unknown RPC opcodes during join+logon

Vijay Kota vijay at spinnakernet.com
Fri Sep 20 00:47:58 GMT 2002

Yes.. the alignment is *after* the credential. You can look at the
even.cap trace I mailed earlier. Stub data begins at 0x4E and the
credential blob starts at 0xE0 (ie. 0x92 bytes away).

To answer Jean's question, odd/even refer to the Netbios name
without the null character. So, in odd.cap, the win2k client
sends 7 and 6 (= sizeof("FUBAR")) as the lengths. In even.cap,
the client sends 8 and 7. Samba sends the same lengths as the
win2k client.

One difference is that Samba uses SMBTrans as the RPC transport
but I doubt that this is significant.

-----Original Message-----
From: Richard Sharpe [mailto:rsharpe at ns.aus.com] 
Sent: Thursday, September 19, 2002 8:05 PM
To: Jean Francois Micouleau
Cc: Vijay Kota; samba-technical at lists.samba.org
Subject: RE: unknown RPC opcodes during join+logon

On Fri, 20 Sep 2002, Jean Francois Micouleau wrote:

> On Fri, 20 Sep 2002, Richard Sharpe wrote:
> > On Thu, 19 Sep 2002, Vijay Kota wrote:
> >
> > > I am attaching the traces for 2 clients - FUBAR and FOOBAR.
> >
> > OK, thanks for that, but there is insufficient info in just two
packets to
> > allow Ethereal to dissect all the stuff in there.
> >
> > That makes it difficult to see what is going on.
> I would say it's enough.
> vijay, I guess the odd/even name are unicode strings. What are the
> string length values W2K is sending and what samba is sending ?
> if there is an alignment bug it's before the credential blob.

Hmmm, having looked at my trace of a WinXP client calling 
ServerAuthenticate3, the alignment bytes are after the

Either than, or Ethereal is wrong in the dissection I have.

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com

More information about the samba-technical mailing list