[cifs-protocol] 602144 RE: CDAP netlogon and 'implementation defined' behaviour

Richard Guthrie rguthrie at microsoft.com
Tue Jul 8 20:59:54 GMT 2008


Andrew,

As per our previous conversation regarding NETLOGON_SAM_LOGON_RESPONSE_NT40, I wanted to send you a proposed update to the documentation to see if this resolves the issue.  The current MS-ADTS documentation for section 7.3.3.2 Domain Controller Response to an LDAP Ping reads as follows:

If the server is configured to respond to ping requests in the form of a NETLOGON_SAM_LOGON_RESPONSE_NT40 structure (the way in which the server is configured is outside the state model and is implementation-dependent), and v does not have the NETLOGON_NT_VERSION_AVOID_NT4EMUL bit set, the response of the dc is documented in "Response to Invalid Filter" (section 7.3.3.3).

The proposed update to this text is as follows:

If the server is configured to respond to ping requests in the form of a NETLOGON_SAM_LOGON_RESPONSE_NT40 structure (the way in which the server is configured is outside the state model and is implementation-dependent), and v does not have the NETLOGON_NT_VERSION_AVOID_NT4EMUL bit set, the server uses the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure to send the response back.

The intended change highlights that if the server is configured to respond to ping requests using the NETLOGON_SAM_LOGON_RESPONSE_NT40 structure, then that is what the client will receive.  It also intends to leave open how this is implemented so that you, the implementer, can decide how this gets enabled/disabled.  Please let us know if this resolves your issue and we will update the documentation accordingly.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Richard Guthrie
Sent: Monday, June 23, 2008 10:30 AM
To: 'Andrew Bartlett'
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: CDAP netlogon and 'implementation defined' behaviour

Andrew,

I have re-visited your request to have more use cases added to the documentation. We have decided to leave the text as is, but I wanted to resend the KB article that discusses why a Windows server might respond with NETLOGON_SAM_LOGON_RESPONSE_NT40, which is KB article http://support.microsoft.com/kb/298713.  If there are no further questions, I will consider this issue resolved.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, May 30, 2008 8:32 PM
To: Richard Guthrie
Cc: pfif at tridgell.net
Subject: RE: CDAP netlogon and 'implementation defined' behaviour

On Fri, 2008-05-30 at 17:57 -0700, Richard Guthrie wrote:
> Andrew,
>
>
>
> I have conducted research on your issue below and am providing answers
> to your question below.  I still have one item to get clarification on
> which I will send once I have that issue resolved.
>
>
>
> Item 1 – A Windows server can be configured to respond with
> a NETLOGON_SAM_LOGON_RESPONSE_NT40 if the registry key
> HKLM/System/CurrentControlSet/Services/NetLogon/Parameters/NT4Emulator
> has been set with a value of 0x1.  The
> article http://support.microsoft.com/kb/298713 discusses this setting.
> If configured all clients would receive
> this NETLOGON_SAM_LOGON_RESPONSE_NT40.  In addition the server would
> respond using NETLOGON_SAM_LOGON_RESPONSE_NT40 structure if the client
> sets the NETLOGON_NT_VERSION_1 bit in the NETLOGON_NT_VERSION field.
> Typically this would be a client that is less than version Windows
> 2000 such as NT4.0 or Windows 95/98.

Great.  Sadly I'm having trouble getting to kb articles these days, as Firefox 3 bails with:

Content Encoding Error

The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

    * Please contact the website owners to inform them of this problem.

> Item 2 – The typical scenario you would see this registry key set is
> in a domain migration scenario from NT4.0 to Windows 2000 and beyond.
>
OK, to be clear, this would be set on the Win2000 server when it is in an NT4 level domain?

It would be great if parts of the protocol that only matter in this (comparatively unusual in 2008) situation were marked as such.
>
> We are working to determine documentation requirements in the MS-ADTS
> documentation with regard to this field and settings.  I will send you
> the updated documentation if we determine a change is required.
> Finally, one issue that is under investigation from another related
> customer request is that the server is returning NETLOGON_NT_VERSION_1
> set to 1 even when the client did not set this bit on the request.  I
> will also send you an update once that issue is resolved as I believe
> it may affect your testing and implementation and don’t want it to
> affect our coming to resolution here.
>
This is in "Expected values in 'NtVersion' and other fields MS-ADTS 7.3.3.2" (which does not seem to have an issue number yet) for me.

>
> Please let me know if this answers your original question and I will
> consider these questions closed.
>
If the docs are updated to reflect this, then I will consider it closed.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
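
The response selection discussed in this thread, as an added example that is not part of the original messages or of Samba's or Microsoft's code: it reads NtVer from the string form of an LDAP ping filter and reports which structure a DC would answer with, with or without NT4 emulation. The numeric flag values, the 5/5EX branches and the sample filters are assumptions supplied here; the thread names the flags but gives no values.

```python
import re
import struct

# Flag values are supplied from MS-ADTS as an assumption; the thread only names them.
NETLOGON_NT_VERSION_1 = 0x00000001
NETLOGON_NT_VERSION_5 = 0x00000002
NETLOGON_NT_VERSION_5EX = 0x00000004
NETLOGON_NT_VERSION_5EX_WITH_IP = 0x00000008
NETLOGON_NT_VERSION_AVOID_NT4EMUL = 0x01000000

# NtVer is a 4-byte little-endian value, hex-escaped in the filter's string form.
_NTVER = re.compile(r"\(NtVer=((?:\\[0-9A-Fa-f]{2}){4})\)", re.IGNORECASE)


def parse_ntver(ldap_filter):
    """Return NtVer as an int, or None if the filter carries no 4-byte NtVer."""
    m = _NTVER.search(ldap_filter)
    if m is None:
        return None
    raw = bytes.fromhex(m.group(1).replace("\\", ""))
    return struct.unpack("<I", raw)[0]


def response_structure(nt_version, nt4_emulator):
    """Name the structure the DC answers with for this NtVersion value."""
    # Rule under discussion: NT4 emulation wins unless the client opts out.
    if nt4_emulator and not nt_version & NETLOGON_NT_VERSION_AVOID_NT4EMUL:
        return "NETLOGON_SAM_LOGON_RESPONSE_NT40"
    # Remaining branches are not spelled out in the thread (assumption).
    if nt_version & (NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP):
        return "NETLOGON_SAM_LOGON_RESPONSE_EX"
    if nt_version & NETLOGON_NT_VERSION_5:
        return "NETLOGON_SAM_LOGON_RESPONSE"
    return "NETLOGON_SAM_LOGON_RESPONSE_NT40"


def classify(ldap_filter, nt4_emulator):
    """Parse a filter and return the expected structure, or None if unparsable."""
    v = parse_ntver(ldap_filter)
    return None if v is None else response_structure(v, nt4_emulator)


# Constructed sample filters (not captured traffic).
SAMPLES = [
    r"(&(DnsDomain=example.test)(NtVer=\06\00\00\00))",  # 5 | 5EX
    r"(&(DnsDomain=example.test)(NtVer=\06\00\00\01))",  # 5 | 5EX | AVOID_NT4EMUL
    r"(&(DnsDomain=example.test)(NtVer=\01\00\00\00))",  # version 1 only
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f, classify(f, True), classify(f, False))
```
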

