[cifs-protocol] Re: Email for Case SRX081002601173
ronnie sahlberg
ronniesahlberg at gmail.com
Fri Oct 3 17:58:33 GMT 2008
Sure,
Find the capture attached.
Frame 2420
No. Time Source Destination Protocol Info
2420 182.851604 192.168.115.5 192.168.115.105 LSARPC lsa_QueryDomainInformationPolicy response
Frame 2420 (806 bytes on wire, 806 bytes captured)
Arrival Time: Sep 27, 2007 11:50:58.095991000
[Time delta from previous captured frame: 0.091102000 seconds]
[Time delta from previous displayed frame: 0.091102000 seconds]
[Time since reference or first frame: 182.851604000 seconds]
Frame Number: 2420
Frame Length: 806 bytes
Capture Length: 806 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc:gpef:x509af:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:pkcs-1:x509ce:x509af]
Ethernet II, Src: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f), Dst: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)
Destination: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)
Address: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f)
Address: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.115.5 (192.168.115.5), Dst: 192.168.115.105 (192.168.115.105)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 792
Identification: 0xe0b9 (57529)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xaf66 [correct]
[Good: True]
[Bad : False]
Source: 192.168.115.5 (192.168.115.5)
Destination: 192.168.115.105 (192.168.115.105)
Transmission Control Protocol, Src Port: 445 (445), Dst Port: 1103 (1103), Seq: 1489, Ack: 4056, Len: 752
Source port: 445 (445)
Destination port: 1103 (1103)
[Stream index: 53]
Sequence number: 1489 (relative sequence number)
[Next sequence number: 2241 (relative sequence number)]
Acknowledgement number: 4056 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 63154
Checksum: 0x73a6 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 2419]
[The RTT to ACK the segment was: 0.091102000 seconds]
[Number of bytes in flight: 752]
[Timestamps]
[Time since first frame in this TCP stream: 104.826266000 seconds]
[Time since previous frame in this TCP stream: 0.091102000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 748
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 2419]
[Time from request: 0.091102000 seconds]
SMB Command: Read AndX (0x2e)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x98
1... .... = Request/Response: Message is a response to the client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 8194 (\\WIN2003.VNET3.TRIDGELL.NET\IPC$)
[Path: \\WIN2003.VNET3.TRIDGELL.NET\IPC$]
[Mapped in: 854]
Process ID: 65279
User ID: 14336
Multiplex ID: 704
Read AndX Response (0x2e)
[FID: 0x8005 (\lsarpc)]
[Opened in: 2404]
[File Name: \lsarpc]
Create Flags: 0x00000016
.... .... .... .... .... .... ...1 .... = Extended Response: Extended responses required
.... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file
.... .... .... .... .... .... .... .1.. = Batch Oplock: Requesting BATCH OPLOCK
.... .... .... .... .... .... .... ..1. = Exclusive Oplock: Requesting OPLOCK
Access Mask: 0x0002019f
0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
.... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
.... .... ...0 .... .... .... .... .... = Synchronize: Can NOT wait on handle to synchronize on completion of I/O
.... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
.... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
.... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID
.... .... .... ...0 .... .... .... .... = Delete: NO delete access
.... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access
.... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
.... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
.... .... .... .... .... .... ..0. .... = Execute: NO execute access
.... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access
.... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access
.... .... .... .... .... .... .... .1.. = Append: APPEND access
.... .... .... .... .... .... .... ..1. = Write: WRITE access
.... .... .... .... .... .... .... ...1 = Read: READ access
File Attributes: 0x00000000
.... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is NOT a device
.... .... .... .... .... .... ..0. .... = Archive: This file has NOT been modified since last archive
.... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
Share Access: 0x00000003 SHARE_WRITE SHARE_READ
.... .... .... .... .... .... .... .0.. = Delete: Object can NOT be shared for delete
.... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE
.... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ
Create Options: 0x00000040
.... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory
.... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
.... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
.... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed
.... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
.... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous
.... .... .... .... .... .... .1.. .... = Non-Directory: File being created/opened must not be a directory
.... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set
.... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set
.... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
.... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names
.... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly
.... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
.... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set
.... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create
.... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create
.... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set
.... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open
.... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set
.... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query
[Disposition: Open (if file exists open it, else fail) (1)]
Word Count (WCT): 12
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
[File Offset: 0]
[File RW Length: 1024]
Remaining: 0
Data Compaction Mode: 0
Reserved: 0000
Data Length Low: 688
Data Offset: 60
Data Length High (multiply with 64K): 0
Reserved: 000000000000
Byte Count (BCC): 689
Padding: 00
DCE RPC Response, Fragment: Single, FragLen: 688, Call: 3 Ctx: 0, [Req: #2417]
Version: 5
Version (minor): 0
Packet type: Response (2)
Packet Flags: 0x03
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .0.. = Cancel Pending: Not set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 688
Auth Length: 0
Call ID: 3
Alloc hint: 664
Context ID: 0
Cancel count: 0
Opnum: 53
[Request in frame: 2417]
[Time from request: 0.094193000 seconds]
Local Security Authority, lsa_QueryDomainInformationPolicy
Operation: lsa_QueryDomainInformationPolicy (53)
[Request in frame: 2417]
Pointer to Info (lsa_DomainInformationPolicy)
Referent ID: 0x00020000
lsa_DomainInformationPolicy
Info
Efs Info
Blob Size: 639
Pointer to Efs Blob (uint8)
Referent ID: 0x00020004
EFS blob size: 639
GPEF
Key Count: 1
EfsKey
Length1: 631
Length2: 627
SID Offset: 28
Cert Length: 571
Cert Offset: 56
sid: S-1-5-21-53173311-3623041448-2049097239-500
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-53173311-3623041448-2049097239
RID: 500 (Administrator)
Certificate ()
signedCertificate
version: v3 (2)
serialNumber : 0xba9dd46d546a2e9c4a9f658021c734bf
signature (sha-1WithRSAEncryption)
Algorithm Id: 1.3.14.3.2.29 (sha-1WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 3 items ()
Item: 1 item ()
Item
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: administrator
Item: 1 item ()
Item
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: EFS
Item: 1 item ()
Item
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: EFS File Encryption Certificate
validity
notBefore: utcTime (0)
utcTime: 04-04-08 07:27:01 (UTC)
notAfter: utcTime (0)
utcTime: 07-04-08 07:27:01 (UTC)
subject: rdnSequence (0)
rdnSequence: 3 items ()
Item: 1 item ()
Item
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: administrator
Item: 1 item ()
Item
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: EFS
Item: 1 item ()
Item
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: EFS File Encryption Certificate
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey:
30818902818100BED9195BC7D21DCD13CEECEE24697B6A09...
extensions: 1 item
Item (id-ce-extKeyUsage)
Extension Id: 2.5.29.37
(id-ce-extKeyUsage)
KeyPurposeIDs: 1 item
Item: 1.3.6.1.4.1.311.10.3.4.1 (id-ms-efs-recovery)
algorithmIdentifier (sha-1WithRSAEncryption)
Algorithm Id: 1.3.14.3.2.29 (sha-1WithRSAEncryption)
Padding: 0
encrypted:
A7E6C169E205D3EEF730D9AE1A86379A8AF9BD9CD4FE70C1...
NT Error: STATUS_SUCCESS (0x00000000)
0000 00 0c 29 2a 62 61 00 0c 29 44 4a 1f 08 00 45 00 ..)*ba..)DJ...E.
0010 03 18 e0 b9 40 00 80 06 af 66 c0 a8 73 05 c0 a8 ....@....f..s...
0020 73 69 01 bd 04 4f cf b4 72 73 37 8f 5e 36 50 18 si...O..rs7.^6P.
0030 f6 b2 73 a6 00 00 00 00 02 ec ff 53 4d 42 2e 00 ..s........SMB..
0040 00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 02 20 ff fe 00 38 c0 02 0c ff 00 00 00 00 ... ...8........
0060 00 00 00 00 00 b0 02 3c 00 00 00 00 00 00 00 00 .......<........
0070 00 00 00 b1 02 00 05 00 02 03 10 00 00 00 b0 02 ................
0080 00 00 03 00 00 00 98 02 00 00 00 00 00 00 00 00 ................
0090 02 00 02 00 00 00 7f 02 00 00 04 00 02 00 7f 02 ................
00a0 00 00 01 00 01 00 01 00 00 00 77 02 00 00 73 02 ..........w...s.
00b0 00 00 1c 00 00 00 02 00 00 00 3b 02 00 00 38 00 ..........;...8.
00c0 00 00 20 00 00 00 01 00 00 00 01 05 00 00 00 00 .. .............
00d0 00 05 15 00 00 00 3f 5c 2b 03 a8 39 f3 d7 17 be ......?\+..9....
00e0 22 7a f4 01 00 00 30 82 02 37 30 82 01 a4 a0 03 "z....0..70.....
00f0 02 01 02 02 10 ba 9d d4 6d 54 6a 2e 9c 4a 9f 65 ........mTj..J.e
0100 80 21 c7 34 bf 30 09 06 05 2b 0e 03 02 1d 05 00 .!.4.0...+......
0110 30 50 31 16 30 14 06 03 55 04 03 13 0d 61 64 6d 0P1.0...U....adm
0120 69 6e 69 73 74 72 61 74 6f 72 31 0c 30 0a 06 03 inistrator1.0...
0130 55 04 07 13 03 45 46 53 31 28 30 26 06 03 55 04 U....EFS1(0&..U.
0140 0b 13 1f 45 46 53 20 46 69 6c 65 20 45 6e 63 72 ...EFS File Encr
0150 79 70 74 69 6f 6e 20 43 65 72 74 69 66 69 63 61 yption Certifica
0160 74 65 30 1e 17 0d 30 34 30 34 30 38 30 37 32 37 te0...0404080727
0170 30 31 5a 17 0d 30 37 30 34 30 38 30 37 32 37 30 01Z..07040807270
0180 31 5a 30 50 31 16 30 14 06 03 55 04 03 13 0d 61 1Z0P1.0...U....a
0190 64 6d 69 6e 69 73 74 72 61 74 6f 72 31 0c 30 0a dministrator1.0.
01a0 06 03 55 04 07 13 03 45 46 53 31 28 30 26 06 03 ..U....EFS1(0&..
01b0 55 04 0b 13 1f 45 46 53 20 46 69 6c 65 20 45 6e U....EFS File En
01c0 63 72 79 70 74 69 6f 6e 20 43 65 72 74 69 66 69 cryption Certifi
01d0 63 61 74 65 30 81 9f 30 0d 06 09 2a 86 48 86 f7 cate0..0...*.H..
01e0 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 ..........0.....
01f0 00 be d9 19 5b c7 d2 1d cd 13 ce ec ee 24 69 7b ....[........$i{
0200 6a 09 c8 64 06 cd 90 0f a2 8f 8f 09 44 c5 0c e7 j..d........D...
0210 dd df 7d 25 96 85 41 05 19 14 35 0c ec 73 11 5a ..}%..A...5..s.Z
0220 3e e9 8c 7b d1 fa 7d dc 81 79 39 41 d7 be 0a aa >..{..}..y9A....
0230 d7 74 5b 5f 9b a1 13 76 af a6 9f 93 6b df c3 1b .t[_...v....k...
0240 ee fe 3b c8 93 33 6f 30 5b cf 67 e6 b1 d8 41 de ..;..3o0[.g...A.
0250 3e 4f 7b 4e fc 0a 9c e1 a5 b2 fc b1 db 0b 67 13 >O{N..........g.
0260 0f 5d 6d b0 0c 6d 68 29 23 70 cc 45 df 13 2d c3 .]m..mh)#p.E..-.
0270 8d 02 03 01 00 01 a3 1a 30 18 30 16 06 03 55 1d ........0.0...U.
0280 25 04 0f 30 0d 06 0b 2b 06 01 04 01 82 37 0a 03 %..0...+.....7..
0290 04 01 30 09 06 05 2b 0e 03 02 1d 05 00 03 81 81 ..0...+.........
02a0 00 a7 e6 c1 69 e2 05 d3 ee f7 30 d9 ae 1a 86 37 ....i.....0....7
02b0 9a 8a f9 bd 9c d4 fe 70 c1 fe 06 65 b9 9a 3d a7 .......p...e..=.
02c0 b8 a6 cf 58 60 fc f5 34 8e 59 70 e4 aa 7e 4e 63 ...X`..4.Yp..~Nc
02d0 6c 22 77 a6 df 89 bc 98 7c a2 7b 0d 14 7c 95 77 l"w.....|.{..|.w
02e0 fb 1a e8 71 6b a9 f2 93 fc e1 8f ed 7d 40 c2 cf ...qk.......}@..
02f0 b4 9a 32 ea 14 cd e1 43 f1 21 3d 4b 0c 97 47 e3 ..2....C.!=K..G.
0300 8e 1c 85 8d f5 82 ee 1c 86 bb 55 07 85 51 42 f6 ..........U..QB.
0310 a6 e6 45 54 c5 4a e7 82 cd b5 6a 4a cf c3 65 f5 ..ET.J....jJ..e.
0320 4d 83 00 00 00 00 M.....
On Sat, Oct 4, 2008 at 3:29 AM, Edgar Olougouna <edgaro at microsoft.com> wrote:
> ******* The following is an email for a support case from Microsoft Corp.
> ******* DO NOT REPLY TO THIS MESSAGE--your email will not be added to
> ******* the case if you do. Instead, FORWARD your response to the
> ******* email address COMPMAIL at MICROSOFT.COM and place your text after
> ******* the keyword 'MESSAGE:'. Also, delete all other text above
> ******* and below the keywords 'CASE_ID_NUM: SRnnn' and 'MESSAGE:'
> ******* to ensure proper delivery of your email. Thank you.
>
> CASE_ID_NUM: SRX081002601173
> MESSAGE:
> ********************** The message for you follows ************************
> Hi Ronnie,
>
> I will be working with you to solve this case.
>
> In the [MS-GPEF] 2.2.1.2.2 EfsKey packet, you mentioned you are seeing a 4 byte integer with the value 0x00000001 between the Reserved2 field and the first byte of the SID.
> Could you send us the trace?
>
> Best regards,
>
> Edgar A. Olougouna
> Sr. SEE, Microsoft DSC Protocol Team | Email: edgaro at microsoft.com | Tel: +1.469.775.7189 x 57189
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EFSBLOB3.cap
Type: application/x-extension-cap
Size: 1742263 bytes
Desc: not available
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20081004/fc85b93c/EFSBLOB3-0001.bin
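Added here as a worked example (not code from this thread, from Samba or from Wireshark): a small Python parser for the EfsKey layout seen in frame 2420, built from the blob bytes in the hex dump above. It assumes, from those bytes alone, that SID Offset and Cert Offset count from the Length2 field; the 0x00000001 the reply asks about sits where an offset counted from Length1 would land and is reported separately.

```python
import struct

# Constructed excerpt of the EFS blob in frame 2420 (wire bytes from offset 0xa2 on).
# The DER certificate is cut after its first 8 bytes; only its SEQUENCE header is needed here.
EFS_BLOB_EXCERPT = bytes.fromhex(
    "01000100" "01000000"                        # blob header, KeyCount = 1
    "77020000" "73020000"                        # Length1 = 631, Length2 = 627
    "1c000000" "02000000"                        # SID Offset = 28, Reserved1
    "3b020000" "38000000"                        # Cert Length = 571, Cert Offset = 56
    "20000000"                                   # Reserved2
    "01000000"                                   # the extra 0x00000001 the thread asks about
    "0105000000000005" "15000000"                # SID: rev 1, 5 sub-auths, authority 5, then 21
    "3f5c2b03" "a839f3d7" "17be227a" "f4010000"  # remaining sub-authorities, RID 500
    "30820237" "308201a4"                        # certificate SEQUENCE, length 0x237 (truncated)
)

def parse_sid(buf, off):
    """Decode a Windows SID at buf[off]; return (text, byte size)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * sub_count

def der_total_length(buf, off):
    """Size of the DER element at buf[off], tag and length bytes included."""
    first = buf[off + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def parse_efskey(blob, off):
    """Parse one EfsKey at blob[off] and verify the length/offset relations."""
    (length1, length2, sid_offset, reserved1,
     cert_length, cert_offset, reserved2) = struct.unpack_from("<7I", blob, off)
    base = off + 4  # assumption from the bytes: offsets count from the Length2 field
    sid, sid_size = parse_sid(blob, base + sid_offset)
    naive_sid, _ = parse_sid(blob, off + sid_offset)  # what an offset from Length1 would yield
    cert = base + cert_offset
    checks = {
        "length1_is_whole_key": length1 == length2 + 4,
        "length2_ends_at_cert_end": length2 == cert_offset + cert_length,
        "sid_ends_where_cert_starts": base + sid_offset + sid_size == cert,
        "der_length_matches": blob[cert] == 0x30 and der_total_length(blob, cert) == cert_length,
    }
    return {"length1": length1, "length2": length2, "reserved1": reserved1,
            "reserved2": reserved2, "extra_dword": struct.unpack_from("<I", blob, off + 28)[0],
            "sid": sid, "sid_if_counted_from_length1": naive_sid, "checks": checks}

def parse_efs_blob(blob):
    """Return (KeyCount, [parsed keys]); keys follow the 8-byte blob header."""
    key_count = struct.unpack_from("<I", blob, 4)[0]
    keys, off = [], 8
    for _ in range(key_count):
        keys.append(parse_efskey(blob, off))
        off += keys[-1]["length1"]  # Length1 spans the whole key, its own field included
    return key_count, keys
```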