Bug 15792 - since 4.13 rpcd_spools getting lots of "dcesrv_handle_lookup: Attempt to use invalid " generated by windows
Summary: since 4.13 rpcd_spools getting lots of "dcesrv_handle_lookup: Attempt to use ...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.21.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Noel Power
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-29 16:02 UTC by Noel Power
Modified: 2025-01-30 13:52 UTC

See Also:


Attachments
new smbtorture test rpc.spoolss.printerhandles run against win2k12r2 server (13.39 KB, application/x-pcapng), 2025-01-29 16:04 UTC, Noel Power
new smbtorture test rpc.spoolss.printerhandles run against win2k16 server (11.89 KB, application/x-pcapng), 2025-01-29 16:05 UTC, Noel Power

Description Noel Power 2025-01-29 16:02:51 UTC
Comment 1 Noel Power 2025-01-29 16:04:21 UTC
Created attachment 18543
new smbtorture test rpc.spoolss.printerhandles run against win2k12r2 server
Comment 2 Noel Power 2025-01-29 16:05:00 UTC
Created attachment 18544
new smbtorture test rpc.spoolss.printerhandles run against win2k16 server
Comment 3 Noel Power 2025-01-29 16:37:05 UTC
We have a customer reporting they are getting a lot of

"dcesrv_handle_lookup: Attempt to use invalid sid S-1-2-3-blah-blah-foo - S-1-2-3-blah-blah-blah-bar"

error. Looking through the logs, it seems that this scenario occurs when userA opens a printer_handle and userB closes it. Interestingly, 'userB' in this case is actually the machine account (of the machine userA is logged into).

I am going to add a patch set here which includes a new smbtorture test (rpc.spoolss.printerhandles).

This test opens a printer to get a printer_handle (with a connection using the credentials passed to smbtorture) and opens a second connection which either uses anonymous credentials or credentials generated from the env variables DOMAIN_USER & DOMAIN_USER_PASSWORD.

I am also attaching wire traces of the same smbtorture test running against win2k12r2 and win2k16.

The commands to generate the traces are as follows:

(win2k12r2)

DOMAIN_USER=npower DOMAIN_USER_PASSWORD=1234567890 TEST_PRINTER="\\\\192.168.122.15\\\\\\tw2024\\testy" ./bin/smbtorture -d0 -USAMBAUNIVERSE\\Administrator%1234567890 //192.168.122.15/Testshare rpc.spoolss.printerhandles
smbtorture 4.22.0pre1-DEVELOPERBUILD
Using seed 1738159038
time: 2025-01-29 13:57:18.708959
progress: 1
test: printerpolicyhandle.opencloseprinter
time: 2025-01-29 13:57:18.732446
Testing close on secondary pipe with second user
time: 2025-01-29 13:57:18.739391
success: printerpolicyhandle.opencloseprinter

(win2k16)

DOMAIN_USER=npower DOMAIN_USER_PASSWORD=1234567890 TEST_PRINTER="\\\\WINDOZE4ME.SAMBADOMAIN.GORDY\\\\\\npsle15sp6\\testy" ./bin/smbtorture -UAdministrator%1234567890 //windoze4me.sambadomain.gordy/C$ rpc.spoolss.printerhandles


This is a regression: prior to the move of the s4 handle implementation to s3, the handle checking was much less strict (and didn't check the sid).

I'm guessing removing the sid check could possibly introduce some security problems, so this is an attempt to introduce the ability to create handles that don't require the sid check and will allow such handles to be exchanged with other users.
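A small C model of the handle-ownership policy discussed in this comment, added here as an illustration; it is not Samba code, and the struct, function names and the two SIDs are constructed for the example. It keeps the strict owner-SID check as the default and exempts only handles explicitly created as shareable, so userA's handle is refused to the machine account unless it was created that way.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_HANDLES 8

/* Constructed model of a policy-handle table (hypothetical names, not Samba's). */
struct model_handle {
    bool in_use;
    bool shareable;     /* created without the owner-SID requirement */
    char owner_sid[64]; /* SID of the session that created the handle */
};
static struct model_handle table[MAX_HANDLES];

/* Create a handle owned by owner_sid; returns its index, or -1 when the table is full. */
int model_handle_create(const char *owner_sid, bool shareable)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!table[i].in_use) {
            table[i].in_use = true;
            table[i].shareable = shareable;
            snprintf(table[i].owner_sid, sizeof(table[i].owner_sid), "%s", owner_sid);
            return i;
        }
    }
    return -1;
}

/* Look up a handle on behalf of caller_sid. The strict rule from the bug report:
 * a caller whose SID differs from the creator's is refused (and logged), unless
 * the handle was explicitly created as shareable. */
struct model_handle *model_handle_lookup(int idx, const char *caller_sid)
{
    if (idx < 0 || idx >= MAX_HANDLES || !table[idx].in_use) return NULL;
    if (!table[idx].shareable && strcmp(table[idx].owner_sid, caller_sid) != 0) {
        fprintf(stderr, "model_handle_lookup: Attempt to use invalid sid %s - %s\n",
                table[idx].owner_sid, caller_sid);
        return NULL;
    }
    return &table[idx];
}

/* Close releases the slot; returns false when the lookup was refused. */
bool model_handle_close(int idx, const char *caller_sid)
{
    struct model_handle *h = model_handle_lookup(idx, caller_sid);
    if (h == NULL) return false;
    memset(h, 0, sizeof(*h));
    return true;
}
```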