifs-protocol at lists.samba.org> Subject: RE:
> > > > > > [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3
> > > > > > -
> > > > > > TrackingID#2312050040012372
> > > > > >
> > > > > > Hi Andrew,
> > > > > >
> > > > > > Thank you for the information. I will let you know what I find.
> > > > > >
> > > > > > Best regards,
> > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > Microsoft Protocol Open Specifications Team Phone: +1 (425)
> > > > > > 703-8300 x38300
> > > > > >
> > > > > > | Hours:
> > > > > > 9am-5pm
> > > > > >
> > > > > > Time zone: (UTC-08:00) Pacific Time (US and Canada) Local
> > > > > > country phone number found here:
> > > > > > http://s/
> > > > > > upport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40mi
> > > > > > cr
> > > > > > os
> > > > > > oft.com%7Ca0a3d9e3339542a24b6808dbfc9e373e%7C72f988bf86f141af9
> > > > > > 1a
> > > > > > b2
> > > > > > d7cd011db47%7C1%7C0%7C638381528699143936%7CUnknown%7CTWFpbGZsb
> > > > > > 3d
> > > > > > 8e
> > > > > > yJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
> > > > > > %3
> > > > > > D%
> > > > > > 7C3000%7C%7C%7C&sdata=6x4I5Uupmj3X3JQ9wRxgXVridToWl%2BU%2FzFo4
> > > > > > Pw
> > > > > > R7
> > > > > > qdA%3D&reserved=0 | Extension
> > > > > > 1138300
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Andreas Schneider <asn at samba.org>
> > > > > > Sent: Monday, December 11, 2023 6:23 AM
> > > > > > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > > > > > Cc: Microsoft Support <supportmail at microsoft.com>;
> > > > > > cifs-protocol <cifs-protocol at lists.samba.org> Subject: Re:
> > > > > > [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3
> > > > > > -
> > > > > > TrackingID#2312050040012372
> > > > > >
> > > > > > On Thursday, 7 December 2023 20:43:05 CET Jeff McCashland
> > > > > > (He/him)
> > >
> > > wrote:
> > > > > > > Hi Andreas,
> > > > > >
> > > > > > Hi Jeff,
> > > > > >
> > > > > > > I was not able to find an INVALID_PARAMETER failure in the
> > > > > > > provided network trace. Is this the network trace that was
> > > > > > > collected at the same time as the TTT trace?
> > > > > >
> > > > > > I've compiled wireshark from the git master branch. This has
> > > > > > support for decoding the new lsa calls correctly. I opened the
> > > > > > wireshark trace I sent you with it and the first
> > > > > > LsarCreateTrustedDomainEx3 request is frame 76.
> > > > > > Frame 77 is the corresponding response which returns
> > > > > > INVALID_PARAMETER (screenshot attached).
> > > > > >
> > > > > > I hope that helps. Thanks for your help.
> > > > > >
> > > > > >
> > > > > > Best regards
> > > > > >
> > > > > > Andreas
> > > > > > >
> > > > > > > I see the INVALID_PARAMETER error in your smbtorture logs,
> > > > > > > but I don't know which packet in the network trace that relates
> > > > > > > to.
> > > > > > >
> > > > > > > Could you clarify?
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > > Microsoft Protocol Open Specifications Team Phone: +1 (425)
> > > > > > > 703-8300 x38300 |
> > > > > > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and
> > > > > > > Canada) Local country phone number found here:
> > > > > > > http://suppo/
> > > > > > > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40micr
> > > > > > > os
> > > > > > > of
> > > > > > > t.com%
> > > > > > > 7C57e7e1341d7243e6808108dbfa54bc29%7C72f988bf86f141af91ab2d7
> > > > > > > cd
> > > > > > > 01
> > > > > > > 1db47%
> > > > > > > 7C1%7C0%7C638379014130155860%7CUnknown%7CTWFpbGZsb3d8eyJWIjo
> > > > > > > iM
> > > > > > > C4
> > > > > > > wLjAwM
> > > > > > > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%
> > > > > > > 7C
> > > > > > > %7
> > > > > > > C&sdat
> > > > > > > a=QJVmNP2krXHQDVe%2B1OQnuwGDsK2yfgH6hyezrqzjaQY%3D&reserved=
> > > > > > > 0
> > > > > > >
> > > > > > > | Extension
> > > > > > >
> > > > > > > 1138300
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Jeff McCashland (He/him)
> > > > > > > Sent: Wednesday, December 6, 2023 7:53 AM
> > > > > > > To: Andreas Schneider <asn at samba.org>
> > > > > > > Cc: Microsoft Support <supportmail at microsoft.com>;
> > > > > > > cifs-protocol <cifs-protocol at lists.samba.org> Subject: RE:
> > > > > > > [EXTERNAL] [MS-LSAD] Need help with
> > > > > > > LsarCreateTrustedDomainEx3
> > > > > > > -
> > > > > > > TrackingID#2312050040012372
> > > > > > >
> > > > > > > Hi Andreas,
> > > > > > >
> > > > > > > Hopefully the LSASS TTT will tell us which parameter it is.
> > > > > > > I will let you know.
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > > Microsoft Protocol Open Specifications Team Phone: +1 (425)
> > > > > > > 703-8300 x38300 |
> > > > > > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and
> > > > > > > Canada) Local country phone number found here:
> > > > > > > http://suppo/
> > > > > > > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40micr
> > > > > > > os
> > > > > > > of
> > > > > > > t.com%
> > > > > > > 7C57e7e1341d7243e6808108dbfa54bc29%7C72f988bf86f141af91ab2d7
> > > > > > > cd
> > > > > > > 01
> > > > > > > 1db47%
> > > > > > > 7C1%7C0%7C638379014130166111%7CUnknown%7CTWFpbGZsb3d8eyJWIjo
> > > > > > > iM
> > > > > > > C4
> > > > > > > wLjAwM
> > > > > > > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%
> > > > > > > 7C
> > > > > > > %7
> > > > > > > C&sdat
> > > > > > > a=YozjfDZHR1hYS4F9VW4bWyBSwETo0h5MzsNIKienQP4%3D&reserved=0
> > > > > > >
> > > > > > > | Extension
> > > > > > >
> > > > > > > 1138300
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Andreas Schneider <asn at samba.org>
> > > > > > > Sent: Wednesday, December 6, 2023 1:41 AM
> > > > > > > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > > > > > > Cc: Microsoft Support <supportmail at microsoft.com>;
> > > > > > > cifs-protocol <cifs-protocol at lists.samba.org> Subject: Re:
> > > > > > > [EXTERNAL] [MS-LSAD] Need help with
> > > > > > > LsarCreateTrustedDomainEx3
> > > > > > > -
> > > > > > > TrackingID#2312050040012372 On
> > > > > > >
> > > > > > > Tuesday, 5 December 2023 23:40:12 CET Jeff McCashland
> > > > > > > (He/him)
> >
> > wrote:
> > > > > > > > Hi Andreas,
> > > > > > >
> > > > > > > Hi Jeff,
> > > > > > >
> > > > > > > > I would like to collect LSASS TTT traces to troubleshoot
> > > > > > > > the failure.
> > > > > > >
> > > > > > > Thank you very much for your help!
> > > > > > >
> > > > > > > I've uploaded lsass03.zip to the workspace. It includes the
> > > > > > > TimeTrace, the network trace and smbtorture debug log.
> > > > > > >
> > > > > > > Günther just added support for LsarCreateTrustedDomainEx3 to
> > > > > > > Wireshark two weeks ago [1]. I don't think the code is in a
> > > > > > > release yet. You wont see the calls nicely unmarshalled yet.
> > > > > > > However I attached smbtorture debug log. You can see the NDR
> > > > > > > printout there.
> > > > > > >
> > > > > > > The question is which input paramter
> > > > > > > LsarCreateTrustedDomainEx3 thinks is invalid. Once I know
> > > > > > > that, I can fix hopefully the test :-)
> > > > > > >
> > > > > > >
> > > > > > > Thank you very much for your assistance! This is much
> > > > > > > appreciated.
> > > > > > >
> > > > > > >
> > > > > > > Best regards
> > > > > > >
> > > > > > > Andreas
> > > > > > >
> > > > > > > [1]
> > > > > > > https://gitl/
> > > > > > > ab.com%2Fwireshark%2Fwireshark%2F-%2Fmerge_requests%2F13370&
> > > > > > > da
> > > > > > > ta
> > > > > > > =05%7C
> > > > > > > 02%7Cjeffm%40microsoft.com%7C57e7e1341d7243e6808108dbfa54bc2
> > > > > > > 9%
> > > > > > > 7C
> > > > > > > 72f988
> > > > > > > bf86f141af91ab2d7cd011db47%7C1%7C0%7C638379014130172902%7CUn
> > > > > > > kn
> > > > > > > ow
> > > > > > > n%7CTW
> > > > > > > FpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haW
> > > > > > > wi
> > > > > > > LC
> > > > > > > JXVCI6
> > > > > > > Mn0%3D%7C3000%7C%7C%7C&sdata=8V1KVQz858RkWskCVF8lfnHCfaVT35P
> > > > > > > mt
> > > > > > > TZ
> > > > > > > XNoTOd
> > > > > > > Ds%3D&reserved=0
> > > > > > >
> > > > > > > > The LSASS traces can be quite large, but are highly
> > > > > > > > compressible, so please add them to a .zip archive before
> > > > > > > > uploading (file transfer workspace credentials are below).
> > > > > > > > Please log into the workspace and find
> > > > > > > > PartnerTTDRecorder_x86_x64.zip available for download. The
> > > > > > > > x64 tool can be staged onto the Windows server in any
> > > > > > > > location (instructions below assume C:\TTD).> > > > > To
> > > > > > > >
> > > > > > > > collect the needed traces:
> > > > > > > > 1. From a PowerShell prompt, execute:
> > > > > > > > C:\TTD\tttracer.exe -Attach
> > > > > > > >
> > > > > > > > ([int](Get-Process
> > > > > > > >
> > > > > > > > -NAME
> > > > > > > >
> > > > > > > > lsass | Format-Wide -Property
> > > > > > > > ID).formatEntryInfo.formatPropertyField.propertyValue) 2.
> > > > > > > > Wait for a little window to pop up in top left corner of
> > > > > > > > your screen, titled "lsass01.run" 3. start a network trace
> > > > > > > > using netsh or WireShark, etc.
> > > > > > > >
> > > > > > > > 4. Repro the attempted operation
> > > > > > > > 5. Stop the network trace and save it
> > > > > > > > 6. CAREFULLY: uncheck the checkbox next to "Tracing"
> > > > > > > >
> > > > > > > > in the
> > > > > > > >
> > > > > > > > small "lsass01.run" window. Do not close or exit the small
> > > > > > > > window or you will need to reboot. 7. The TTTracer.exe
> > > > > > > > process will generate a trace file, then print out the
> > > > > > > > name and location of the file. Compress the *.run file
> > > > > > > > into a .zip archive before uploading with the matching
> > > > > > > > network trace. It is a good idea to reboot the machine at
> > > > > > > > the next opportunity to restart the lsass process.
> > > > > > > >
> > > > > > > > Workspace credentials:
> > > > > > > > Log in as:
> > > > > > > > 2312050040012372_andreas at dtmxfer.onmicrosoft.com
> > > > > > > > 1-Time: 3fjE7C5Q
> > > > > > > >
> > > > > > > > Workspace link:
> > > > > > > > https://supp/
> > > > > > > > ort.microsoft.com%2Ffiles%3Fworkspace%3DeyJ0eXAiOiJKV1QiLC
> > > > > > > > Jh
> > > > > > > > bG
> > > > > > > > ciOiJS
> > > > > > > > U&
> > > > > > > > data=05%7C02%7Cjeffm%40microsoft.com%7C54e1a37f1c1443631ff
> > > > > > > > f0
> > > > > > > > 8d
> > > > > > > > bf63f7
> > > > > > > > 00
> > > > > > > > f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63837452456
> > > > > > > > 58
> > > > > > > > 53
> > > > > > > > 145%7C
> > > > > > > > Un
> > > > > > > > known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLC
> > > > > > > > JB
> > > > > > > > Ti
> > > > > > > > I6Ik1h
> > > > > > > > aW
> > > > > > > > wiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=dzdf2v%2BshYAg5Ykvo
> > > > > > > > Up
> > > > > > > > sI
> > > > > > > > %2BiM2
> > > > > > > > f1
> > > > > > > > FuLIaxMoDK1zJanU%3D&reserved=0
> > > > > > > > zI1NiJ9.eyJ3c2lkIjoiMmFkNGE3MjEtZDBjMS00YzFkLTlhMzItY2ZlMG
> > > > > > > > E1
> > > > > > > > Ym
> > > > > > > > I0MWJm
> > > > > > > > Ii
> > > > > > > > wic3Ii
> > > > > > > > OiIyMzEyMDUwMDQwMDEyMzcyIiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLT
> > > > > > > > Rl
> > > > > > > > NW
> > > > > > > > UtYmUz
> > > > > > > > OC
> > > > > > > > 1lYTNi
> > > > > > > > ZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOi
> > > > > > > > I0
> > > > > > > > Yz
> > > > > > > > NmODcy
> > > > > > > > OS
> > > > > > > > 1iZGY3
> > > > > > > > LTQ5MzUtYjE3My02ZGVmY2Q5ODY3ZTAiLCJpc3MiOiJodHRwczovL2FwaS
> > > > > > > > 5k
> > > > > > > > dG
> > > > > > > > 1uZWJ1
> > > > > > > > bG
> > > > > > > > EubWlj
> > > > > > > > cm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MDk1OT
> > > > > > > > E2
> > > > > > > > Nj
> > > > > > > > QsIm5i
> > > > > > > > Zi
> > > > > > > > I6MTcw
> > > > > > > > MTgxNTY2NH0.aoqsUChbv4ldUIHza-JNdUpjPPE6iosBaQpCZ49SyHTSan
> > > > > > > > Gl
> > > > > > > > ht
> > > > > > > > y-H-f_
> > > > > > > > 2t
> > > > > > > > lGEFYq
> > > > > > > > PmDkt5SsQ9_fyOTERFuxtCYbfNeFZSVyWyI_AW_mLy06ymrLISZamM0GOb
> > > > > > > > Mw
> > > > > > > > d8
> > > > > > > > xkSJrl
> > > > > > > > 6s
> > > > > > > > MHiQd6
> > > > > > > > pBtoQ4tIaA3yebDax4mrbJbSjgolCVFcXhwMVOdSocmTwwV5jnC4gKalHF
> > > > > > > > 6H
> > > > > > > > -U
> > > > > > > > KMHkZb
> > > > > > > > Kn
> > > > > > > > Aqyui2
> > > > > > > > Eg4tAT9sNTlrUDaxznIMuA1s0Z2YT2X6jVGMugeJHf5NiO0N6DOlEcQOye
> > > > > > > > CS
> > > > > > > > Xs
> > > > > > > > WoLxJo
> > > > > > > > F6
> > > > > > > > CT3Q1e
> > > > > > > > o5otojkQv3QD-IrpZU2RHpPTpWcH9TAcus-fH2KdDD-670wxHw&wid=2ad
> > > > > > > > 4a
> > > > > > > > 72
> > > > > > > > 1-d0c1
> > > > > > > > -4
> > > > > > > > c1d-9a
> > > > > > > > 32-cfe0a5bb41bf
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > > > Microsoft Protocol Open Specifications Team Phone: +1
> > > > > > > > (425)
> > > > > > > > 703-8300 x38300 |
> > > > > > > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US
> > > > > > > > and
> > > > > > > > Canada) Local country phone number found here:
> > > > > > > > http://suppo/
> > > > > > > > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40mi
> > > > > > > > cr
> > > > > > > > os
> > > > > > > > oft.co
> > > > > > > > m%
> > > > > > > > 7C54e1a37f1c1443631fff08dbf63f700f%7C72f988bf86f141af91ab2
> > > > > > > > d7
> > > > > > > > cd
> > > > > > > > 011db4
> > > > > > > > 7%
> > > > > > > > 7C1%7C0%7C638374524565858700%7CUnknown%7CTWFpbGZsb3d8eyJWI
> > > > > > > > jo
> > > > > > > > iM
> > > > > > > > C4wLjA
> > > > > > > > wM
> > > > > > > > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7
> > > > > > > > C%
> > > > > > > > 7C
> > > > > > > > %7C&sd
> > > > > > > > at
> > > > > > > > a=EQOmU95wBWcFuv2c56sDxW8YHrBn2%2FCnX34U4igxtow%3D&reserve
> > > > > > > > d=
> > > > > > > > 0
> > > > > > > >
> > > > > > > > | Extension
> > > > > > > >
> > > > > > > > 1138300
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Jeff McCashland (He/him)
> > > > > > > > Sent: Tuesday, December 5, 2023 11:50 AM
> > > > > > > > To: Andreas Schneider <asn at samba.org>; cifs-protocol
> > > > > > > > <cifs-protocol at lists.samba.org> Cc: Microsoft Support
> > > > > > > > <supportmail at microsoft.com>
> > > > > > > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> > > > > > > > LsarCreateTrustedDomainEx3
> > > > > > > > - TrackingID#2312050040012372
> > > > > > > >
> > > > > > > > [Michael to BCC]
> > > > > > > >
> > > > > > > > Hi Andreas,
> > > > > > > >
> > > > > > > > I will dig into your question and let you know what I find.
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > > > Microsoft Protocol Open Specifications Team Phone: +1
> > > > > > > > (425)
> > > > > > > > 703-8300 x38300 |
> > > > > > > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US
> > > > > > > > and
> > > > > > > > Canada) Local country phone number found here:
> > > > > > > > http://suppo/
> > > > > > > > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40mi
> > > > > > > > cr
> > > > > > > > os
> > > > > > > > oft.co
> > > > > > > > m%
> > > > > > > > 7C54e1a37f1c1443631fff08dbf63f700f%7C72f988bf86f141af91ab2
> > > > > > > > d7
> > > > > > > > cd
> > > > > > > > 011db4
> > > > > > > > 7%
> > > > > > > > 7C1%7C0%7C638374524565862806%7CUnknown%7CTWFpbGZsb3d8eyJWI
> > > > > > > > jo
> > > > > > > > iM
> > > > > > > > C4wLjA
> > > > > > > > wM
> > > > > > > > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7
> > > > > > > > C%
> > > > > > > > 7C
> > > > > > > > %7C&sd
> > > > > > > > at
> > > > > > > > a=X2E1OH%2FlPSBqIUii84PAHkxyXw5B5GNlk22G5AzwWk4%3D&reserve
> > > > > > > > d=
> > > > > > > > 0
> > > > > > > >
> > > > > > > > | Extension
> > > > > > > >
> > > > > > > > 1138300
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Michael Bowen <Mike.Bowen at microsoft.com>
> > > > > > > > Sent: Tuesday, December 5, 2023 11:25 AM
> > > > > > > > To: Andreas Schneider <asn at samba.org>; cifs-protocol
> > > > > > > > <cifs-protocol at lists.samba.org> Cc: Microsoft Support
> > > > > > > > <supportmail at microsoft.com>
> > > > > > > > Subject: RE: [EXTERNAL] [MS-LSAD] Need help with
> > > > > > > > LsarCreateTrustedDomainEx3
> > > > > > > > - TrackingID#2312050040012372
> > > > > > > >
> > > > > > > > [DocHelp to BCC]
> > > > > > > > Hi Andreas,
> > > > > > > >
> > > > > > > > Thank you for your question about MS-LSAD. Case number
> > > > > > > > 2312050040012372 has been created to track this issue, one
> > > > > > > > of our engineers will contact you soon.
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > > Mike Bowen
> > > > > > > > Escalation Engineer - Microsoft Open Specifications
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Andreas Schneider <asn at samba.org>
> > > > > > > > Sent: Tuesday, December 5, 2023 5:34 AM
> > > > > > > > To: Interoperability Documentation Help
> > > > > > > > <dochelp at microsoft.com>; cifs-protocol
> > > > > > > > <cifs-protocol at lists.samba.org> Subject: [EXTERNAL]
> > > > > > > > [MS-LSAD] Need help with LsarCreateTrustedDomainEx3
> > > > > > > >
> > > > > > > > Hi Dochelp Team!
> > > > > > > >
> > > > > > > > I'm currently trying to write an smbtorture test for
> > > > > > > > LsarCreateTrustedDomainEx3. My test doesn't work against
> > > > > > > > Windows Server 2022.
> > > > > > > >
> > > > > > > > lsa_CreateTrustedDomainEx3: struct
> > > > > > > >
> > > > > > > > lsa_CreateTrustedDomainEx3
> > > > > > > >
> > > > > > > > out: struct lsa_CreateTrustedDomainEx3
> > > > > > > >
> > > > > > > > trustdom_handle : *
> > > > > > > >
> > > > > > > > trustdom_handle: struct policy_handle
> > > > > > > >
> > > > > > > > handle_type : 0x00000000 (0)
> > > > > > > >
> > > > > > > > uuid :
> > > > > > > > 00000000-0000-0000-0000-000000000000
> > > > > > > >
> > > > > > > > result :
> > > > > > > > NT_STATUS_INVALID_PARAMETER
> > > > > > > >
> > > > > > > > The test is more or less the same as we have for
> > > > > > > > LsarCreateTrustedDomainEx2, but it fails for
> > > > > > > > LsarCreateTrustedDomainEx3 with NT_STATUS_INVALID_PARAMETER.
> > > > > > > > Another Samba Team member did check the code I wrote and
> > > > > > > > could find anything wrong.
> > > > > > > >
> > > > > > > > I've tried to turn on debug logging for the netlogon
> > > > > > > > service on windows, but it doesn't log anything useful. So
> > > > > > > > I'm not able to figure out what value the server thinks is
> > > > > > > > invalid.
> > > > > > > >
> > > > > > > > Could someone of the Dochelp Team help me if I create a
> > > > > > > > Time Trace and figure out on which input value the server
> > > > > > > > chokes?
> > > > > > > >
> > > > > > > >
> > > > > > > > Thanks for your help.
> > > > > > > >
> > > > > > > >
> > > > > > > > Best regards
> > > > > > > >
> > > > > > > > Andreas Schneider
> > > > > > > >
> > > > > > > > --
> > > > > > > > Andreas Schneider asn at samba.org
> > > > > > > > Samba Team http://www.samba.org/
> > > > > > > > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> > > > > > >
> > > > > > > --
> > > > > > > Andreas Schneider asn at samba.org
> > > > > > > Samba Team http://www.samba.org/
> > > > > > > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> > > > > >
> > > > > > --
> > > > > > Andreas Schneider asn at samba.org
> > > > > > Samba Team http://www.samba.org/
> > > > > > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> > >
> > > --
> > > Andreas Schneider asn at samba.org
> > > Samba Team http://www.samba.org/
> > > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> >
> > --
> > Andreas Schneider asn at samba.org
> > Samba Team http://www.samba.org/
> > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
> --
> Andreas Schneider asn at samba.org
> Samba Team http://www.samba.org/
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the cifs-protocol
mailing list