SAMR x3e opcode in AD machine join
Jean Francois Micouleau
Jean-Francois.Micouleau at dalalu.fr
Mon Aug 5 08:56:04 GMT 2002
On Mon, 5 Aug 2002, Anthony Liguori wrote:
> When a WinXP client joins an AD domain, one of the new RPC calls that
> appears is a SAMR x3e call. The call appears right before any other SAMR
> call (EnumDomains, LookupDomain, OpenDomain, etc.) and returns a policy
> handle and NTSTATUS code. The call takes a UNISTR2 (that's typically
> "\\DC" either NETBIOS or dns name depending on what is specified when
> joining the domain) and what appears to be an ACCESS_MASK.
> This function behaves exactly as one would expect a SamrConnect call to
> behave even though SamrConnect is already implemented with opcode x39. The
> call has to be some varient of SamrConnect because no call to SamrConnect
> is made before the other Samr calls to obtain to policy handle. One
> possibility is that its a different version of SamrConnect perhaps with
> different flags for the ACCESS_MASK parameter.
> Another possibility is that it is the SamrIConnect call. On WinXP, dumping
> the exports from samsrv.dll will reveal a bunch of SamrIxxx calls. At
> first, I thought they may just be internal versions of the call (the
> regular Samr calls might just stub to the SamrI call) but SamrConnect
> never actually calls SamrIConnect. Perhaps there are new versions of some
> of the Samr calls that are now used in Win2k prefixed with SamrI.
> Any ideas?
that's a new form of the samrConnect call. The only difference is the
added uint32. When I was playing with usrmgr.exe from a w2k machine I got
it too in my traces.
the query header is:
if you code it, don't forget the prs_align() call between the unistr2
string and the uint32 value.
More information about the samba-technical