unknown RPC opcodes during join+logon

Luke Howard lukeh at PADL.COM
Sat Aug 10 23:37:00 GMT 2002

>The only other weird frame is later (not appended below) a NTLMSSP DCERPC
>auth request which may be optional.

Could be setting up the NETLOGON secure channel; what is the RPC
authentication flavor? 0x44? You can disable this in the registry
with the usual instructions.

>After join the boot and logon  includes only two frames that require
>further analysis - the DCE/RPC request to the NETLOGON pipe for unknown
>opcode 0x1a (once during boot, once during logon) and request to NETLOGON
>pipe  for unknown opcode 0x1D (during boot I think).

0x1A may be NetrServerAuthenticate3().

Note sure about 0x1D; could it be the PAC verification RPC? Fairly
sure we saw it at domain logon.

-- Luke

Luke Howard | lukehoward.com
PADL Software | www.padl.com

More information about the samba-technical mailing list