[cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

Jeff McCashland (He/him) jeffm at microsoft.com
Tue Jan 9 17:37:18 UTC 2024


Good catch, we missed that! We'll take care of it.

-----Original Message-----
From: Andreas Schneider <asn at samba.org>
Sent: Monday, January 8, 2024 11:57 PM
To: cifs-protocol at lists.samba.org; Jeff McCashland (He/him) <jeffm at microsoft.com>
Subject: Re: [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

On Monday, 8 January 2024 19:28:45 CET Jeff McCashland (He/him) wrote:
> [-Support]
>
> Hi Andreas,

Hi Jeff,

> We have updated [MS-LSAD] for the next release to address this issue:

thank you very much for the update!

> 2.2.7.29 LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> The LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure
> communicates authentication material. The cleartext password data is
> in the form of a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16).
> The following structure corresponds to the
> TrustedDomainAuthInformationInternalAes
> information class (section 2.2.7.2).
>
> 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129)
> AuthenticationInformation: A structure containing encrypted
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) authentication
> information for the trusted domain. If the length of cbCipher in
> AuthenticationInformation is less than (512 + IncomingAuthInfoSize +
> OutgoingAuthInfoSize) the server MUST return STATUS_INVALID_PARAMETER.

The same applies to LsarCreateTrustedDomainEx2, the decrypted cipher is also a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB :-)

> I hope that helps!

It does, thanks.


Best regards


        Andreas


> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://suppo/
> rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> 7C57dc8a7331904001aac808dc10e89e05%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638403838488412957%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=LkqsAsNBAnylz2JEOATzqJAul8KSr%2BXJxvw5KmKW1Z4%3D&reserved=0 |
> Extension
> 1138300
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Thursday, December 21, 2023 9:20 AM
> To: Andreas Schneider <asn at samba.org>; cifs-protocol at lists.samba.org
> Cc: cifs-protocol <cifs-protocol at lists.samba.org>; Microsoft Support
> <supportmail at microsoft.com> Subject: RE: [EXTERNAL] Re: [MS-LSAD]
> LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information
> -
> TrackingID#2312150040008317
>
> Hi Andreas,
>
> Thank you for the information. I will work with our LSAD team to
> confirm and update the spec.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here:
> http://suppo/
> rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%
> 7C57dc8a7331904001aac808dc10e89e05%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638403838488420825%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=5O9HST1I2elYauHUEVfgULt18kTXD46ffEL9SUiZPlU%3D&reserved=0 |
> Extension
> 1138300
>
> -----Original Message-----
> From: Andreas Schneider <asn at samba.org>
> Sent: Thursday, December 21, 2023 4:31 AM
> To: cifs-protocol at lists.samba.org; Jeff McCashland (He/him)
> <jeffm at microsoft.com> Cc: cifs-protocol
> <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com> Subject: [EXTERNAL] Re:
> [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth
> information - TrackingID#2312150040008317 On Friday, 15 December 2023
> 19:18:01 CET Jeff McCashland (He/him) wrote:
> > [Updated Subject w/new SR ID]
> >
> > Hi Andreas,
>
> Hi Jeff,
>
> > I was able to confirm in our source code that
> > LsarCreateTrustedDomainEx3 actually marshals the data into
> > LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION as documented.
>
> I've implemented LsarCreateTrustedDomainEx3 in our rpc_server and let
> Windows create a trust. I was able to successfully decrypt the data.
> The data blob after decryption *is* in the format
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB!
>
>
> Your unmarshal function on Windows probably converts the
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB after decryption into an
> LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION structure. However this step is
> undocumented. You do exactly the same with LsarCreateTrustedDomainEx2.
> In
> LsarCreateTrustedDomainEx2 after decryption the data blob (ciphertext)
> is a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB too.
>
>
> I guess your unmarshall functions converts from
> LSAPR_TRUSTED_DOMAIN_AUTH_BLOB into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION.
>
>
> Merry Christmas :-)
>
>
>         Andreas
>
> > I am still researching why the requirement is there.
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300 |
> > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here:
> > http://suppo/
> > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.co
> > m%
> > 7C37da3b29a64349553f6f08dc0220a95d%7C72f988bf86f141af91ab2d7cd011db4
> > 7%
> > 7C1%7C0%7C638387586534264986%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
> > wM
> > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sd
> > at
> > a=ap82GTwsfpE3q8xNpFkfIi1wEXoUHw4CZNUOsdvRLJY%3D&reserved=0 |
> > Extension
> > 1138300
> >
> > -----Original Message-----
> > From: Andreas Schneider <asn at samba.org>
> > Sent: Friday, December 15, 2023 8:22 AM
> > To: cifs-protocol at lists.samba.org; Jeff McCashland (He/him)
> > <jeffm at microsoft.com> Cc: cifs-protocol
> > <cifs-protocol at lists.samba.org>; Microsoft Support
> > <supportmail at microsoft.com> Subject: Re: [cifs-protocol] [EXTERNAL]
> > [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> > TrackingID#2312050040012372
> >
> > On Thursday, 14 December 2023 18:38:05 CET Jeff McCashland (He/him) wrote:
> > > Hi Andreas,
> >
> > Hi Jeff,
> >
> > > Thank you for the suggestion. I will look into that.
> >
> > I revisted our CreateTrustedDomainEx2 code and it uses 2.2.7.16
> > LSAPR_TRUSTED_DOMAIN_AUTH_BLOB instead of 2.2.7.11. So it is already
> > wrong in the CreateTrustedDomainEx2 documentation which probably has
> > just been copied over.
> >
> > I've implemented the test using LSAPR_TRUSTED_DOMAIN_AUTH_BLOB as
> > the blob we encrypt but my test still fails. There might be some
> > more details we need to figure out. I will wait with them the
> > LSAPR_TRUSTED_DOMAIN_AUTH_BLOB part is clarified :-)
> >
> > Thank you and have a nice weekend!
> >
> >         Andreas
> > >
> > > Best regards,
> > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> > > Protocol Open Specifications Team Phone: +1 (425) 703-8300 x38300
> > > |
> > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and
> > > Canada) Local country phone number found here:
> > > http://suppo/
> > > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.
> > > co
> > > m%
> > > 7C5282d20f08da48f4ebd208dbfd89e75b%7C72f988bf86f141af91ab2d7cd011d
> > > b4
> > > 7%
> > > 7C1%7C0%7C638382540985584052%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
> > > jA
> > > wM
> > > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&
> > > sd
> > > at
> > > a=c59izqMznI7MT7J2l6LC2Gdbk3RRrRej5pE8xFPEbY4%3D&reserved=0 |
> > > Extension
> > > 1138300
> > >
> > > -----Original Message-----
> > > From: Andreas Schneider <asn at samba.org>
> > > Sent: Thursday, December 14, 2023 4:14 AM
> > > To: Jeff McCashland (He/him) <jeffm at microsoft.com>;
> > > cifs-protocol at lists.samba.org Cc: cifs-protocol
> > > <cifs-protocol at lists.samba.org>; Microsoft Support
> > > <supportmail at microsoft.com> Subject: Re: [cifs-protocol]
> > > [EXTERNAL] [MS-LSAD] Need help with LsarCreateTrustedDomainEx3 -
> > > TrackingID#2312050040012372
> > >
> > > On Thursday, 14 December 2023 07:28:46 CET Andreas Schneider wrote:
> > > > On Wednesday, 13 December 2023 22:55:54 CET Andreas Schneider
> > > > via
> > > > cifs-
> > > >
> > > > protocol wrote:
> > > > > On Wednesday, 13 December 2023 18:45:25 CET Jeff McCashland
> > > > > (He/him)
> > >
> > > wrote:
> > > > > > Hi Andreas,
> > > > >
> > > > > Hi Jeff,
> > > > >
> > > > > > I found that the cause of the INVALID_PARAMETER error is
> > > > > > that cbCipher is too small in the
> > > > > > PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> > > > > > structure included in the request.
> > > > > >
> > > > > > The value sent is 0xD0 (208), while we were expecting at
> > > > > > least
> > > > > > 520 (0x208).
> > > > > > Is there some significance that the correct hex value
> > > > > > matches the passed decimal value?
> > > > >
> > > > > thank you very much for taking a look.
> > > > >
> > > > > I think the value is more a coincidence. It is strange that
> > > > > you expect at least 520 bytes in size. This is either because
> > > > > of some password length requirement or you need to use a
> > > > > buffers for passwords and fill it up with random data if too
> > > > > short, like we have for the *Buffer* in [MS-SAMR] 2.2.6.32.
> > > > > That's done in MS-SAMR to avoid guessing the password length.
> > > > >
> > > > > I can test if using longer passwords fixes the issue.
> > > >
> > > > We use passwords which are ~15 chars long. Using longer password
> > > > doesn't fix the problem.
> > > >
> > > > Our testsuite has one function to test
> > > > LsarCreateTrustedDomainEx2 and LsarCreateTrustedDomainEx3. The
> > > > values we use are essentially the same.
> > > > There are just differences in one char and the function using
> > > > different structures.
> > > >
> > > > LsarCreateTrustedDomainEx2 succeeds with those values and
> > > > LsarCreateTrustedDomainEx3 fails. I would argue that
> > > > LsarCreateTrustedDomainEx3 expects something which is not documented.
> > > >
> > > > Why does LsarCreateTrustedDomainEx3 expect at least 520 bytes
> > > > for the cbCipher value?
> > >
> > > Hi Jeff,
> > >
> > > Section 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129) has:
> > >
> > > +++++++++
> > > AuthenticationInformation: A structure containing authentication
> > > information for the trusted domain.
> > >
> > > The server MUST first decrypt this data structure using the
> > > algorithm specified in AES Cipher Usage (section 5.1.5) with the
> > > key being the session key negotiated by the transport. Next, the
> > > server MUST unmarshal the data inside this structure and store it
> > > in a structure, the format of which is specified in section 2.2.7.11.
> > > +++++++++
> > >
> > > I've talked to other Samba Team members and our guess is that the
> > > data structure inside is not 2.2.7.11 but it is 2.2.7.16
> > > LSAPR_TRUSTED_DOMAIN_AUTH_BLOB. That blob contains 512 bytes of
> > > random data and would explain the 520 bytes size check.
> > >
> > >
> > > Best regards
> > >
> > >         Andreas
> > > >
> > > > Best regards
> > > >
> > > >       Andreas
> > > > > >
> > > > > > Please let me know if this doesn't fully answer your question.
> > > > >
> > > > > Now the question is why does the cipher need to be bigger than
> > > > > 520 bytes?
> > > > > I
> > > > > don't see anything in the documentation about it. There is
> > > > > just an upper limit in the docs:
> > > > >
> > > > > #define MAX_AUTHBLOB_SIZE ( 64 * 1024 )
> > > > >
> > > > >
> > > > > Best regards
> > > > >
> > > > >     Andreas
> > > > > >
> > > > > > Best regards,
> > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > Microsoft Protocol Open Specifications Team Phone: +1 (425)
> > > > > > 703-8300 x38300
> > > > > >
> > > > > > | Hours:
> > > > > > 9am-5pm
> > > > > >
> > > > > > Time zone: (UTC-08:00) Pacific Time (US and Canada) Local
> > > > > > country phone number found here:
> > > > > > http://s/
> > > > > > upport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40
> > > > > > mi
> > > > > > cr
> > > > > > os
> > > > > > oft.com%7Ca0a3d9e3339542a24b6808dbfc9e373e%7C72f988bf86f141a
> > > > > > f9
> > > > > > 1a
> > > > > > b2
> > > > > > d7cd011db47%7C1%7C0%7C638381528699136760%7CUnknown%7CTWFpbGZ
> > > > > > sb
> > > > > > 3d
> > > > > > 8e
> > > > > > yJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6M
> > > > > > n0
> > > > > > %3
> > > > > > D%
> > > > > > 7C3000%7C%7C%7C&sdata=degD5aTx9XBA2kYQadl4RW19Rp2VxTRvNiwmuQ
> > > > > > IH
> > > > > > hW
> > > > > > k%
> > > > > > 3D&reserved=0 | Extension
> > > > > > 1138300
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Jeff McCashland (He/him)
> > > > > > Sent: Monday, December 11, 2023 9:28 AM
> > > > > > To: Andreas Schneider <asn at samba.org>
> > > > > > Cc: Microsoft Support <supportmail at microsoft.com>;
> > > > > > cifs-protocol <cifs-protocol at lists.samba.org> Subject: RE:
> > > > > > [EXTERNAL] [MS-LSAD] Need help with
> > > > > > LsarCreateTrustedDomainEx3
> > > > > > -
> > > > > > TrackingID#2312050040012372
> > > > > >
> > > > > > Hi Andrew,
> > > > > >
> > > > > > Thank you for the information. I will let you know what I find.
> > > > > >
> > > > > > Best regards,
> > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > Microsoft Protocol Open Specifications Team Phone: +1 (425)
> > > > > > 703-8300 x38300
> > > > > >
> > > > > > | Hours:
> > > > > > 9am-5pm
> > > > > >
> > > > > > Time zone: (UTC-08:00) Pacific Time (US and Canada) Local
> > > > > > country phone number found here:
> > > > > > http://s/
> > > > > > upport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40
> > > > > > mi
> > > > > > cr
> > > > > > os
> > > > > > oft.com%7Ca0a3d9e3339542a24b6808dbfc9e373e%7C72f988bf86f141a
> > > > > > f9
> > > > > > 1a
> > > > > > b2
> > > > > > d7cd011db47%7C1%7C0%7C638381528699143936%7CUnknown%7CTWFpbGZ
> > > > > > sb
> > > > > > 3d
> > > > > > 8e
> > > > > > yJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6M
> > > > > > n0
> > > > > > %3
> > > > > > D%
> > > > > > 7C3000%7C%7C%7C&sdata=6x4I5Uupmj3X3JQ9wRxgXVridToWl%2BU%2FzF
> > > > > > o4
> > > > > > Pw
> > > > > > R7
> > > > > > qdA%3D&reserved=0 | Extension
> > > > > > 1138300
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Andreas Schneider <asn at samba.org>
> > > > > > Sent: Monday, December 11, 2023 6:23 AM
> > > > > > To: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > > > > > Cc: Microsoft Support <supportmail at microsoft.com>;
> > > > > > cifs-protocol <cifs-protocol at lists.samba.org> Subject: Re:
> > > > > > [EXTERNAL] [MS-LSAD] Need help with
> > > > > > LsarCreateTrustedDomainEx3
> > > > > > -
> > > > > > TrackingID#2312050040012372
> > > > > >
> > > > > > On Thursday, 7 December 2023 20:43:05 CET Jeff McCashland
> > > > > > (He/him)
> > >
> > > wrote:
> > > > > > > Hi Andreas,
> > > > > >
> > > > > > Hi Jeff,
> > > > > >
> > > > > > > I was not able to find an INVALID_PARAMETER failure in the
> > > > > > > provided network trace. Is this the network trace that was
> > > > > > > collected at the same time as the TTT trace?
> > > > > >
> > > > > > I've compiled wireshark from the git master branch. This has
> > > > > > support for decoding the new lsa calls correctly. I opened
> > > > > > the wireshark trace I sent you with it and the first
> > > > > > LsarCreateTrustedDomainEx3 request is frame 76.
> > > > > > Frame 77 is the corresponding response which returns
> > > > > > INVALID_PARAMETER (screenshot attached).
> > > > > >
> > > > > > I hope that helps. Thanks for your help.
> > > > > >
> > > > > >
> > > > > > Best regards
> > > > > >
> > > > > >         Andreas
> > > > > > >
> > > > > > > I see the INVALID_PARAMETER error in your smbtorture logs,
> > > > > > > but I don't know which packet in the network trace that
> > > > > > > relates to.
> > > > > > >
> > > > > > > Could you clarify?
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer |
> > > > > > > Microsoft Protocol Open Specifications Team Phone: +1
> > > > > > > (425)
> > > > > > > 703-8300 x38300 |
> > > > > > > Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US
> > > > > > > and
> > > > > > > Canada) Local country phone number found here:
> > > > > > > http://suppo/
> > > > > > > rt.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40mi
> > > > > > > cr
> > > > > > > os
> > > > > > > of
> > > > > > > t.com%
> > > > > > > 7C57e7e1341d7243e6808108dbfa54bc29%7C72f988bf86f141af91ab2
> > > > > > > d7
> > > > > > > cd
> > > > > > > 01
> > > > > > > 1db47%
> > > > > > > 7C1%7C0%7C638379014130155860%7CUnknown%7CTWFpbGZsb3d8eyJWI
> > > > > > > jo
> > > > > > > iM
> > > > > > > C4
> > > > > > > wLjAwM
> > > > > > > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7
> > > > > > > C%
> > > > > > > 7C
> > > > > > > %7
> > > > > > > C&sdat
> > > > > > > a=QJVmNP2krXHQDVe%2B1OQnuwGDsK2yfgH6hyezrqzjaQY%3D&reserve
> > > > > > > d=
> > > > > > > 0
> > > > > > >
> > > > > > > | Extension
> > > > > > >
> > > > > > > 1138300
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Jeff McCashland (He/him)
> > > > > > > Sent: Wednesday, December 6, 2023 7:53 AM
> > > > > > > To: Andreas Schneider <asn at samba.org>
> > > > > > > Cc: Microsoft Support <supportmail at microsoft.com>;
> > > > > > > cifs-protocol <cifs-protocol at lists.samba.org> Subject: RE:
> > > > > > > [EXTERNAL] [MS-LSAD] Need help with
> > > > > > > LsarCrea