Parsing a NetLogon exchange.

Christopher R. Hertel crh at
Thu Aug 5 23:29:24 MDT 2010

I am working on a side project that has me trying to decipher a NetLogon
exchange.  I understand that RPCs on the NetLogon pipe are (at least
partially) encrypted, but some of the information is visible.

How do I know whether the credentials presented by the client were accepted
(successful authentication) or rejected?

It looks to me as though the server is returning success, because there is a
roughly 6K blob that is read from the named pipe.  I'm assuming that this
blob is the authorization information that the DC sends back to the server,
and that the server uses in order to determine what it is that the client
may access.  As I understand it, that information would not be returned if
the authentication failed.

The thing is, the server implementation that I'm studying returns Bad
Password to the client.  If I'm right that the authorization information is
only returned by the DC if authentication is successful, then there must be
something in the authorization information that is causing access to be denied.

Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at

More information about the samba-technical mailing list