unknown RPC opcodes during join+logon

Luke Howard lukeh at PADL.COM
Thu Aug 15 18:51:01 GMT 2002

>> 0x1A may be NetrServerAuthenticate3().
>yes it can be, it's very close to NetrServerAuthenticate2(), at least the
>queries are the same. There's a uint32 of difference in the reply.

Here are the two prototypes from our netlogon IDL file (slightly edited):

NTSTATUS NetrServerAuthenticate2(
    [in] LOGONSRV_HANDLE ServerName,
    [in] LPWSTR UserName,
    [in] /* enum */ NETLOGON_SECURE_CHANNEL_TYPE SecChan,
    [in] LPWSTR ComputerName,
    [in] NETLOGON_CREDENTIAL *ClientChal,
    [out] NETLOGON_CREDENTIAL *ServerChal,
    [in, out] ULONG *Flags
);

NTSTATUS NetrServerAuthenticate3(
    [in] LOGONSRV_HANDLE ServerName,
    [in] LPWSTR UserName,
    [in] LPWSTR computer_name,
    [in] NETLOGON_CREDENTIAL *ClientChal,
    [out] NETLOGON_CREDENTIAL *ServerChal,
    [in, out] ULONG *Flags,
    [out] ULONG *Unknown
);

You're correct about the additional uint32; not sure what this is yet but
IIRC it was set to zero in the trace we saw.

>nope. I've got a trace with a w2k joining a w2k domain with kerberos
>disabled, and I still get the NETLOGON 0X1D. I think it's a variant of the
>NetrSamLogon() call.

Hmm. The variant should be NetrLogonSamLogonEx(); the best candidate I
could find was opcode 0x27, which seems to make sense for Kerberos as it
doesn't take an NTLM authenticator, but it does take a NETLOGON_INFO query
and return a NETLOGON_VALIDATION (one of the info levels for which is
definitely a PAC verifier according to Ethereal). 

But I'm not sure whether anyone has actually seen this RPC. OTOH while we
know the layout of the structures passed to and from 0x1D, the contents are
not yet clear.

>Time to get a new trace with sign&seal disabled.

Yes, please send one if you have it.


-- Luke

Luke Howard | lukehoward.com
PADL Software | www.padl.com
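
An added example, not part of the original message or of any project's code: a Python decoder for the reply stubs of the two prototypes quoted above, showing where the extra uint32 sits. It assumes an unsealed stub (sign&seal disabled), an 8-byte NETLOGON_CREDENTIAL, inline NDR marshalling of the [out] parameters and a trailing NTSTATUS; the function names and sample bytes are constructed for illustration.

```python
import struct

# Assumed reply stub layouts (from the prototypes in the message):
#   NetrServerAuthenticate2: ServerChal(8) Flags(4) NTSTATUS(4)            = 16 bytes
#   NetrServerAuthenticate3: ServerChal(8) Flags(4) Unknown(4) NTSTATUS(4) = 20 bytes
LAYOUTS = {
    16: ("NetrServerAuthenticate2", "8sII",
         ("server_chal", "flags", "status")),
    20: ("NetrServerAuthenticate3", "8sIII",
         ("server_chal", "flags", "unknown", "status")),
}

# Constructed sample stubs: same challenge and flags, success status.
SAMPLE_AUTH2 = bytes.fromhex("1122334455667788" "ff010000" "00000000")
SAMPLE_AUTH3 = bytes.fromhex("1122334455667788" "ff010000" "00000000" "00000000")


def decode_auth_reply(stub: bytes, little_endian: bool = True) -> dict:
    """Decode a reply stub for either call, selected by its length.

    little_endian should follow the data representation field of the
    DCE/RPC PDU header that carried the stub.
    """
    try:
        name, fmt, fields = LAYOUTS[len(stub)]
    except KeyError:
        # Sealed traffic or a different opcode will not match either layout.
        raise ValueError(f"unexpected reply stub length {len(stub)}") from None
    prefix = "<" if little_endian else ">"
    decoded = dict(zip(fields, struct.unpack(prefix + fmt, stub)))
    decoded["call"] = name
    return decoded


def extra_fields(a: dict, b: dict) -> list:
    """Field names present in only one of two decoded replies."""
    return sorted(set(a) ^ set(b))


if __name__ == "__main__":
    r2 = decode_auth_reply(SAMPLE_AUTH2)
    r3 = decode_auth_reply(SAMPLE_AUTH3)
    print(r2)
    print(r3)
    print("differs by:", extra_fields(r2, r3))
```
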
