[Samba] Please help me decipher a two-packet NetBT conversation...

David Black dave at jamsoft.com
Thu Jan 20 16:33:36 GMT 2005


My clients are Windows XP SP1 and SP2, members of a Samba-PDC NT domain 
(tested 3.0.7 and 3.0.10, same result).    Attached is ethereal output 
of a two packet client-server exchange that takes place when an offline 
files sync is done.   SP1 quickly does this exchange twice - first 
broadcast, then unicast (as attached) and goes on its way.  SP2 tries, 
pauses many seconds, tries again, finally giving up and completing the sync.

Basically the client is attempting a SAM logon request with an empty 
user name.  Samba responds with user unknown.   Even at high log levels, 
I get nothing in the Samba logs.   I found one other reference to this 
sort of issue, on an earlier Samba list post in 2002, then a follow-up 
in 8/04, both unanswered.

I'd be happy to look at the Samba code to better understand how/why this 
is happening, but don't know where to start.  Advice is much appreciated.

Regards,
David Black
-------------- next part --------------
No.     Time            Source                Destination           Protocol Info
   4191 14:45:44.739000 dblack-pc.magnalynx.com ha1.magnalynx.com     NETLOGON SAM LOGON request from client

Frame 4191 (281 bytes on wire, 281 bytes captured)
    Arrival Time: Jan 19, 2005 14:45:44.739000000
    Time delta from previous packet: 0.000003000 seconds
    Time since reference or first frame: 1238.005492000 seconds
    Frame Number: 4191
    Packet Length: 281 bytes
    Capture Length: 281 bytes
Ethernet II, Src: 00:0d:60:af:59:fc, Dst: 00:0d:60:0f:01:d6
    Destination: 00:0d:60:0f:01:d6 (ha1.magnalynx.com)
    Source: 00:0d:60:af:59:fc (dblack-pc.magnalynx.com)
    Type: IP (0x0800)
Internet Protocol, Src Addr: dblack-pc.magnalynx.com (192.168.10.151), Dst Addr: ha1.magnalynx.com (192.168.10.230)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 267
    Identification: 0x31b6 (12726)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x715e (correct)
    Source: dblack-pc.magnalynx.com (192.168.10.151)
    Destination: ha1.magnalynx.com (192.168.10.230)
User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138)
    Source port: netbios-dgm (138)
    Destination port: netbios-dgm (138)
    Length: 247
    Checksum: 0x7e57 (correct)
NetBIOS Datagram Service
    Message Type: Direct_group datagram (17)
    More fragments follow: No
    This is first fragment: Yes
    Node Type: P node (1)
    Datagram ID: 0x8022
    Source IP: dblack-pc.magnalynx.com (192.168.10.151)
    Source Port: 138
    Datagram length: 225 bytes
    Packet offset: 0 bytes
    Source name: DBLACK-PC<00> (Workstation/Redirector)
    Destination name: MAGNALYNX<1c> (Domain Controllers)
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Trans (0x25)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x00
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 0... = Case Sensitivity: Path names are case sensitive
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0x0000
            0... .... .... .... = Unicode Strings: Strings are ASCII
            .0.. .... .... .... = Error Code Type: Error codes are DOS error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 0
        User ID: 0
        Multiplex ID: 0
    Trans Request (0x25)
        Word Count (WCT): 17
        Total Parameter Count: 0
        Total Data Count: 65
        Max Parameter Count: 0
        Max Data Count: 0
        Max Setup Count: 0
        Reserved: 00
        Flags: 0x0000
            .... .... .... ..0. = One Way Transaction: Two way transaction
            .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
        Timeout: 1 second
        Reserved: 0000
        Parameter Count: 0
        Parameter Offset: 0
        Data Count: 65
        Data Offset: 92
        Setup Count: 3
        Reserved: 00
        Byte Count (BCC): 88
        Transaction Name: \MAILSLOT\NET\NETLOGON
SMB MailSlot Protocol
    Opcode: Write Mail Slot (1)
    Priority: 1
    Class: Unreliable & Broadcast (2)
    Size: 88
    Mailslot Name: \MAILSLOT\NET\NETLOGON
Microsoft Windows Logon Protocol
    Command: SAM LOGON request from client (0x12)
    Request Count: 0
    Unicode Computer Name: DBLACK-PC
    User Name: 
    Mailslot Name: \MAILSLOT\NET\GETDC808
    Account control  = 0x0000
        .... .... .... .... .... .0.. .... .... = Autolock: User account NOT auto-locked
        .... .... .... .... .... ..0. .... .... = Expire: User password will expire
        .... .... .... .... .... ...0 .... .... = Server Trust: NOT a Server Trust user account
        .... .... .... .... .... .... 0... .... = Workstation Trust: NOT a Workstation Trust user account
        .... .... .... .... .... .... .0.. .... = Interdomain Trust: NOT a Inter-domain Trust user account
        .... .... .... .... .... .... ..0. .... = MNS User: NOT a MNS Logon user account
        .... .... .... .... .... .... ...0 .... = Normal User: NOT a normal user account
        .... .... .... .... .... .... .... 0... = Temp Duplicate User: NOT a temp duplicate user account
        .... .... .... .... .... .... .... .0.. = Password: Password required
        .... .... .... .... .... .... .... ..0. = Homedir: Homedir required
        .... .... .... .... .... .... .... ...0 = Enabled: User account disabled
    Domain SID Size: 0
    NT Version: 11
    LMNT Token: 0xffff (Windows NT Networking)
    LM20 Token: 0xffff (LanMan 2.0 or higher)

No.     Time            Source                Destination           Protocol Info
   4192 14:45:44.739035 ha1.magnalynx.com     dblack-pc.magnalynx.com NETLOGON SAM Response - user unknown

Frame 4192 (260 bytes on wire, 260 bytes captured)
    Arrival Time: Jan 19, 2005 14:45:44.739035000
    Time delta from previous packet: 0.000035000 seconds
    Time since reference or first frame: 1238.005527000 seconds
    Frame Number: 4192
    Packet Length: 260 bytes
    Capture Length: 260 bytes
Ethernet II, Src: 00:0d:60:0f:01:d6, Dst: 00:0d:60:af:59:fc
    Destination: 00:0d:60:af:59:fc (dblack-pc.magnalynx.com)
    Source: 00:0d:60:0f:01:d6 (ha1.magnalynx.com)
    Type: IP (0x0800)
Internet Protocol, Src Addr: ha1.magnalynx.com (192.168.10.230), Dst Addr: dblack-pc.magnalynx.com (192.168.10.151)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 246
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xa329 (correct)
    Source: ha1.magnalynx.com (192.168.10.230)
    Destination: dblack-pc.magnalynx.com (192.168.10.151)
User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138)
    Source port: netbios-dgm (138)
    Destination port: netbios-dgm (138)
    Length: 226
    Checksum: 0xc68f (correct)
NetBIOS Datagram Service
    Message Type: Direct_unique datagram (16)
    More fragments follow: No
    This is first fragment: Yes
    Node Type: M node (2)
    Datagram ID: 0x1978
    Source IP: ha1.magnalynx.com (192.168.10.230)
    Source Port: 138
    Datagram length: 204 bytes
    Packet offset: 0 bytes
    Source name: PDC<00> (Workstation/Redirector)
    Destination name: DBLACK-PC<00> (Workstation/Redirector)
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Trans (0x25)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x00
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 0... = Case Sensitivity: Path names are case sensitive
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0x0000
            0... .... .... .... = Unicode Strings: Strings are ASCII
            .0.. .... .... .... = Error Code Type: Error codes are DOS error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 0
        User ID: 0
        Multiplex ID: 0
    Trans Request (0x25)
        Word Count (WCT): 17
        Total Parameter Count: 0
        Total Data Count: 44
        Max Parameter Count: 0
        Max Data Count: 0
        Max Setup Count: 0
        Reserved: 00
        Flags: 0x0000
            .... .... .... ..0. = One Way Transaction: Two way transaction
            .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
        Timeout: Return immediately (0)
        Reserved: 0000
        Parameter Count: 0
        Parameter Offset: 0
        Data Count: 44
        Data Offset: 92
        Setup Count: 3
        Reserved: 00
        Byte Count (BCC): 67
        Transaction Name: \MAILSLOT\NET\GETDC808
SMB MailSlot Protocol
    Opcode: Write Mail Slot (1)
    Priority: 1
    Class: Unreliable & Broadcast (2)
    Size: 67
    Mailslot Name: \MAILSLOT\NET\GETDC808
Microsoft Windows Logon Protocol
    Command: SAM Response - user unknown (0x15)
    Data (42 bytes)


More information about the samba mailing list