unknown RPC opcodes during join+logon
rsharpe at ns.aus.com
Fri Sep 20 00:47:32 GMT 2002
On Thu, 19 Sep 2002, Vijay Kota wrote:
> I too think the algorithm is not the same since I implemented the RPC
> using the same algorithm (cred_session_key() and cred_create(zerotime))
> but got 0xC0000022. This was with a flags value of 0x0007FFFF. However,
> the PDC returns STATUS_SUCCESS if flags = 0x000001FF. So the flags field
> seems to be significant.
Hang on. Here, you are saying that you implemented the server side of
ServerAuthenticate3 and generated the response.
> Strangely though, if I don't align after the challenge and push a
> 0x006B006B (or 0x0000006B) before the neg_flags (= 0x0007FFFF), I could
> get it to work. I am not claiming that the preceding statement was very
> logical :-)) but it would be great if someone could verify it and at
> least disprove it.
Are you saying you had to push this into the response?
In the trace I have, Ethereal dissects the response as (courtesy of
Credentials (via a pointer) 8 bytes
Flags, in this case 0x0007ffff
Unknown UINT32: 0x00000452
Status: SS_SUCCESS (0)
And the flags are properly aligned.
> -----Original Message-----
> From: Luke Howard [mailto:lukeh at PADL.COM]
> Sent: Thursday, September 19, 2002 12:56 AM
> To: lukeh at PADL.COM
> Cc: vijay at spinnakernet.com; samba-technical at lists.samba.org
> Subject: Re: unknown RPC opcodes during join+logon
> >The return code always follows the last top-level [out] value, but
> >is an additional [out] ULONG in NetrServerAuthenticate3.
> >The algorithm for calculating credentials is the same.
> Actually, I'm no longer sure this is the case. It seems that the
> algorithm for NetrServerAuthenticate3 is the same if the client
> thinks the domain is an NT4 domain (in which case it talks to it
> over SMB), but it looks like the algorithm is different in a
> Windows 2000 domain (where the RPC is made over ncacn_ip_tcp),
> as unlikely as this seems (given they are the same RPC). Note
> that the flags are ostensibly irrelevant, because the client
> sends the authenticator before it receives the flags from the
> -- Luke
> Luke Howard | PADL Software Pty Ltd | www.padl.com
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
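The response layout from the Ethereal dissection in the message above, written out as a strict parser. This is an added example, not code from the thread or from Samba. It assumes little-endian NDR with the 8-byte credential carried inline (no referent id); the function names and the sample bytes are constructed for illustration.

```python
import struct

# Layout follows the Ethereal dissection quoted above. Assumptions: little-endian
# NDR, and the 8-byte credential sits inline with no referent id before it.
FIELDS = (("credential", "8s"), ("flags", "I"), ("unknown", "I"), ("status", "I"))
NT_STATUS = {0x00000000: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED"}


def ndr_align(offset, size):
    """Round offset up to a multiple of size (NDR aligns a ULONG to 4)."""
    return (offset + size - 1) & ~(size - 1)


def field_offsets():
    """Return {name: offset} with NDR alignment applied before each field."""
    offsets, pos = {}, 0
    for name, fmt in FIELDS:
        size = struct.calcsize("<" + fmt)
        pos = ndr_align(pos, 4 if fmt == "I" else 1)
        offsets[name] = pos
        pos += size
    offsets["end"] = pos
    return offsets


def parse_response(stub):
    """Decode the response stub; reject any length other than the expected one."""
    offs = field_offsets()
    if len(stub) != offs["end"]:
        raise ValueError(f"stub is {len(stub)} bytes, layout needs {offs['end']}")
    out = {}
    for name, fmt in FIELDS:
        (out[name],) = struct.unpack_from("<" + fmt, stub, offs[name])
    out["status_name"] = NT_STATUS.get(out["status"], hex(out["status"]))
    return out


# Constructed sample: zeroed credential, then the flags, unknown value and
# status from the trace described in the message.
SAMPLE = bytes(8) + struct.pack("<III", 0x0007FFFF, 0x00000452, 0)

if __name__ == "__main__":
    print(field_offsets())
    print(parse_response(SAMPLE))
```

Because the credential is 8 bytes long, the flags already start on a 4-byte boundary at offset 8, so no padding is needed there; a stub carrying an extra 32-bit value is 24 bytes and is rejected by the length check.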