Forward: [Re: Thoughts on problems with W2K joining ...] (fwd)

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Dec 7 15:04:54 GMT 2000


code exists for doing join to domain in TNG.  this issue was resolved ten
months ago.

p.s. for those people insisting on reinventing the wheel, you should know
that if you do not null-terminate the name (e.g. UNISTR2->len = 4, maxlen
=4, name=(uint16*)"T\0E\0S\0T") from the LsaQueryInfoPolicy response to
the NT5 client, the NT5 LSA unmarshalling code will take the next 2 bytes
- whatever they contain - as the string termination character.

if this is what you have done (unistr2->len and maxlen =
strlen(unistr2->name) instead of strlen(name)+1) then even-lengthed
domain names will fail and odd-lengthed names will succeed because the
item following the domain name is a 32-bit quantity, and is 4-byte
aligned, leaving 2 null chars to be "interpreted" as a unicode
null-termination character.

in nt5 registry, set Netlogon/Parameters/Debug to [string, NOT a dword!!!]
"0x1fffffff", and replace the NETLOGON.DLL with a checked build
NETLOGON.DLL.

reboot.

then attempt a join, and then examine %system%/debug/netlogon.log.

you will find that an attempt was made, logged and failed, to access TEST+
via a UDP 138 NETLOGON MAILSLOT query, where + is some totally random
character.

i think that this even shows up on-the-wire.  which means that if the
domain TEST+ actually exists (do a UDP mailslot flood and it will exist,
all right)....

hm.

you know what?

i think this is enough of a security risk to let ms know (hi guys).  they
have recently changed their minds about client-side problems being less of
a priority than server-side problems.

luke



---------- Forwarded message ----------
Date: Thu, 7 Dec 2000 09:51:15 -0500
From: Andrew Klaassen <ak at dkp.com>
Reply-To: tng-technical at lists.dcerpc.org
To: tng-technical at lists.dcerpc.org
Subject: Forward: [Re: Thoughts on problems with W2K joining ...]

Not sure if this is useful for the TNG people; I saw it on that
samba-ntdom list.  Apparently there are alignment issues when
joining a w2k to the domain.

Andrew Klaassen

----- Forwarded message from gandalf at mail.rss.cz -----

Date: Thu, 7 Dec 2000 12:41:31 +0100 (CET)
From: <gandalf at mail.rss.cz>
Subject: Re: Thoughts on problems with W2K joining ...
To: Richard Sharpe <sharpe at ns.aus.com>
Cc: David Bannon <D.Bannon at latrobe.edu.au>, <samba-ntdom at us5.samba.org>


Sorry to be unclear, it is the workgroup parameter in the smb.conf
For now, I tried four names (with the otherwise identical
configuration) ->

TGROUP does not work
TGRP does not work
GRP works
GRPKP works

s.p.

On Wed, 6 Dec 2000, Richard Sharpe wrote:

> At 12:01 PM 12/7/00 +0100, gandalf at mail.rss.cz wrote:
> >
> >Hi,
> >
> >I would not believe this, but I have seen it with my own eyes:  Got
> >fresh cvs today, compiled, removed old /usr/local/samba, installed the
> >fresh one, used the same smb.conf as million times before, started the
> >w2k, tried to join domain, and - The domain cannot be accessed, blablabla,
> >as usual (see my post few days ago with the subject 'another error...')
> >Then I CHANGED THE GROUP NAME in the smb.conf file, restarted samba,
>
> What do you mean, you changed the group name?????

-- 
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Stanislav Polasek, Research Support Scheme
Bartolomejska 11, 110 00 Praha 1, Czech Republic
tel ++420-2-24231871, fax ++420-2-24231997
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-


----- End forwarded message -----
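
Added example, not part of the original messages and not Samba or TNG code: a small C model of the even/odd name-length behaviour described at the top of this thread, run over the four workgroup names reported in the forwarded message. Assumptions: a simplified UNISTR2-style layout (two 32-bit lengths, then UTF-16LE characters), zero-filled alignment padding, a constructed following field of 0x2B, and a reader that treats the 16-bit unit after `len` characters as the terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a 32-bit little-endian value at buf[off]; returns the new offset. */
static size_t put_u32(uint8_t *buf, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) buf[off + i] = (uint8_t)(v >> (8 * i));
    return off + 4;
}

/* Simplified layout (assumption): max_len, len, UTF-16LE chars, zero padding
 * to a 4-byte boundary, then the following 32-bit field.
 * count_nul = 0 reproduces len = strlen(name); 1 gives strlen(name) + 1. */
size_t marshal_name(uint8_t *buf, const char *name, int count_nul, uint32_t next_field) {
    uint32_t len = (uint32_t)strlen(name) + (count_nul ? 1 : 0);
    size_t off = put_u32(buf, 0, len);            /* max_len */
    off = put_u32(buf, off, len);                 /* len */
    for (uint32_t i = 0; i < len; i++) {          /* name[strlen] is the NUL */
        buf[off++] = (uint8_t)name[i];
        buf[off++] = 0;
    }
    while (off % 4) buf[off++] = 0;               /* alignment padding */
    return put_u32(buf, off, next_field);
}

/* Model of the reader described in the post (assumption): the 16-bit unit
 * after the len characters is taken as the terminator, whatever it holds.
 * Returns the length of the name the reader ends up with. */
size_t name_len_seen(const uint8_t *buf) {
    uint32_t len = buf[0] | buf[1] << 8 | buf[2] << 16 | (uint32_t)buf[3] << 24;
    const uint8_t *s = buf + 8;                   /* characters start after the header */
    size_t n = 0;
    while (n <= len && (s[2 * n] | s[2 * n + 1])) n++;
    return n;
}

int main(void) {
    const char *names[] = { "TGROUP", "TGRP", "GRP", "GRPKP" }; /* from the thread */
    for (int i = 0; i < 4; i++) {
        uint8_t buf[64];
        marshal_name(buf, names[i], 0, 0x2B);     /* constructed next field */
        printf("%-6s strlen=%zu seen=%zu\n", names[i], strlen(names[i]),
               name_len_seen(buf));
    }
    return 0;
}
```

With `count_nul` set to 1 the terminator is part of the counted characters, so the reader's result no longer depends on the padding or on the field that follows.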







