unknown RPC opcodes during join+logon

Vijay Kota vijay at spinnakernet.com
Thu Sep 19 14:51:01 GMT 2002

I too think the algorithm is not the same since I implemented the RPC
using the same algorithm (cred_session_key() and cred_create(zerotime))
but got 0xC0000022. This was with a flags value of 0x0007FFFF. However,
the PDC returns STATUS_SUCCESS if flags = 0x000001FF. So the flags field
seems to be significant.

Strangely though, if I don't align after the challenge and push a
0x006B006B (or 0x0000006B) before the neg_flags (= 0x0007FFFF), I could
get it to work. I am not claiming that the preceding statement was very
logical :-)) but it would be great if someone could verify it and at
least disprove it.


-----Original Message-----
From: Luke Howard [mailto:lukeh at PADL.COM] 
Sent: Thursday, September 19, 2002 12:56 AM
To: lukeh at PADL.COM
Cc: vijay at spinnakernet.com; samba-technical at lists.samba.org
Subject: Re: unknown RPC opcodes during join+logon

>The return code always follows the last top-level [out] value, but
>is an additional [out] ULONG in NetrServerAuthenticate3.
>The algorithm for calculating credentials is the same.

Actually, I'm no longer sure this is the case. It seems that the
algorithm for NetrServerAuthenticate3 is the same if the client
thinks the domain is an NT4 domain (in which case it talks to it
over SMB), but it looks like the algorithm is different in a 
Windows 2000 domain (where the RPC is made over ncacn_ip_tcp),
as unlikely as this seems (given they are the same RPC). Note
that the flags are ostensibly irrelevant, because the client
sends the authenticator before it receives the flags from the

-- Luke

Luke Howard | PADL Software Pty Ltd | www.padl.com

More information about the samba-technical mailing list