Total dcerpc response payload more than 0x400000

Andrew Bartlett abartlet at
Fri Jun 17 01:11:14 UTC 2016

On Fri, 2016-06-03 at 03:16 +0300, Evgeny Sinelnikov wrote:
> Hello,
> during join Samba DC (version 4.4.3) into existing Windows domain ()
> we got next problem:
> ...
> Replicated 72 objects (12 linked attributes) for DC=xx,DC=xxx,DC=ru
> Unexpected total payload 0x4010E0 > 0x400000 dcerpc response
> ERROR(runtime): uncaught exception - (-1073610723, 'An RPC protocol
> error occurred.')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/",
> line 175, in _run
>     return*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/",
> line 651, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
>   File "/usr/lib64/python2.7/site-packages/samba/", line 1192,
> in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python2.7/site-packages/samba/", line 1096,
> in do_join
>     ctx.join_replicate()
>   File "/usr/lib64/python2.7/site-packages/samba/", line 838,
> in join_replicate
>     replica_flags=ctx.domain_replica_flags)
>   File "/usr/lib64/python2.7/site-packages/samba/", line
> 253, in replicate
>     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle,
> req_level, req)
> checking sAMAccountName
> ...
> After some search queries, we found next links:
> -
> -
> services/samba36/patches/022-CVE-2015-5370-v3-6.patch
> So we could think, that constant
> DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
> is not absolutelly right.
> It would be correct to simply increase this constant?


I totally agree.  Thanks for filing the bug about this, as this is a
serious regression in the DRS replication case.

What happens here is that we stop being able to replicate in any domain
where an object is more than 4MB, or indeed any domains where each
object is more than 10k on average, which will break on say a domain
with a jpegPhoto.  Indeed, a jpegPhoto of 4MB is not unreasonable to
expect, given the default from a camera these days.

We need to remove this limit, or change it to more like 240MB (talloc
won't allocate larger the 256MB at the moment). 

The limit makes sense thought of from the context of simple
administrative calls, but it is also used for bulk data transport,
server->client.  I've not changed the client->server direction, but I
have heard of spoolss calls where the windows client would send over
16MB of zeros in a in/out buffer, so we may need to fix that also. 

Also, at the point when we get this, if the connection is
authenticated, then the authentication has been checked, and the packet
is already in memory, so we can be generous here.

Metze: Can you please ACK this change?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-librpc-Change-the-RPC-client-lib-to-permit-larger.patch
Type: text/x-patch
Size: 2258 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list