[cifs-protocol] Question on Case SRX081002601173 [MS-GPEF]

Edgar Olougouna edgaro at microsoft.com
Tue Oct 7 22:23:02 GMT 2008


Hi Ronnie,



Looking at the trace I have a clarification question of this portion of the case.



Section 2.2.1.2.2

-------------------------

In one trace I have of this blob there is a 4 byte integer with the value 0x00000001  between the Reserved2 field and the first byte of the SID.

Is this a field that is missing in the documentation?



Clarification question:



I am trying to identify the 0x00000001 you referred to. According to the raw packet, did you mean that SID is starting from Byte 04 or Byte 08 on line 00c0?

The SID offset is 28 (0x1c), I would expect the SID starting from byte 09. Also the Reserved2 is defined as an 8 bytes field.



Byte  0  1  2  3  4  5  6   7  8  9 . . .



00a0  00 00 01 00 01 00 01 00 00 00 77 02 00 00 73 02   ..........w...s.

00b0  00 00 1c 00 00 00 02 00 00 00 3b 02 00 00 38 00   ..........;...8.

00c0  00 00 20 00 00 00 01 00 00 00 01 05 00 00 00 00   .. .............

00d0  00 05 15 00 00 00 3f 5c 2b 03 a8 39 f3 d7 17 be   ......?\+..9....





                            Length1: 631

                            Length2: 627

                            SID Offset: 28

                            Cert Length: 571

                            Cert Offset: 56

                            sid: S-1-5-21-53173311-3623041448-2049097239-500

                                Revision: 1

                                Num Auth: 5

                                Authority: 5

                                Sub-authorities:



Best regards,



Edgar A. Olougouna

Sr. SEE, Microsoft DSC Protocol Team | Email: edgaro at microsoft.com | Tel: +1.469.775.7189 x 57189





-----Original Message-----
From: ronnie sahlberg [mailto:ronniesahlberg at gmail.com]
Sent: Friday, October 03, 2008 12:59 PM
To: Edgar Olougouna
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: Email for Case SRX081002601173



Sure,





Find the capture attached.

Frame 2420







No.     Time        Source                Destination           Protocol Info

   2420 182.851604  192.168.115.5         192.168.115.105       LSARPC

  lsa_QueryDomainInformationPolicy response



Frame 2420 (806 bytes on wire, 806 bytes captured)

    Arrival Time: Sep 27, 2007 11:50:58.095991000

    [Time delta from previous captured frame: 0.091102000 seconds]

    [Time delta from previous displayed frame: 0.091102000 seconds]

    [Time since reference or first frame: 182.851604000 seconds]

    Frame Number: 2420

    Frame Length: 806 bytes

    Capture Length: 806 bytes

    [Frame is marked: False]

    [Protocols in frame:

eth:ip:tcp:nbss:smb:dcerpc:gpef:x509af:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:pkcs-1:x509ce:x509af]

Ethernet II, Src: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f), Dst:

00:0c:29:2a:62:61 (00:0c:29:2a:62:61)

    Destination: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)

        Address: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Source: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f)

        Address: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Type: IP (0x0800)

Internet Protocol, Src: 192.168.115.5 (192.168.115.5), Dst:

192.168.115.105 (192.168.115.105)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 792

    Identification: 0xe0b9 (57529)

    Flags: 0x04 (Don't Fragment)

        0... = Reserved bit: Not set

        .1.. = Don't fragment: Set

        ..0. = More fragments: Not set

    Fragment offset: 0

    Time to live: 128

    Protocol: TCP (0x06)

    Header checksum: 0xaf66 [correct]

        [Good: True]

        [Bad : False]

    Source: 192.168.115.5 (192.168.115.5)

    Destination: 192.168.115.105 (192.168.115.105) Transmission Control Protocol, Src Port: 445 (445), Dst Port: 1103 (1103), Seq: 1489, Ack: 4056, Len: 752

    Source port: 445 (445)

    Destination port: 1103 (1103)

    [Stream index: 53]

    Sequence number: 1489    (relative sequence number)

    [Next sequence number: 2241    (relative sequence number)]

    Acknowledgement number: 4056    (relative ack number)

    Header length: 20 bytes

    Flags: 0x18 (PSH, ACK)

        0... .... = Congestion Window Reduced (CWR): Not set

        .0.. .... = ECN-Echo: Not set

        ..0. .... = Urgent: Not set

        ...1 .... = Acknowledgement: Set

        .... 1... = Push: Set

        .... .0.. = Reset: Not set

        .... ..0. = Syn: Not set

        .... ...0 = Fin: Not set

    Window size: 63154

    Checksum: 0x73a6 [validation disabled]

        [Good Checksum: False]

        [Bad Checksum: False]

    [SEQ/ACK analysis]

        [This is an ACK to the segment in frame: 2419]

        [The RTT to ACK the segment was: 0.091102000 seconds]

        [Number of bytes in flight: 752]

    [Timestamps]

        [Time since first frame in this TCP stream: 104.826266000 seconds]

        [Time since previous frame in this TCP stream: 0.091102000 seconds] NetBIOS Session Service

    Message Type: Session message

    Length: 748

SMB (Server Message Block Protocol)

    SMB Header

        Server Component: SMB

        [Response to: 2419]

        [Time from request: 0.091102000 seconds]

        SMB Command: Read AndX (0x2e)

        NT Status: STATUS_SUCCESS (0x00000000)

        Flags: 0x98

            1... .... = Request/Response: Message is a response to the client/redirector

            .0.. .... = Notify: Notify client only on open

            ..0. .... = Oplocks: OpLock not requested/granted

            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized

            .... 1... = Case Sensitivity: Path names are caseless

            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted

            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported

        Flags2: 0xc807

            1... .... .... .... = Unicode Strings: Strings are Unicode

            .1.. .... .... .... = Error Code Type: Error codes are NT error codes

            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only

            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs

            .... 1... .... .... = Extended Security Negotiation:

Extended security negotiation is supported

            .... .... .0.. .... = Long Names Used: Path names in request are not long file names

            .... .... .... .1.. = Security Signatures: Security signatures are supported

            .... .... .... ..1. = Extended Attributes: Extended attributes are supported

            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response

        Process ID High: 0

        Signature: 0000000000000000

        Reserved: 0000

        Tree ID: 8194  (\\WIN2003.VNET3.TRIDGELL.NET\IPC$)

            [Path: \\WIN2003.VNET3.TRIDGELL.NET\IPC$]

            [Mapped in: 854]

        Process ID: 65279

        User ID: 14336

        Multiplex ID: 704

    Read AndX Response (0x2e)

        [FID: 0x8005 (\lsarpc)]

            [Opened in: 2404]

            [File Name: \lsarpc]

            Create Flags: 0x00000016

                .... .... .... .... .... .... ...1 .... = Extended

Response: Extended responses required

                .... .... .... .... .... .... .... 0... = Create

Directory: Target of open can be a file

                .... .... .... .... .... .... .... .1.. = Batch

Oplock: Requesting BATCH OPLOCK

                .... .... .... .... .... .... .... ..1. = Exclusive

Oplock: Requesting OPLOCK

            Access Mask: 0x0002019f

                0... .... .... .... .... .... .... .... = Generic

Read: Generic read is NOT set

                .0.. .... .... .... .... .... .... .... = Generic

Write: Generic write is NOT set

                ..0. .... .... .... .... .... .... .... = Generic

Execute: Generic execute is NOT set

                ...0 .... .... .... .... .... .... .... = Generic All:

Generic all is NOT set

                .... ..0. .... .... .... .... .... .... = Maximum

Allowed: Maximum allowed is NOT set

                .... ...0 .... .... .... .... .... .... = System

Security: System security is NOT set

                .... .... ...0 .... .... .... .... .... = Synchronize:

Can NOT wait on handle to synchronize on completion of I/O

                .... .... .... 0... .... .... .... .... = Write Owner:

Can NOT write owner (take ownership)

                .... .... .... .0.. .... .... .... .... = Write DAC:

Owner may NOT write to the DAC

                .... .... .... ..1. .... .... .... .... = Read

Control: READ ACCESS to owner, group and ACL of the SID

                .... .... .... ...0 .... .... .... .... = Delete: NO delete access

                .... .... .... .... .... ...1 .... .... = Write

Attributes: WRITE ATTRIBUTES access

                .... .... .... .... .... .... 1... .... = Read

Attributes: READ ATTRIBUTES access

                .... .... .... .... .... .... .0.. .... = Delete

Child: NO delete child access

                .... .... .... .... .... .... ..0. .... = Execute: NO execute access

                .... .... .... .... .... .... ...1 .... = Write EA:

WRITE EXTENDED ATTRIBUTES access

                .... .... .... .... .... .... .... 1... = Read EA:

READ EXTENDED ATTRIBUTES access

                .... .... .... .... .... .... .... .1.. = Append: APPEND access

                .... .... .... .... .... .... .... ..1. = Write: WRITE access

                .... .... .... .... .... .... .... ...1 = Read: READ access

            File Attributes: 0x00000000

                .... .... .... .... .0.. .... .... .... = Encrypted:

This is NOT an encrypted file

                .... .... .... .... ..0. .... .... .... = Content

Indexed: This file MAY be indexed by the content indexing service

                .... .... .... .... ...0 .... .... .... = Offline:

This file is NOT offline

                .... .... .... .... .... 0... .... .... = Compressed:

This is NOT a compressed file

                .... .... .... .... .... .0.. .... .... = Reparse

Point: This file does NOT have an associated reparse point

                .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file

                .... .... .... .... .... ...0 .... .... = Temporary:

This is NOT a temporary file

                .... .... .... .... .... .... 0... .... = Normal: This file has some attribute set

                .... .... .... .... .... .... .0.. .... = Device: This is NOT a device

                .... .... .... .... .... .... ..0. .... = Archive:

This file has NOT been modified since last archive

                .... .... .... .... .... .... ...0 .... = Directory:

This is NOT a directory

                .... .... .... .... .... .... .... 0... = Volume ID:

This is NOT a volume ID

                .... .... .... .... .... .... .... .0.. = System: This is NOT a system file

                .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file

                .... .... .... .... .... .... .... ...0 = Read Only:

This file is NOT read only

            Share Access: 0x00000003 SHARE_WRITE SHARE_READ

                .... .... .... .... .... .... .... .0.. = Delete:

Object can NOT be shared for delete

                .... .... .... .... .... .... .... ..1. = Write:

Object can be shared for WRITE

                .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ

            Create Options: 0x00000040

                .... .... .... .... .... .... .... ...0 = Directory:

File being created/opened must not be a directory

                .... .... .... .... .... .... .... ..0. = Write

Through: Writes need not flush buffered data before completing

                .... .... .... .... .... .... .... .0.. = Sequential

Only: The file might not only be accessed sequentially

                .... .... .... .... .... .... .... 0... = Intermediate

Buffering: Intermediate buffering is allowed

                .... .... .... .... .... .... ...0 .... = Sync I/O

Alert: Operations NOT necessarily synchronous

                .... .... .... .... .... .... ..0. .... = Sync I/O

Nonalert: Operations NOT necessarily synchronous

                .... .... .... .... .... .... .1.. .... =

Non-Directory: File being created/opened must not be a directory

                .... .... .... .... .... .... 0... .... = Create Tree

Connection: Create Tree Connections is NOT set

                .... .... .... .... .... ...0 .... .... = Complete If

Oplocked: Complete if oplocked is NOT set

                .... .... .... .... .... ..0. .... .... = No EA

Knowledge: The client understands extended attributes

                .... .... .... .... .... .0.. .... .... = 8.3 Only:

The client understands long file names

                .... .... .... .... .... 0... .... .... = Random

Access: The file will not be accessed randomly

                .... .... .... .... ...0 .... .... .... = Delete On

Close: The file should not be deleted when it is closed

                .... .... .... .... ..0. .... .... .... = Open By

FileID: OpenByFileID is NOT set

                .... .... .... .... .0.. .... .... .... = Backup

Intent: This is a normal create

                .... .... .... .... 0... .... .... .... = No

Compression: Compression is allowed for Open/Create

                .... .... ...0 .... .... .... .... .... = Reserve

Opfilter: Reserve Opfilter is NOT set

                .... .... ..0. .... .... .... .... .... = Open Reparse

Point: Normal open

                .... .... .0.. .... .... .... .... .... = Open No

Recall: Open no recall is NOT set

                .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query

            [Disposition: Open (if file exists open it, else fail) (1)]

        Word Count (WCT): 12

        AndXCommand: No further commands (0xff)

        Reserved: 00

        AndXOffset: 0

        [File Offset: 0]

        [File RW Length: 1024]

        Remaining: 0

        Data Compaction Mode: 0

        Reserved: 0000

        Data Length Low: 688

        Data Offset: 60

        Data Length High (multiply with 64K): 0

        Reserved: 000000000000

        Byte Count (BCC): 689

        Padding: 00

DCE RPC Response, Fragment: Single, FragLen: 688, Call: 3 Ctx: 0, [Req: #2417]

    Version: 5

    Version (minor): 0

    Packet type: Response (2)

    Packet Flags: 0x03

        0... .... = Object: Not set

        .0.. .... = Maybe: Not set

        ..0. .... = Did Not Execute: Not set

        ...0 .... = Multiplex: Not set

        .... 0... = Reserved: Not set

        .... .0.. = Cancel Pending: Not set

        .... ..1. = Last Frag: Set

        .... ...1 = First Frag: Set

    Data Representation: 10000000

        Byte order: Little-endian (1)

        Character: ASCII (0)

        Floating-point: IEEE (0)

    Frag Length: 688

    Auth Length: 0

    Call ID: 3

    Alloc hint: 664

    Context ID: 0

    Cancel count: 0

    Opnum: 53

    [Request in frame: 2417]

    [Time from request: 0.094193000 seconds] Local Security Authority, lsa_QueryDomainInformationPolicy

    Operation: lsa_QueryDomainInformationPolicy (53)

    [Request in frame: 2417]

    Pointer to Info (lsa_DomainInformationPolicy)

        Referent ID: 0x00020000

        lsa_DomainInformationPolicy

            Info

            Efs Info

                Blob Size: 639

                Pointer to Efs Blob (uint8)

                    Referent ID: 0x00020004

                    EFS blob size: 639

                    GPEF

                        Key Count: 1

                        EfsKey

                            Length1: 631

                            Length2: 627

                            SID Offset: 28

                            Cert Length: 571

                            Cert Offset: 56

                            sid: S-1-5-21-53173311-3623041448-2049097239-500

                                Revision: 1

                                Num Auth: 5

                                Authority: 5

                                Sub-authorities:

21-53173311-3623041448-2049097239

                                RID: 500 (Administrator)

                            Certificate ()

                                signedCertificate

                                    version: v3 (2)

                                    serialNumber :

0xba9dd46d546a2e9c4a9f658021c734bf

                                    signature (sha-1WithRSAEncryption)

                                        Algorithm Id: 1.3.14.3.2.29

(sha-1WithRSAEncryption)

                                    issuer: rdnSequence (0)

                                        rdnSequence: 3 items ()

                                            Item: 1 item ()

                                                Item

                                                    Id: 2.5.4.3

(id-at-commonName)

                                                    DirectoryString:

printableString (1)



printableString: administrator

                                            Item: 1 item ()

                                                Item

                                                    Id: 2.5.4.7

(id-at-localityName)

                                                    DirectoryString:

printableString (1)

                                                        printableString: EFS

                                            Item: 1 item ()

                                                Item

                                                    Id: 2.5.4.11

(id-at-organizationalUnitName)

                                                    DirectoryString:

printableString (1)



printableString: EFS File Encryption Certificate

                                    validity

                                        notBefore: utcTime (0)

                                            utcTime: 04-04-08 07:27:01 (UTC)

                                        notAfter: utcTime (0)

                                            utcTime: 07-04-08 07:27:01 (UTC)

                                    subject: rdnSequence (0)

                                        rdnSequence: 3 items ()

                                            Item: 1 item ()

                                                Item

                                                    Id: 2.5.4.3

(id-at-commonName)

                                                    DirectoryString:

printableString (1)



printableString: administrator

                                            Item: 1 item ()

                                                Item

                                                    Id: 2.5.4.7

(id-at-localityName)

                                                    DirectoryString:

printableString (1)

                                                        printableString: EFS

                                            Item: 1 item ()

                                                Item

                                                    Id: 2.5.4.11

(id-at-organizationalUnitName)

                                                    DirectoryString:

printableString (1)



printableString: EFS File Encryption Certificate

                                    subjectPublicKeyInfo

                                        algorithm (rsaEncryption)

                                            Algorithm Id:

1.2.840.113549.1.1.1 (rsaEncryption)

                                        Padding: 0

                                        subjectPublicKey:

30818902818100BED9195BC7D21DCD13CEECEE24697B6A09...

                                    extensions: 1 item

                                        Item (id-ce-extKeyUsage)

                                            Extension Id: 2.5.29.37

(id-ce-extKeyUsage)

                                            KeyPurposeIDs: 1 item

                                                Item:

1.3.6.1.4.1.311.10.3.4.1 (id-ms-efs-recovery)

                                algorithmIdentifier (sha-1WithRSAEncryption)

                                    Algorithm Id: 1.3.14.3.2.29

(sha-1WithRSAEncryption)

                                Padding: 0

                                encrypted:

A7E6C169E205D3EEF730D9AE1A86379A8AF9BD9CD4FE70C1...

    NT Error: STATUS_SUCCESS (0x00000000)



0000  00 0c 29 2a 62 61 00 0c 29 44 4a 1f 08 00 45 00   ..)*ba..)DJ...E.

0010  03 18 e0 b9 40 00 80 06 af 66 c0 a8 73 05 c0 a8   .... at ....f..s...

0020  73 69 01 bd 04 4f cf b4 72 73 37 8f 5e 36 50 18   si...O..rs7.^6P.

0030  f6 b2 73 a6 00 00 00 00 02 ec ff 53 4d 42 2e 00   ..s........SMB..

0040  00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00   ................

0050  00 00 02 20 ff fe 00 38 c0 02 0c ff 00 00 00 00   ... ...8........

0060  00 00 00 00 00 b0 02 3c 00 00 00 00 00 00 00 00   .......<........

0070  00 00 00 b1 02 00 05 00 02 03 10 00 00 00 b0 02   ................

0080  00 00 03 00 00 00 98 02 00 00 00 00 00 00 00 00   ................

0090  02 00 02 00 00 00 7f 02 00 00 04 00 02 00 7f 02   ................

00a0  00 00 01 00 01 00 01 00 00 00 77 02 00 00 73 02   ..........w...s.

00b0  00 00 1c 00 00 00 02 00 00 00 3b 02 00 00 38 00   ..........;...8.

00c0  00 00 20 00 00 00 01 00 00 00 01 05 00 00 00 00   .. .............

00d0  00 05 15 00 00 00 3f 5c 2b 03 a8 39 f3 d7 17 be   ......?\+..9....

00e0  22 7a f4 01 00 00 30 82 02 37 30 82 01 a4 a0 03   "z....0..70.....

00f0  02 01 02 02 10 ba 9d d4 6d 54 6a 2e 9c 4a 9f 65   ........mTj..J.e

0100  80 21 c7 34 bf 30 09 06 05 2b 0e 03 02 1d 05 00   .!.4.0...+......

0110  30 50 31 16 30 14 06 03 55 04 03 13 0d 61 64 6d   0P1.0...U....adm

0120  69 6e 69 73 74 72 61 74 6f 72 31 0c 30 0a 06 03   inistrator1.0...

0130  55 04 07 13 03 45 46 53 31 28 30 26 06 03 55 04   U....EFS1(0&..U.

0140  0b 13 1f 45 46 53 20 46 69 6c 65 20 45 6e 63 72   ...EFS File Encr

0150  79 70 74 69 6f 6e 20 43 65 72 74 69 66 69 63 61   yption Certifica

0160  74 65 30 1e 17 0d 30 34 30 34 30 38 30 37 32 37   te0...0404080727

0170  30 31 5a 17 0d 30 37 30 34 30 38 30 37 32 37 30   01Z..07040807270

0180  31 5a 30 50 31 16 30 14 06 03 55 04 03 13 0d 61   1Z0P1.0...U....a

0190  64 6d 69 6e 69 73 74 72 61 74 6f 72 31 0c 30 0a   dministrator1.0.

01a0  06 03 55 04 07 13 03 45 46 53 31 28 30 26 06 03   ..U....EFS1(0&..

01b0  55 04 0b 13 1f 45 46 53 20 46 69 6c 65 20 45 6e   U....EFS File En

01c0  63 72 79 70 74 69 6f 6e 20 43 65 72 74 69 66 69   cryption Certifi

01d0  63 61 74 65 30 81 9f 30 0d 06 09 2a 86 48 86 f7   cate0..0...*.H..

01e0  0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81   ..........0.....

01f0  00 be d9 19 5b c7 d2 1d cd 13 ce ec ee 24 69 7b   ....[........$i{

0200  6a 09 c8 64 06 cd 90 0f a2 8f 8f 09 44 c5 0c e7   j..d........D...

0210  dd df 7d 25 96 85 41 05 19 14 35 0c ec 73 11 5a   ..}%..A...5..s.Z

0220  3e e9 8c 7b d1 fa 7d dc 81 79 39 41 d7 be 0a aa   >..{..}..y9A....

0230  d7 74 5b 5f 9b a1 13 76 af a6 9f 93 6b df c3 1b   .t[_...v....k...

0240  ee fe 3b c8 93 33 6f 30 5b cf 67 e6 b1 d8 41 de   ..;..3o0[.g...A.

0250  3e 4f 7b 4e fc 0a 9c e1 a5 b2 fc b1 db 0b 67 13   >O{N..........g.

0260  0f 5d 6d b0 0c 6d 68 29 23 70 cc 45 df 13 2d c3   .]m..mh)#p.E..-.

0270  8d 02 03 01 00 01 a3 1a 30 18 30 16 06 03 55 1d   ........0.0...U.

0280  25 04 0f 30 0d 06 0b 2b 06 01 04 01 82 37 0a 03   %..0...+.....7..

0290  04 01 30 09 06 05 2b 0e 03 02 1d 05 00 03 81 81   ..0...+.........

02a0  00 a7 e6 c1 69 e2 05 d3 ee f7 30 d9 ae 1a 86 37   ....i.....0....7

02b0  9a 8a f9 bd 9c d4 fe 70 c1 fe 06 65 b9 9a 3d a7   .......p...e..=.

02c0  b8 a6 cf 58 60 fc f5 34 8e 59 70 e4 aa 7e 4e 63   ...X`..4.Yp..~Nc

02d0  6c 22 77 a6 df 89 bc 98 7c a2 7b 0d 14 7c 95 77   l"w.....|.{..|.w

02e0  fb 1a e8 71 6b a9 f2 93 fc e1 8f ed 7d 40 c2 cf   ...qk.......}@..

02f0  b4 9a 32 ea 14 cd e1 43 f1 21 3d 4b 0c 97 47 e3   ..2....C.!=K..G.

0300  8e 1c 85 8d f5 82 ee 1c 86 bb 55 07 85 51 42 f6   ..........U..QB.

0310  a6 e6 45 54 c5 4a e7 82 cd b5 6a 4a cf c3 65 f5   ..ET.J....jJ..e.

0320  4d 83 00 00 00 00                                 M.....





On Sat, Oct 4, 2008 at 3:29 AM, Edgar Olougouna <edgaro at microsoft.com> wrote:

> ******* The following is an email for a support case from Microsoft Corp.

> ******* DO NOT REPLY TO THIS MESSAGE--your email will not be added to

> ******* the case if you do.  Instead, FORWARD your response to the

> ******* email address COMPMAIL at MICROSOFT.COM and place your text after

> ******* the keyword 'MESSAGE:'.  Also, delete all other text above

> ******* and below the keywords 'CASE_ID_NUM: SRnnn' and 'MESSAGE:'

> ******* to ensure proper delivery of your email.  Thank you.

>

> CASE_ID_NUM: SRX081002601173

> MESSAGE:

> ********************** The message for you follows

> ************************ Hi Ronnie,

>

> I will be working with you to solve this case.

>

> In the [MS-GPEF] 2.2.1.2.2 EfsKey packet, you mentioned you are seeing a 4 byte integer with the value 0x00000001  between the Reserved2 field and the first byte of the SID.

> Could you send us the trace?

>

> Best regards,

>

> Edgar A. Olougouna

> Sr. SEE, Microsoft DSC Protocol Team | Email: edgaro at microsoft.com |

> Tel: +1.469.775.7189 x 57189

>

>
-------------- next part --------------
HTML attachment scrubbed and removed


More information about the cifs-protocol mailing list