[cifs-protocol] 117090816306100 [MS-NRPC] interaction with SYSVOLReady =0

Edgar Olougouna edgaro at microsoft.com
Thu Sep 14 03:22:26 UTC 2017


Metze,
To close the loop on our discussion on SysvolReady, the access denied could be due to SysVol not being ready, but it could also be due to other implementation conditions. Examples include DC promotion, FRS migration to DFSR, replica maintenance. That error does not necessarily mean that access is denied.
My understanding is that SysVolReady = 0 should be a transient state.

3.4.5.3.2  Calling NetrLogonSamLogonEx
On receiving STATUS_ACCESS_DENIED, the client SHOULD re-establish the secure channel with the DC. <109>
<109> Section 3.4.5.3.2: Windows clients reestablish the secure channel with the domain controller upon receiving STATUS_ACCESS_DENIED.

3.5.4.5.1 NetrLogonSamLogonEx (Opnum 39)
If the server cannot service the request due to an implementation-specific condition, the server SHOULD return STATUS_ACCESS_DENIED.

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, September 8, 2017 10:55 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: 117090816306100 [MS-NRPC] interaction with SYSVOLReady =0

Hello Metze,
I am reviewing this and will follow up with you.

Thanks,
Edgar

-----Original Message-----
From: Sreekanth Nadendla 
Sent: Friday, September 8, 2017 8:39 AM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: 117090816306100 [MS-NRPC] interaction with SYSVOLReady =0

Casemail in Cc
Dochelp in Bcc

Hello Stefan, 
Thank you for your inquiry about the MS-NRPC open specification. We have created incident #117090816306100 to investigate this issue. One of the Open Specifications team members will contact you shortly.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org] 
Sent: Friday, September 8, 2017 5:06 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [MS-NRPC] interaction with SYSVOLReady =0

Hi DocHelp,

I had the situation where a Windows 2012 DC returns NT_STATUS_ACCESS_DENIED for all NetrLogonSamLogonEx requests.

I finally managed to find that the DC didn't provide SYSVOL and NETLOGON shares; this led to checking the SYSVOLReady key and it was 0.
(Under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters)

After manually changing SYSVOLReady to 1 (just for short term testing)
NetrLogonSamLogonEx() worked fine.

I guess the following section in [MS-NRPC] 3.5.4.5.1 NetrLogonSamLogonEx is supposed to describe this:

 If the server cannot service the request due to an implementation-specific condition, the server SHOULD return STATUS_ACCESS_DENIED.

Can this please be extended, maybe with a Windows behavior note, proposing SYSVOLReady = 0 as a possible reason for this behavior.

Is there more affected by this registry key than all NetrLogonSamLogon* calls?

I'm wondering why [MS-ADTS] 6.3.3 LDAP Ping or 6.3.5 Mailslot Ping would still return "normal" results in that case. As Samba made use of such a DC, I'd guess yes, but I haven't verified if we just ignore a LOGON_SAM_PAUSE_RESPONSE* response.

Thanks!
metze
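
The DC-side state described in this thread (SysvolReady under the Netlogon Parameters key, plus the SYSVOL and NETLOGON shares) can be read in one pass when NetrLogonSamLogonEx keeps returning STATUS_ACCESS_DENIED. The script below is an added example, not part of the thread or of any Microsoft or Samba tooling; the function name Get-SysvolReadiness and the wording of its Finding field are assumptions, and it is meant to be run locally on the domain controller.

```powershell
# Added example: read-only check of the conditions discussed in the thread.
# Get-SysvolReadiness is a hypothetical helper name, not an existing cmdlet.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ExpectedShares = 'SYSVOL', 'NETLOGON'

function Get-SysvolReadiness {
    # SysvolReady: $null here means the value is absent from the key.
    $params = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $ready = if ($params -and ($params.PSObject.Properties.Name -contains 'SysvolReady')) {
        [int]$params.SysvolReady
    } else {
        $null
    }

    # The symptom reported in the thread: the DC does not provide these shares.
    $present = @(Get-SmbShare -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $ExpectedShares } |
        Select-Object -ExpandProperty Name)
    $missing = @($ExpectedShares | Where-Object { $_ -notin $present })

    $netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue

    # SysvolReady = 0 is expected to be transient (DC promotion, migration to
    # DFSR, replica maintenance), so report the state and do not change it.
    $finding = if ($ready -eq 1 -and $missing.Count -eq 0) {
        'SYSVOL is ready; access denied has another implementation-specific cause'
    } else {
        'SYSVOL not ready; matches the condition reported in this thread'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        NetlogonState = if ($netlogon) { $netlogon.Status } else { 'not found' }
        SysvolReady   = $ready
        MissingShares = $missing -join ','
        Finding       = $finding
    }
}

Get-SysvolReadiness | Format-List
```

A result that still shows SysvolReady = 0 on repeated runs indicates the state is not clearing on its own, which is the situation the original report describes.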



