unknown RPC opcodes during join+logon

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Thu Aug 15 13:56:01 GMT 2002


On Sun, 11 Aug 2002, Luke Howard wrote:

>
> >The only other weird frame is later (not appended below) a NTLMSSP DCERPC
> >auth request which may be optional.
>
> Could be setting up the NETLOGON secure channel; what is the RPC
> authentication flavor? 0x44? You can disable this in the registry
> with the usual instructions.
>
> >After join the boot and logon includes only two frames that require
> >further analysis - the DCE/RPC request to the NETLOGON pipe for unknown
> >opcode 0x1a (once during boot, once during logon) and request to NETLOGON
> >pipe for unknown opcode 0x1D (during boot I think).
>
> 0x1A may be NetrServerAuthenticate3().

Yes, it can be; it's very close to NetrServerAuthenticate2(), at least the
queries are the same. There's a uint32 of difference in the reply.

> Not sure about 0x1D; could it be the PAC verification RPC? Fairly
> sure we saw it at domain logon.

Nope. I've got a trace with a w2k joining a w2k domain with Kerberos
disabled, and I still get the NETLOGON 0x1D. I think it's a variant of the
NetrSamLogon() call.

Time to get a new trace with sign&seal disabled.

	J.F.




