Hi Andrew. I know you're out of the office hiking around. We hope you had a wonderful time (assuming you're reading this in a few weeks).
We worked out what is causing this. We are sending a [MS-SRVS] NetShareGetInfo packet for Level 502 information. In the response, we're receiving a SECURITY_DESCRIPTOR that has a NULL Owner SID (OffsetOwner). We can argue if that's permissible or not. In [MS-DTYP] 2.4.6 SECURITY_DESCRIPTOR it discusses: "OffsetOwner (4 bytes): An unsigned 32-bit integer that specifies the offset to the SID. This SID specifies the owner of the object to which the security descriptor is associated. This must be a valid offset if the OD flag is not set. If this field is set to zero, the OwnerSid field MUST not be present." Thus, if the OD flag (Owner Defaulted: "Set when the owner was established by default means") is cleared (not set) then the Owner SID must be valid, and NULL is not valid. That notwithstanding, as for this user interface, it doesn't recognize a NULL Owner SID event even if the OD flag is set. We are pursuing a fix for this in Windows 8.1/2012R2 and for Windows 10 (in the user-mode code that is behind this user request). But, I'm holding off on requesting a fix for Windows 8/2012 unless we have a strong business justification to do so. This can also be mitigated in Samba code by supplying the Owner SID in level 502 queries. Bryan -----Original Message----- From: Bryan Burgin Sent: Wednesday, March 11, 2015 1:04 PM To: Andrew Bartlett Cc: [email protected]; MSSolve Case Email; Tarun Chopra Subject: RE: [REG:115030312463820] Windows behavior re '0x80070057 the parameter is incorrect' Just touching base. The platforms group is actively working on this. I’m monitoring their work, but there are no action items for either of us right now. I will be traveling throughout China the next few weeks for Microsoft. I will be monitoring this issue in my journeys and will update you if I hear anything. Thank you for your patience. Bryan -----Original Message----- From: Bryan Burgin Sent: Tuesday, March 3, 2015 2:28 PM To: Andrew Bartlett Cc: [email protected]; MSSolve Case Email; Tarun Chopra Subject: RE: [REG:115030312463820] Windows behavior re '0x80070057 the parameter is incorrect' Andrew: Today I filed a bug against Windows 8.0/2012 for a QFE (hotfix) for this issue. We have a similar report and a duplicate hotfix request for Windows 8.1/Server 2012 R2. I also have another customer reporting this and requesting a fix for 8.0/2012. For your note, as it relates to the AD/KILE side of the question being handled by Obaid, our previous reproductions of this issue were with non-domain-joined "workgroup" machines. However, I passed your additional information onto the WinSE engineer working on the fix; it may be useful to him as it provides more insight. I'll update with status regarding the progress of the fix. Assume it's on autopilot for now. Bryan -----Original Message----- From: Bryan Burgin Sent: Monday, March 2, 2015 10:20 PM To: Andrew Bartlett Cc: [email protected]; MSSolve Case Email Subject: [REG:115030312463820] Windows behavior re '0x80070057 the parameter is incorrect' [dochelp on bcc] [+casemail] Starting new thread for SR 115030312463820: Windows behavior re '0x80070057 the parameter is incorrect'. I'll own this issue for you. Bryan -----Original Message----- From: Bryan Burgin Sent: Monday, March 2, 2015 10:15 PM To: 'Andrew Bartlett' Cc: [email protected] Subject: RE: View effective Access - Parameter is incorrect [Dochelp to bcc] Hi Andrew, Thank you for raising this issue. We're creating two cases to track this: one to chase down the error (which I'll own, potentially a QFE hotfix request) and the second as a [MS-KILE] doc issue (someone from the team will pick up). Please note that as for the error message itself, we are investigating this and published KB 3041857 to acknowledge it: https://support.microsoft.com/kb/3041857. SR 115030312463820: Windows behavior re '0x80070057 the parameter is incorrect'. SR 115030312463847: [MS-KILE] "View effective Access - Parameter is incorrect" -- Issue re TGS-REQ (S4U2Self) Don't reply to this mail; I'll start a separate thread for each to keep the discussions separate. [Note: in your mail below, I appended your add-on observation re Windows 8.1 to Windows 2012R2 "in-line"] Bryan -----Original Message----- From: Andrew Bartlett [mailto:[email protected]] Sent: Monday, March 2, 2015 6:12 PM To: Interoperability Documentation Help Cc: [email protected] Subject: View effective Access - Parameter is incorrect Using a Windows 8, and a Windows 8.1 Pro machine, joined to a Samba domain. I open up \\$SERVER\sysvol and right-click on one of the files. I then select properties, security, advanced, effective access. I select one of the other users in my domain (I logged in as administrator), and then 'view effective access'. The error I get is '0x80070057 the parameter is incorrect'. I can't see anything odd, except that in frame 91-93 the client asks for a TGS-REQ (S4U2Self) for a server of Administrator@REALM as an enterprise principal, perhaps being denied because Administrator is not a server account. Samba master gives 'KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (see trace) Samba 4.2 give 'KRB5KDC_ERR_POLICY' (not attached) Is this the issue, if so, cue my discussion about MS-KILE clarifications :-) Oddly, when looking at a comparitive trace of Windows 8.1 to Windows 2012R2, I can't even see a S4U2Self request. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
