unknown RPC opcodes during join+logon
Luke Howard
lukeh at PADL.COM
Sat Aug 10 23:37:00 GMT 2002
>The only other weird frame is later (not appended below) a NTLMSSP DCERPC
>auth request which may be optional.
Could be setting up the NETLOGON secure channel; what is the RPC
authentication flavor? 0x44? You can disable this in the registry
with the usual instructions.
>After join the boot and logon includes only two frames that require
>further analysis - the DCE/RPC request to the NETLOGON pipe for unknown
>opcode 0x1a (once during boot, once during logon) and request to NETLOGON
>pipe for unknown opcode 0x1D (during boot I think).
0x1A may be NetrServerAuthenticate3().
Note sure about 0x1D; could it be the PAC verification RPC? Fairly
sure we saw it at domain logon.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
More information about the samba-technical
mailing list