[cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

Stefan Metzmacher metze at samba.org
Wed Jan 10 07:52:44 UTC 2024


Hi Jeff,

> We have updated [MS-LSAD] for the next release to address this issue:
> 
> 2.2.7.29 LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES
> The LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure communicates authentication material. The cleartext password data is in the form of a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16). The following structure corresponds to the TrustedDomainAuthInformationInternalAes information class (section 2.2.7.2).
> 
> 3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129)
> AuthenticationInformation: A structure containing encrypted LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) authentication information for the trusted domain.
> If the length of cbCipher in AuthenticationInformation is less than (512 + IncomingAuthInfoSize + OutgoingAuthInfoSize) the server MUST return STATUS_INVALID_PARAMETER.

Please note that LSAPR_TRUSTED_DOMAIN_AUTH_BLOB is not strictly correct.

Maybe it would be useful to define a new separate structure for the content of
LSAPR_TRUSTED_DOMAIN_AUTH_BLOB.AuthBlob. As that's what is used in
LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES.Cipher

metze




More information about the cifs-protocol mailing list