unknown RPC opcodes during join+logon

Jim McDonough jmcd at us.ibm.com
Sat Jul 27 08:32:01 GMT 2002

Ok, upon further inspection, the LSA request 0x2e takes the policy handle from
the OpenPolicy2 and an extra word 0x000c (or is it two bytes, 0x0c, 0x00)...

a few more pieces of info: the netbios domain is MCD, the DNS domain is
mcd.maine.rr.com (16 bytes w/o NULL)

The reply contains: (hex values, and sizes/types are guesses for a bunch -
I'm soliciting opinions/guesses/ideas/inspirations/palm readings)
ptr?  00132bc8
int16?      000c (info level maybe?)
int16?      1840 (Hmm, this and the previous one probably get combined to a
pointer, when I look below)
int16?      0006 (number of bytes in unicode netbios domain)
int16?      0008 (same as above plus null?)
ptr?  000f4e40
int16?      0020 (number of bytes in unicode dns domain)
int16?      0022 (same as above plus null?)
ptr?  00118368
int16?      0020 (same number as above? -- the dns domain appears twice in
the reply)
int16?      0022
ptr?  00118338 (probably a ptr that happens to be near the previous one?)
DOMAIN GUID (this I know) f7ce640f-fe1d-4530-8df5-7880b3a74293
ptr?  001182e8 (really starting to look like pointer ranges)
unistr2 of "MCD" - 00000004 00000000 00000003 M.C.D.
int16 0000 alignment
unistr2 of "mcd.maine.rr.com" 00000011 00000000 00000010
unistr2 of "mcd.maine.rr.com" ditto
int32? 00000004
010400000000000515000000c2e8ba17c5dd9aa782f723e3 <- is this a SID?
rc 0000000

So my guess is:
ptr to struct {
  unistr2_hdr netbios_domain_name;
  unistr2_hdr dns_domain_name;
  unistr2_hdr dns_domain_name;
  ptr to {
    domain GUID;
  ptr to SID; ??? or whatever that last thing is
  unistr2 netbios_domain_name;
  unistr2 dns_domain_name;
  unistr2 dns_domain_name;

Anybody want to comment?

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
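
A check of the "is this a SID?" question above, as an added example that is not part of the original post: it decodes the 24 quoted bytes using the standard binary SID layout and, as an assumption about the reply layout, treats the preceding int32 00000004 as the sub-authority count marshalled ahead of the SID. The function and constant names are hypothetical.

```python
import struct

# Trailing bytes of the reply, exactly as quoted in the post.
REPLY_TAIL_HEX = "010400000000000515000000c2e8ba17c5dd9aa782f723e3"
# The int32 printed just before those bytes in the post.
PRECEDING_INT32 = 0x00000004

SID_MAX_SUB_AUTHORITIES = 15


def parse_sid(blob: bytes) -> str:
    """Decode a binary Windows SID into its S-R-A-S1-S2... string form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then `count`
    sub-authorities (4 bytes each, little-endian).
    """
    if len(blob) < 8:
        raise ValueError("too short for a SID header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unexpected SID revision %d" % revision)
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count %d out of range" % count)
    expected = 8 + 4 * count
    if len(blob) != expected:
        raise ValueError("length %d, expected %d" % (len(blob), expected))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def check_reply_tail(count_word: int, blob: bytes) -> str:
    """Parse blob as a SID and require the int32 in front of it to equal
    the SID's own sub-authority count (assumed to be the array count
    marshalled ahead of the SID in the reply)."""
    sid = parse_sid(blob)
    if count_word != blob[1]:
        raise ValueError("count word %d != sub-authority count %d"
                         % (count_word, blob[1]))
    return sid


if __name__ == "__main__":
    print(check_reply_tail(PRECEDING_INT32, bytes.fromhex(REPLY_TAIL_HEX)))
```

The quoted bytes parse cleanly as a revision 1 SID under authority 5 with four sub-authorities, the first of which is 21, and the length matches the count exactly.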
