[cifs-protocol] Clarify reserved bytes that are in fact used in LogonSamLogonEx response

Andrew Bartlett abartlet at samba.org
Mon Jul 20 06:00:19 MDT 2009


G'day,

My friend in Samba development Matthieu has been chasing down small but
possibly significant differences between Samba4 and Windows.  He is
puzzled by the following, and we wondered if you might be able to shed
some light on the matter.

Thanks,

Andrew Bartlett

-------- Original Message --------
Subject: clarify reserved bytes that are in fact used in LogonSamLogonEx 
response
Date: Mon, 20 Jul 2009 00:45:28 +0400
From: Matthieu Patou <mat+Informatique.Samba at matws.net>

Hello,


In the data returned by the LogonSamLogonEx RPC there is a
NETLOGON_VALIDATION pointer called ValidationInformation (in MS-NRPC.pdf).

The following data was obtained with a Windows 2003R2 server:

0000   06 00 00 00 00 00 02 00 10 95 6f 37 a6 05 ca 01
0010   ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f
0020   04 53 0a 67 38 61 c9 01 04 13 74 91 01 62 c9 01
0030   ff ff ff ff ff ff ff 7f 1a 00 1c 00 04 00 02 00
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060   00 00 00 00 00 00 00 00 3b 00 00 00 f4 01 00 00
0070   01 02 00 00 05 00 00 00 08 00 02 00 20 05 00 00
0080   fa 40 c6 06 2c 65 f8 cc 0e 8e 5c 8a 9e 9a 57 b7
0090   14 00 16 00 0c 00 02 00 0c 00 0e 00 10 00 02 00
00a0   14 00 02 00 c7 b2 00 73 b4 fb 7d b2 10 02 00 00
00b0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00c0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00d0   00 00 00 00 14 00 16 00 18 00 02 00 30 00 30 00
00e0   1c 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00
00f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0110   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0120   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0130   00 00 00 00 0e 00 00 00 00 00 00 00 0d 00 00 00
0140   41 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00
0150   72 00 61 00 74 00 6f 00 72 00 00 00 05 00 00 00
0160   07 02 00 00 07 00 00 00 08 02 00 00 07 00 00 00
0170   00 02 00 00 07 00 00 00 06 02 00 00 07 00 00 00
0180   01 02 00 00 07 00 00 00 0b 00 00 00 00 00 00 00
0190   0a 00 00 00 57 00 32 00 4b 00 33 00 41 00 44 00
01a0   56 00 5a 00 30 00 31 00 07 00 00 00 00 00 00 00
01b0   06 00 00 00 4d 00 53 00 57 00 32 00 4b 00 33 00
01c0   04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00
01d0   86 ec 41 48 9a 49 bf 58 d1 8f f7 2b 0b 00 00 00
01e0   00 00 00 00 0a 00 00 00 6d 00 73 00 77 00 32 00
01f0   6b 00 33 00 2e 00 74 00 73 00 74 00 18 00 00 00
0200   00 00 00 00 18 00 00 00 41 00 64 00 6d 00 69 00
0210   6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00
0220   72 00 40 00 6d 00 73 00 77 00 32 00 6b 00 33 00
0230   2e 00 74 00 73 00 74 00 01 00 00 00 00 00 00 00
0240   00 00 00 00

As the level for this netlogon_validation is 6, the returned data is in
fact a pointer to a NETLOGON_VALIDATION_SAM_INFO4 structure called
ValidationSam4.

It is stated: "All fields of this structure, except the following
fields, have the same meaning as the identically named fields in the
KERB_VALIDATION_INFO structure, as specified in [MS-PAC] section 2.5.
The following is the list of fields that are not found in [MS-PAC]"

Reading this document informs us that after LogonDomainId there is
reserved1 (at offset 0xa5):
"Reserved1: A two-element array of unsigned 32-bit integers. This member
is reserved, and each element of the array MUST be equal to 0x00000000
and MUST be ignored on receipt."

Clearly that's not the case here, because the value is not null: c7 b2 00
73 b4 fb 7d b2. Can you explain the contents of these two longs?

Best regards.

Matthieu Patou.



-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
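
Added example (not part of the original message and not Samba's code): a Python walk over the fixed-size members of the posted dump, in KERB_VALIDATION_INFO order, that locates the eight bytes following LogonDomainId and reports whether they are zero. The 16-bit union tag followed by two pad bytes, and the helper names `walk` and `reserved1_violation`, are assumptions of this example.

```python
import struct

# First 0xb0 bytes of the dump posted above (0x0000-0x00af), copied verbatim.
DUMP = bytes.fromhex("""
06 00 00 00 00 00 02 00 10 95 6f 37 a6 05 ca 01
ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f
04 53 0a 67 38 61 c9 01 04 13 74 91 01 62 c9 01
ff ff ff ff ff ff ff 7f 1a 00 1c 00 04 00 02 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 3b 00 00 00 f4 01 00 00
01 02 00 00 05 00 00 00 08 00 02 00 20 05 00 00
fa 40 c6 06 2c 65 f8 cc 0e 8e 5c 8a 9e 9a 57 b7
14 00 16 00 0c 00 02 00 0c 00 0e 00 10 00 02 00
14 00 02 00 c7 b2 00 73 b4 fb 7d b2 10 02 00 00
""")

# Members in KERB_VALIDATION_INFO order ([MS-PAC] 2.5). "8s" keeps a FILETIME or
# RPC_UNICODE_STRING header raw; "I" also covers 4-byte pointer referent IDs.
FIELDS = [(n, "8s") for n in (
    "LogonTime", "LogoffTime", "KickOffTime", "PasswordLastSet",
    "PasswordCanChange", "PasswordMustChange", "EffectiveName", "FullName",
    "LogonScript", "ProfilePath", "HomeDirectory", "HomeDirectoryDrive")] + [
    ("LogonCount", "H"), ("BadPasswordCount", "H"), ("UserId", "I"),
    ("PrimaryGroupId", "I"), ("GroupCount", "I"), ("GroupIds", "I"),
    ("UserFlags", "I"), ("UserSessionKey", "16s"), ("LogonServer", "8s"),
    ("LogonDomainName", "8s"), ("LogonDomainId", "I"), ("Reserved1", "8s"),
    ("UserAccountControl", "I")]

def walk(buf):
    """Map each member name to (offset, value) for a level 6 reply."""
    # Assumption: 16-bit union tag, 2 pad bytes, then the 4-byte referent ID.
    level, referent = struct.unpack_from("<H2xI", buf, 0)
    if level != 6 or referent == 0:
        raise ValueError("expected a non-null level 6 validation pointer")
    out, off = {}, 8  # members start naturally aligned, so no padding is needed
    for name, fmt in FIELDS:
        (value,) = struct.unpack_from("<" + fmt, buf, off)
        out[name] = (off, value)
        off += struct.calcsize("<" + fmt)
    return out

def reserved1_violation(buf):
    off, raw = walk(buf)["Reserved1"]
    return (off, raw) if any(raw) else None  # None when all zero, as specified

if __name__ == "__main__":
    for name, (off, value) in walk(DUMP).items():
        print(f"0x{off:04x} {name:<18} {value.hex(' ') if isinstance(value, bytes) else hex(value)}")
```

On the posted bytes the walk places Reserved1 at 0x00a4 in the dump, with the value c7 b2 00 73 b4 fb 7d b2 quoted in the message.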