SAMR x3e opcode in AD machine join

Jean Francois Micouleau Jean-Francois.Micouleau at
Mon Aug 5 08:56:04 GMT 2002

On Mon, 5 Aug 2002, Anthony Liguori wrote:

> When a WinXP client joins an AD domain, one of the new RPC calls that
> appears is a SAMR x3e call.  The call appears right before any other SAMR
> call (EnumDomains, LookupDomain, OpenDomain, etc.) and returns a policy
> handle and NTSTATUS code.  The call takes a UNISTR2 (that's typically
> "\\DC" either NETBIOS or dns name depending on what is specified when
> joining the domain) and what appears to be an ACCESS_MASK.
> This function behaves exactly as one would expect a SamrConnect call to
> behave even though SamrConnect is already implemented with opcode x39. The
> call has to be some variant of SamrConnect because no call to SamrConnect
> is made before the other Samr calls to obtain the policy handle.  One
> possibility is that it's a different version of SamrConnect perhaps with
> different flags for the ACCESS_MASK parameter.
> Another possibility is that it is the SamrIConnect call. On WinXP, dumping
> the exports from samsrv.dll will reveal a bunch of SamrIxxx calls.  At
> first, I thought they may just be internal versions of the call (the
> regular Samr calls might just stub to the SamrI call) but SamrConnect
> never actually calls SamrIConnect.  Perhaps there are new versions of some
> of the Samr calls that are now used in Win2k prefixed with SamrI.
> Any ideas?

That's a new form of the samrConnect call. The only difference is the
added uint32. When I was playing with usrmgr.exe from a w2k machine I got
it too in my traces.

The query header is:

uint32 ptr_to_string;
UNISTR2 string;
uint32 unknown;
uint32 access_mask;

If you code it, don't forget the prs_align() call between the unistr2
string and the uint32 value.
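
The alignment point above, as an added example that is not part of the original post and is not Samba code: a bounds-checked parser for the listed header, run over a constructed request with and without the 4-byte padding step. The names `connect_q`, `rd32`, `parse_connect_q` and `sample_req` are hypothetical, and the UNISTR2 layout is assumed to be three uint32 counts (max length, offset, length) followed by UTF-16LE characters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; field order follows the header listed in the post. */
struct connect_q {
    uint32_t ptr, max_len, offset, str_len, unknown, access_mask;
    const uint8_t *name; /* UTF-16LE characters, points into the input */
};

/* Constructed sample: "\\DC" plus NUL (5 chars), unknown=1, access_mask=0x02000000. */
const uint8_t sample_req[36] = {
    0x00,0x00,0x02,0x00, 5,0,0,0, 0,0,0,0, 5,0,0,0,
    0x5c,0, 0x5c,0, 'D',0, 'C',0, 0,0, 0,0 /* 2 pad bytes */,
    1,0,0,0, 0x00,0x00,0x00,0x02 };

/* Bounds-checked little-endian uint32 read; returns 0 on success. */
static int rd32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4) return -1;
    const uint8_t *p = b + *off;
    *out = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    *off += 4;
    return 0;
}

/* align != 0 pads to a 4-byte boundary after the string (the prs_align() step). */
int parse_connect_q(const uint8_t *b, size_t len, int align, struct connect_q *q)
{
    size_t off = 0;
    memset(q, 0, sizeof *q);
    if (rd32(b, len, &off, &q->ptr)) return -1;
    if (q->ptr != 0) {
        if (rd32(b, len, &off, &q->max_len) || rd32(b, len, &off, &q->offset) ||
            rd32(b, len, &off, &q->str_len)) return -1;
        /* This example accepts only offset 0 and rejects lengths that
         * disagree with each other or overrun the buffer. */
        if (q->offset != 0 || q->str_len > q->max_len ||
            q->str_len > (len - off) / 2) return -1;
        q->name = b + off;
        off += (size_t)q->str_len * 2;
    }
    if (align) off = (off + 3) & ~(size_t)3;
    if (rd32(b, len, &off, &q->unknown) || rd32(b, len, &off, &q->access_mask)) return -1;
    return off == len ? 0 : -1; /* leftover bytes mean the framing is off */
}

int main(void)
{
    struct connect_q q;
    printf("aligned: %d\n", parse_connect_q(sample_req, sizeof sample_req, 1, &q));
    printf("unaligned: %d\n", parse_connect_q(sample_req, sizeof sample_req, 0, &q));
    return 0;
}
```

With an odd character count the string ends on a 2-byte boundary, so skipping the padding shifts both trailing uint32 fields by two bytes and the parse fails its length check.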

