unknown RPC opcodes during join+logon

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Thu Aug 15 13:56:01 GMT 2002

On Sun, 11 Aug 2002, Luke Howard wrote:

> >The only other weird frame is later (not appended below) a NTLMSSP DCERPC
> >auth request which may be optional.
> Could be setting up the NETLOGON secure channel; what is the RPC
> authentication flavor? 0x44? You can disable this in the registry
> with the usual instructions.
> >After join the boot and logon  includes only two frames that require
> >further analysis - the DCE/RPC request to the NETLOGON pipe for unknown
> >opcode 0x1a (once during boot, once during logon) and request to NETLOGON
> >pipe  for unknown opcode 0x1D (during boot I think).
> 0x1A may be NetrServerAuthenticate3().

yes it can be, it's very close to NetrServerAuthenticate2(), at least the
query are the same. There a uint32 of difference in the reply.

> Note sure about 0x1D; could it be the PAC verification RPC? Fairly
> sure we saw it at domain logon.

nope. I've got a trace with a w2k joining a w2k domain with kerberos
disabled, and i still get the NETLOGON 0X1D. I think it's a variant of the
NetrSamLogon() call.

Time to get a new trace with sign&seal disabled.


More information about the samba-technical mailing list