15792 – since 4.13 rpcd_spools getting lots of "dcesrv_handle_lookup: Attempt to use invalid " generated by windows

Bug 15792 - since 4.13 rpcd_spools getting lots of "dcesrv_handle_lookup: Attempt to use invalid " generated by windows

Summary: since 4.13 rpcd_spools getting lots of "dcesrv_handle_lookup: Attempt to use ...

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DCE-RPCs and pipes (show other bugs)
Version:	4.21.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Noel Power
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2025-01-29 16:02 UTC by Noel Power
Modified:	2026-01-26 14:50 UTC (History)
CC List:	2 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/3941 https://gitlab.com/samba-team/samba/-/merge_requests/3980

Attachments
new smbtorture test rpc.spoolss.printerhandles run against win2k12r2 server (13.39 KB, application/x-pcapng) 2025-01-29 16:04 UTC, Noel Power	no flags	Details
new smbtorture test rpc.spoolss.printerhandles run against win2k16 server (11.89 KB, application/x-pcapng) 2025-01-29 16:05 UTC, Noel Power	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Noel Power 2025-01-29 16:02:51 UTC

Comment 1 Noel Power 2025-01-29 16:04:21 UTC

Created attachment 18543 [details]
new smbtorture test rpc.spoolss.printerhandles run against win2k12r2 server

Comment 2 Noel Power 2025-01-29 16:05:00 UTC

Created attachment 18544 [details]
new smbtorture test rpc.spoolss.printerhandles run against win2k16 server

Comment 3 Noel Power 2025-01-29 16:37:05 UTC

We have a customer reporting they are getting alot of

"dcesrv_handle_lookup: Attempt to use invalid sid S-1-2-3-blah-blah-foo - S-1-2-3-blah-blah-blah-bar"

error. Logging through the logs it seems that this scenario occurs when userA opens a printer_handle and userB closes it. Interestingly 'userB' in this case is actually the machine account (of the machine userA is logged into)

I am going to add a patch set here which includes a new smbtorture test (rpc.spoolss.printhandles)

This test opens a printer to get a printer_handle (with connection using the credentials passed to smbtorture) and opens a second connection which either uses anomymous credentials or credentials generated from env variables DOMAIN_USER & DOMAIN_USER_PASSWORD)

I also attaching wiretraces of the same smbtorture test running against win2k12r2 and win2k16

the commands to generate the traces are as follows

(win2k12r2)

DOMAIN_USER=npower DOMAIN_USER_PASSWORD=1234567890 TEST_PRINTER="\\\\192.168.122.15\\\\\\tw2024\\testy" ./bin/smbtorture -d0 -USAMBAUNIVERSE\\Administrator%1234567890 //192.168.122.15/Testshare rpc.spoolss.printerhandles
smbtorture 4.22.0pre1-DEVELOPERBUILD
Using seed 1738159038
time: 2025-01-29 13:57:18.708959
progress: 1
test: printerpolicyhandle.opencloseprinter
time: 2025-01-29 13:57:18.732446
Testing close on secondary pipe with second user
time: 2025-01-29 13:57:18.739391
success: printerpolicyhandle.opencloseprinter

(win2k16)

DOMAIN_USER=npower DOMAIN_USER_PASSWORD=1234567890 TEST_PRINTER="\\\\WINDOZE4ME.SAMBADOMAIN.GORDY\\\\\\npsle15sp6\\testy" ./bin/smbtorture -UAdministrator%1234567890 //windoze4me.sambadomain.gordy/C$ rpc.spoolss.printerhandles


This is a regression as prior to move of the s4 handle implementation to s3 the handle checking was much less strict (and didn't check the sid)

I'm guessing removing the sid check could possibly introduce some security problems so this is an attempt to introduce the ability to create handles that don't require the sid check and will allow such handles to be exchanged with other users.

Comment 4 Noel Power 2025-04-24 10:04:18 UTC

fwiw

customer tested patch from https://gitlab.com/samba-team/samba/-/merge_requests/3980 (the less risky version) and it solves their problem

Comment 5 Franz Pförtsch 2026-01-26 14:50:08 UTC

I think we are the customer ...

this is the changelog of our samba.

user@server:~> rpm -q samba --changelog       | head -50
* Tue Jan 13 2026 jjindrak@suse.com
- Fix for SG#71347, bsc#1254586:
  * 881134-sle15sp6-bnc1234210.patch:
    [PATCH 01/16] selftest: Add a new test to open/close printer
    handle  (different users)
    [PATCH 02/16] s3/rpc_server/spoolss: Capture printer_handle
    creator
    [PATCH 03/16] librpc/rpc: create less restrictive policy handle
    [PATCH 04/16] s4/rpc_server: spoolss: create printer handles that
    are  less restricive
    [PATCH 05/16] s3/rpc_server/spools: Fix ClosePrinter and remove
    knownfail
    [PATCH 06/16] selftest: Add some more ClosePrinter combos to
    opencloseprinter test
    [PATCH 07/16] selftest: Override fault_code for invalid printer
    handles
    [PATCH 08/16] s4-torture: add torture_assert_werr_equal_goto and
    torture_assert_werr_ok_goto macros
    [PATCH 09/16] selftest: Test printer job cntrl from userB with
    userA's printer handle
    [PATCH 10/16] s3/rpc_server/spoolss: Capture printer/server
    access_mask flags
    [PATCH 11/16] selftest: Add test with second user calling
    DeletePrinter
    [PATCH 12/16] selftest: tests for DeletePrinter using handle
    obtained  by other user
    [PATCH 13/16] selftest: Add a test second user test for
    SetPrinter  with security descriptor
    [PATCH 14/16] selftest: Extend second user printer_handle tests
    [PATCH 15/16] selftest: Add some printserver tests (with userB
    using  userA's handle)
    [PATCH 16/16] SUSE: Update changelog for bnc#1234210
  * load-shares-for-printers.patch:
    [PATCH] s3:printing: Load the shares for [printers] in samba-bgqd

* Tue Jan 13 2026 jjindrak@suse.com
- LEVEL 3 SUPPORT STARTS HERE
- All changes above this marker are made by SUSE L3 Team.

* Wed Nov 19 2025 nopower@suse.com