about FRS: some help is required to solve problems when generating packets

Matthieu Patou mat at samba.org
Sun Jul 31 15:25:16 MDT 2011 

Hello,

I've been working a bit on FRS today.

I just came to the point where a W2K3R2 server wants to send a 
StartPromotionParent to a Samba server.
The biggest problem I came across is the MGMT rpc, it appear that before 
connecting to the FRS endpoint windows search for a principal.

I had to make the dissector for MGMT in wireshark in order to make it 
easier to debug.


The initial IDL is like this

         WERROR mgmt_inq_princ_name (
                 [in]        uint32                  authn_proto,
                 [in]        uint32                  princ_name_size,
                 [out]       uint32                  size,
                 [out]       
[string,size_of(princ_name_size),charset(DOS)] uint8 princ_name[]
                 );
}
and it produce packet like frame 40 in frs_replication3.

On the Windows side I kept getting error like:
<NtFrsApi_Rpc_BindEx:           3132:  1288: S0: 00:01:49> ++ ERROR - 
Inq PrincName for ares.home.matws.net;  WStatus: 1783-???
<RcsCreateSeedingCxtion:        3132:  7096: S0: 00:01:49> ERROR - 
binding  WStatus: 1783-???

I watched the capture of metze related to windows to windows DC promo 
and see that the frame was very similar just that windows use the 
princ_name_size as the max size of the string.

So I started to tweak the IDL to finaly have something like that:

         WERROR mgmt_inq_princ_name (
                 [in]        uint32                  authn_proto,
                 [in]        uint32                  princ_name_size,
                 [out]       uint32                  size,
                 [out]       [string,charset(DOS)] uint8 princ_name[256]
                 );
}

By doing so I'm able to have a packet like the 91th in frs_replication4, 
and this time windows was happy has it decided to go further.

Next step is not 100% clear. Either I work on Wireshark dissectors for 
FRS or I work on having a stub FRS server so that Windows server can 
actually think they have replicated and so start netlogon.

Any comments ?

Matthieu.



-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary


-------------- next part --------------
A non-text attachment was scrubbed...
Name: frs_replication4
Type: application/octet-stream
Size: 31749 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110801/84a7e576/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: frs_replication3
Type: application/octet-stream
Size: 7218 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110801/84a7e576/attachment-0001.obj>

More information about the samba-technical mailing list