Bug 15680 - Trust domains are not created
Summary: Trust domains are not created
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.20.2
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-09 14:22 UTC by Dinar Yulmukhametov
Modified: 2024-07-18 16:18 UTC
CC List: 2 users

See Also:


Attachments
trust create log with -d 10 and commented try-except (14.03 KB, text/plain), 2024-07-12 07:59 UTC, Dinar Yulmukhametov
Network trace (rpcclient lsaquery against Windows Server 2012) (6.57 KB, application/octet-stream), 2024-07-17 12:15 UTC, Andreas Schneider
Draft patches for a fix... (15.96 KB, patch), 2024-07-18 16:18 UTC, Stefan Metzmacher

Description Dinar Yulmukhametov 2024-07-09 14:22:48 UTC
When creating trusted domains with Windows Server 2016 and older, Samba
receives an ACCESS_DENIED response. After that, Windows disconnects
the connection.

Steps to reproduce:

$ samba-tool domain trust create win.dom.net --direction="both" --type="external" --quarantined="no" --create-location="both" --skip-validation -Uadministrator@win.dom.net
...
ERROR: REMOTE_DC[DC1.win.dom.net]: failed to query LSA_POLICY_INFO_DNS - ERROR(0xC0000022) - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Actual result:
"Access denied" error

Expected Results:
Successful creation of a trust domain
Comment 1 Andreas Schneider 2024-07-12 06:58:12 UTC
Can you please provide the full output of samba-tool with log level 10 and a corresponding network trace?
Comment 2 Andreas Schneider 2024-07-12 07:01:35 UTC
You can also remove the try: line and the except: block in OpenPolicyFallback, and you will get the NTError that we probably fail to handle.
Comment 3 Dinar Yulmukhametov 2024-07-12 07:59:41 UTC
Created attachment 18375 [details]
trust create log with -d 10 and commented try-except

This is the output for the command:

samba-tool domain trust create winlocal.net --direction="both" --type="external" --quarantined="no" --create-location="both" --skip-validation -UAdministrator@winlocal.net -d 10

and the OpenPolicyFallback function with the try-except commented out:

code:

# Imports this snippet needs (added here so the function reads stand-alone;
# in samba-tool they come from the surrounding module):
from samba import NTSTATUSError
from samba.dcerpc import lsa
from samba.ntstatus import NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE


def OpenPolicyFallback(
    conn: lsa.lsarpc,
    system_name: str,
    in_version: int,
    in_revision_info: lsa.revision_info1,
    sec_qos: bool = False,
    access_mask: int = 0,
):
    attr = lsa.ObjectAttribute()
    if sec_qos:
        # Security quality of service; impersonation level 2 is SecurityImpersonation.
        qos = lsa.QosInfo()
        qos.len = 0xc
        qos.impersonation_level = 2
        qos.context_mode = 1
        qos.effective_only = 0

        attr.sec_qos = qos

    # The try/except is commented out on purpose (see comment 2) so that the
    # raw NTSTATUS raised by OpenPolicy3 propagates instead of being handled.
    # try:
    out_version, out_rev_info, policy = conn.OpenPolicy3(
        system_name,
        attr,
        access_mask,
        in_version,
        in_revision_info
    )
    # except NTSTATUSError as e:
    #     if e.args[0] == NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE:
    #         # Server does not implement LsarOpenPolicy3: fall back to LsarOpenPolicy2.
    #         out_version = 1
    #         out_rev_info = lsa.revision_info1()
    #         out_rev_info.revision = 1
    #         out_rev_info.supported_features = 0

    #         policy = conn.OpenPolicy2(system_name, attr, access_mask)
    #     else:
    #         raise

    return out_version, out_rev_info, policy
Comment 4 Andreas Schneider 2024-07-12 08:57:58 UTC
It looks like OpenPolicy3() succeeds, but then QueryInfoPolicy2() fails with ACCESS_DENIED using the policy handle returned by OpenPolicy3. A network trace would show more details.

If that's the case, then it sounds like a Windows bug. MS-LSAD states:

> Note: LsarOpenPolicy3 supersedes LsarOpenPolicy2 and MUST be used whenever
> possible.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9f88a19f-3bb0-474c-8308-a9f661e6c760
Comment 5 Andreas Schneider 2024-07-12 09:30:26 UTC
On the other hand, 3.1.4.4.3 LsarQueryInformationPolicy2 (Opnum 46) has:

> PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or 
> LsarOpenPolicy2.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/516f503c-0230-489d-b012-e650b46b66a2

I will contact Microsoft for clarification.
Comment 6 Andreas Schneider 2024-07-17 12:15:20 UTC
Created attachment 18378 [details]
Network trace (rpcclient lsaquery against Windows Server 2012)
Comment 7 Andreas Schneider 2024-07-17 13:03:28 UTC
If I do a LsarOpenPolicy3 call against Windows Server 2016, I get 
DCERPC_FAULT_ACCESS_DENIED and the dcerpc connection is closed by the server.

The dcerpc fault is unexpected and the disconnect is unfortunate.
Normally you get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE and are then able to call
LsarOpenPolicy2 :-(
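Added example, not from Samba or from the draft patches attached to this bug: a fallback that handles both signals described in comment 7, the normal NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE reply and the Windows Server 2016 DCERPC access-denied fault followed by a server disconnect, by rebinding before calling LsarOpenPolicy2. The Samba bindings are replaced by constructed stand-ins (FakeLsaConnection, NTStatusError, DcerpcFault), and the zero-argument `connect` factory is an assumption about how a caller would obtain a fresh binding.

```python
from collections import namedtuple

# Constructed stand-ins for the Samba bindings (samba.dcerpc.lsa, samba.NTSTATUSError);
# the two numeric codes are the real protocol constants.
NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE = 0xC002002E  # expected reply to an unknown opnum
DCERPC_FAULT_ACCESS_DENIED = 0x00000005          # what Windows Server 2016 sends instead
RevisionInfo = namedtuple("RevisionInfo", "revision supported_features")


class NTStatusError(Exception):
    """Stand-in for samba.NTSTATUSError; args[0] is the NTSTATUS code."""


class DcerpcFault(Exception):
    """Stand-in: the DCERPC layer delivered a fault PDU; args[0] is the fault code."""


class FakeLsaConnection:
    """Constructed LSA binding; `flavour` selects which server behaviour to emulate."""

    def __init__(self, flavour):
        self.flavour, self.closed, self.calls = flavour, False, []

    def OpenPolicy3(self, system_name, attr, access_mask, in_version, in_rev):
        self.calls.append("OpenPolicy3")
        if self.flavour == "modern":            # server implements LsarOpenPolicy3
            return in_version, in_rev, "policy-handle-v3"
        if self.flavour == "old-well-behaved":  # unknown opnum reported the normal way
            raise NTStatusError(NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)
        self.closed = True                      # "win2016": fault, then server disconnects
        raise DcerpcFault(DCERPC_FAULT_ACCESS_DENIED)

    def OpenPolicy2(self, system_name, attr, access_mask):
        self.calls.append("OpenPolicy2")
        if self.closed:
            raise ConnectionError("association already torn down by the server")
        return "policy-handle-v2"


def open_policy_fallback(connect, system_name, attr, access_mask, in_version, in_rev):
    """Try LsarOpenPolicy3, falling back to LsarOpenPolicy2 on either failure signal.
    `connect` is a zero-argument factory for a fresh binding, so we can rebind after a
    disconnect. Returns the binding used plus (out_version, out_rev_info, policy)."""
    conn = connect()
    try:
        return (conn, *conn.OpenPolicy3(system_name, attr, access_mask, in_version, in_rev))
    except NTStatusError as e:
        if e.args[0] != NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE:
            raise
    except DcerpcFault as e:
        if e.args[0] != DCERPC_FAULT_ACCESS_DENIED:
            raise
        conn = connect()  # the faulted binding is dead: rebind before OpenPolicy2
    policy = conn.OpenPolicy2(system_name, attr, access_mask)
    return conn, 1, RevisionInfo(revision=1, supported_features=0), policy
```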
Comment 8 Stefan Metzmacher 2024-07-18 16:18:50 UTC
Created attachment 18379 [details]
Draft patches for a fix...

These need someone to cleanup, but the basics should work...