[cifs-protocol] Expected values for Ntversion, lmNTToken, NT20Token

Hongwei Sun hongweis at microsoft.com
Tue Jun 10 19:31:14 GMT 2008


   After investigation, we have the following responses to your questions.

  (1)  For the NtVersion field in NETLOGON_SAM_LOGON_RESPONSE_EX or NETLOGON_SAM_LOGON_RESPONSE, the returned value always has the NETLOGON_NT_VERSION_1 bit turned on, in addition to the original request.

    For example, if 04:00:00:00 (NETLOGON_NT_VERSION_5EX) is sent as the request, a NETLOGON_SAM_LOGON_RESPONSE response will be returned with NtVersion equal to 05 (NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_1).  For request 08:00:00:00 (NETLOGON_NT_VERSION_5EX_IP), the response will be 0D (NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_IP | NETLOGON_NT_VERSION_1).  We will update the documentation in a future release.

  (2)  lmNTToken and NT20Token should be 0xFFFF.  We will incorporate the changes to the documentation.

  Please don't hesitate to let us know if you have more questions.


Hongwei Sun - Support Escalation Engineer
DSC Protocol Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027

-----Original Message-----
In the documentation for the LDAP "ping", the values for certain fields are specified in the 'netlogon' blob returned.

I'm looking at the expected values for a few things...


It is stated that this value is NETLOGON_NT_VERSION_5.  On the wire, when querying with

The returned value is 0x05.  This appears to map (see my previous mail) to NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_1.

Also for

The returned value is 0x0d.  This appears to map (see my previous mail) to NETLOGON_NT_VERSION_5EX_WITH_IP|NETLOGON_NT_VERSION_5EX|

This is packed in a NETLOGON_SAM_LOGON_RESPONSE_EX by win2k3, so the documentation claims that it should be NETLOGON_NT_VERSION_5EX.

LmNTToken and NT20Token

Similarly, it is stated that the (presumably ignored) LmNTToken and Nt20Token values are 0xFF.  On the network Win2k3 sends 0xFFFF for both.

Are any of the expected values in this document backed by a testcase that shows them to be true?

It also seems that the expected values are specified in 3 different places, first under the packet layout, then under the LDAP and Mailslot descriptions.  Either way, they all seem to contain the same flawed 'plausible, but not correct' information.


Andrew Bartlett
Authentication Developer, Samba Team           <http://samba.org>
Samba Developer, Red Hat Inc.
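
The values discussed in this thread can be turned into a conformance check. The following is an added example, not code from either mail, from Microsoft or from Samba. It assumes the netlogon blob ends with NtVersion (4 bytes), LmNtToken (2 bytes) and Nt20Token (2 bytes), all little-endian; the function names and sample blobs are constructed for illustration.

```python
import struct

# Bit values as quoted in the reply above (04 = 5EX, 08 = 5EX_IP, 05 = 5EX | 1).
NETLOGON_NT_VERSION_1 = 0x01
NETLOGON_NT_VERSION_5EX = 0x04
NETLOGON_NT_VERSION_5EX_IP = 0x08
EXPECTED_TOKEN = 0xFFFF  # value Win2k3 sends for LmNtToken and Nt20Token

def parse_trailer(blob):
    """Return (NtVersion, LmNtToken, Nt20Token) from the last 8 bytes (assumed layout)."""
    if len(blob) < 8:
        raise ValueError("netlogon blob shorter than the 8-byte trailer")
    return struct.unpack("<IHH", blob[-8:])

def check_response(request_ntversion, blob):
    """List deviations from the server behaviour described in the reply."""
    nt_version, lm_token, nt20_token = parse_trailer(blob)
    problems = []
    if not nt_version & NETLOGON_NT_VERSION_1:
        problems.append("NtVersion 0x%08x lacks NETLOGON_NT_VERSION_1" % nt_version)
    missing = request_ntversion & ~nt_version
    if missing:
        problems.append("requested bits 0x%08x not present in response" % missing)
    for name, value in (("LmNtToken", lm_token), ("Nt20Token", nt20_token)):
        if value != EXPECTED_TOKEN:
            problems.append("%s is 0x%04x, expected 0xffff" % (name, value))
    return problems

def extra_bits(request_ntversion, blob):
    """Bits the server set beyond the request and NETLOGON_NT_VERSION_1."""
    nt_version = parse_trailer(blob)[0]
    return nt_version & ~(request_ntversion | NETLOGON_NT_VERSION_1)

# Constructed samples: 8 filler bytes stand in for the rest of the response.
FILLER = b"\x00" * 8
SAMPLE_5EX = FILLER + struct.pack("<IHH", 0x05, 0xFFFF, 0xFFFF)
SAMPLE_5EX_IP = FILLER + struct.pack("<IHH", 0x0D, 0xFFFF, 0xFFFF)
# What a peer would send if it followed the values the documentation stated.
SAMPLE_AS_DOCUMENTED = FILLER + struct.pack("<IHH", 0x04, 0x00FF, 0x00FF)

if __name__ == "__main__":
    for label, req, blob in (("5EX", 0x04, SAMPLE_5EX),
                             ("5EX_IP", 0x08, SAMPLE_5EX_IP),
                             ("as documented", 0x04, SAMPLE_AS_DOCUMENTED)):
        print(label, check_response(req, blob), hex(extra_bits(req, blob)))
```

The 5EX_IP sample passes the check but reports 0x04 as an extra bit, matching the 0D response in the reply, where NETLOGON_NT_VERSION_5EX is set although only NETLOGON_NT_VERSION_5EX_IP was requested.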
