Project

General

Profile

Bug #1720

join domain fails with INVALID_PARAMETER

Added by Gordon Ross almost 8 years ago. Updated almost 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Start date:
2011-11-03
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

While testing at the SNIA SDC, we observed that an attempt to join the plug-fest provided Windows domain fails in the SMB session setup request with an error return 0xC000000D (STATUS_INVALID_PARAMETER). That domain was reportedly a 2003r2 server with Domain Functional Level (DFL) set to Windows 2003 (but we're not sure now). We had the local lmauth_level=4 (the default).

I was able to develop and test a fix on site (SDC is great for that:)


Files

illumos-1720.patch (2.41 KB) illumos-1720.patch Gordon Ross, 2011-11-03 02:19 AM

History

#1

Updated by Gordon Ross almost 8 years ago

Unfortunately, when we tried to reproduce this "back home", we could not.
So for now, I'm attaching the patch we tested at the SDC. I hope someone
will figure out how to verify the fix. At this point, the best theory is that there was an LSA Policy adjustment changed from its default that caused our previous code to get this error. One can spend much time twiddling the policy knobs trying to reproduce this.

#2

Updated by Gordon Ross almost 8 years ago

After further investigation here:
http://msdn.microsoft.com/en-us/library/cc236650%28v=PROT.13%29.aspx
and observation of network traffic from Windows clients, it is fairly clear that we are supposed to set the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY bit when we send an NTLMv2 hash, and set NTLMSSP_NEGOTIATE_LM_KEY when we send an (old style) LM hash.

We should lean toward "secure by default" here, and default to using the stronger NTLMv2 hash. (Most other systems do today.)

The fix is to correct the NTLMSSP negotiation bits based on which hash we're using, and setup defaults to use the NTLMv2 hash.

#3

Updated by Gordon Ross almost 8 years ago

  • Status changed from New to Resolved
changeset:   13522:03c15f1e19ad
tag:         tipchangeset:   13522:03c15f1e19ad
tag:         tip
user:        Gordon Ross <gwr@nexenta.com>
date:        Tue Nov 15 12:50:57 2011 -0500
description:
    1720 join domain fails with INVALID_PARAMETER
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Reviewed by: Albert Lee <trisk@nexenta.com>
    Approved by: Garrett D'Amore <garrett@nexenta.com>

Also available in: Atom PDF