unknown RPC opcodes during join+logon

Jim McDonough jmcd at us.ibm.com
Sat Jul 27 08:42:02 GMT 2002


Jean Francois Micouleau <Jean-Francois.Micouleau at dalalu.fr> wrote:
>uint32 ptr to struct (00 13 2b c8)
>uint16 info level (00 0c)
>uint16 of padding
>UNIHDR string 1 (byte length, byte length: 00 06, 00 08)
>uint32 ptr: 00 0f 4e 40
>UNIHDR string 2 (00 20, 00 22)
>uint32 ptr: 68 83 11 00
>UNIHDR string 3 (20 00, 22 00)
>uint32 ptr: 38 83 11 00
>don't know: 0f 64 ce f7  1d fe 30 45  8d f5 78 80  b3 a7 42 93
>uint32 ptr: e8 82 11 00
>UNISTR2: MCD
>padding
>UNISTR2: mcd.maine.rr.com
>UNISTR2: mcd.maine.rr.com
>SID: S-1-5-21-398125506-2811944389-3810785154
>uint32 status code

Ok, looks like we mostly agree, so the only thing I'd change on yours is:
- the long "don't know" is the domain GUID... I'm sure of this.

So why are there ptrs before two of the strings but not the first one?

I haven't gotten to others yet, but yes, SMBNT is a trusted NT4
domain....so that's a big hint on that RPC...

Thanks JF for your work here.  I'll probably leave it until Monday now.


----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
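
Added example (not part of the original thread, and not Samba code): a Python check of the two observations in this exchange. It decodes the 16 "don't know" bytes as a DCE/RPC wire-format GUID in both byte orders, and confirms the UNIHDR byte lengths against the UNISTR2 strings. The function and constant names are hypothetical; the byte values are copied from the quoted dump.

```python
import uuid

# Copied from the quoted dump: the 16 bytes labelled "don't know".
UNKNOWN_FIELD = bytes.fromhex("0f64cef7 1dfe3045 8df57880 b3a74293")

# (UNIHDR byte length, UNIHDR max byte length, UNISTR2 text) as listed in the dump.
UNIHDRS = [
    (0x06, 0x08, "MCD"),
    (0x20, 0x22, "mcd.maine.rr.com"),
    (0x20, 0x22, "mcd.maine.rr.com"),
]


def decode_ndr_guid(raw: bytes) -> uuid.UUID:
    """Decode 16 wire bytes as a DCE/RPC GUID (first three fields little-endian)."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes, got %d" % len(raw))
    return uuid.UUID(bytes_le=raw)


def guid_candidates(raw: bytes) -> dict:
    """Both byte-order readings, each with its RFC 4122 version (None if not RFC 4122)."""
    readings = {"ndr_le": decode_ndr_guid(raw), "big_endian": uuid.UUID(bytes=raw)}
    return {
        name: (str(g), g.version if g.variant == uuid.RFC_4122 else None)
        for name, g in readings.items()
    }


def unihdr_matches(length: int, max_length: int, text: str) -> bool:
    """True when the header's byte length equals the UTF-16LE size of the string."""
    return len(text.encode("utf-16-le")) == length and max_length >= length


if __name__ == "__main__":
    for name, (text, version) in guid_candidates(UNKNOWN_FIELD).items():
        print(name, text, "version", version)
    for length, max_length, text in UNIHDRS:
        print(repr(text), "header matches:", unihdr_matches(length, max_length, text))
```

The little-endian reading carries the RFC 4122 variant with version 4 (random), which is consistent with the field being a GUID; read big-endian, the same bytes give version 3.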





