[cifs-protocol] 117090816306100 [MS-NRPC] interaction with SYSVOLReady =0

Edgar Olougouna edgaro at microsoft.com
Fri Sep 8 17:54:39 UTC 2017


Hello Metze,
I am reviewing this and will follow-up with you.

Thanks,
Edgar

-----Original Message-----
From: Sreekanth Nadendla 
Sent: Friday, September 8, 2017 8:39 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: 117090816306100 [MS-NRPC] interaction with SYSVOLReady =0

Casemail in Cc
Dochelp in Bcc

Hello Stefan, 
Thank you for your inquiry about MS-NRPC open specification. We have created incident #117090816306100 to investigate this issue. One of the Open specifications team member will contact you shortly.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org] 
Sent: Friday, September 8, 2017 5:06 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [MS-NRPC] interaction with SYSVOLReady =0

Hi DocHelp,

I had the situation where a Windows 2012 DC returns NT_STATUS_ACCESS_DENIED for all NetrLogonSamLogonEx requests.

I finally managed to find that the DC didn't provide SYSVOL and NETLOGON shares, this led to checking the SYSVOLReady key and it was 0.
(Under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters)

After manually changing SYSVOLReady to 1 (just for short term testing)
NetrLogonSamLogonEx() worked fine.

I guess the following section in [MS-NRPC] 3.5.4.5.1 NetrLogonSamLogonEx is supposed to describe this:

 If the server cannot service the request due to an  implementation-specific condition, the server SHOULD  return STATUS_ACCESS_DENIED.

Can this please be extended maybe with a windows behavior note, proposing SYSVOLReady = 0 as a possible reason for this behavior.

Is there more affected by this registry key than all NetrLogonSamLogon* calls.

I'm wondering why [MS-ADTS] 6.3.3 LDAP Ping or 6.3.5 Mailslot Ping would still return "normal" results in that case. As Samba made use of such a DC, I'd guess yes, but I haven't verified if we just ignore a LOGON_SAM_PAUSE_RESPONSE* response.

Thanks!
metze




More information about the cifs-protocol mailing list