[Samba] Please help me decipher a two-packet NetBT conversation...
David Black
dave at jamsoft.com
Thu Jan 20 16:33:36 GMT 2005
My clients are Windows XP SP1 and SP2, members of a Samba-PDC NT domain
(tested 3.0.7 and 3.0.10, same result). Attached is ethereal output
of a two packet client-server exchange that takes place when an offline
files sync is done. SP1 quickly does this exchange twice - first
broadcast, then unicast (as attached) and goes on its way. SP2 tries,
pauses many seconds, tries again, finally giving up and completing the sync.
Basically the client is attempting a SAM logon request with an empty
user name. Samba responds with user unknown. Even at high log levels,
I get nothing in the Samba logs. I found one other reference to this
sort of issue, on an earlier Samba list post in 2002, then a follow-up
in 8/04, both unanswered.
I'd be happy to look at the Samba code to better understand how/why this
is happening, but don't know where to start. Advice is much appreciated.
Regards,
David Black
-------------- next part --------------
No. Time Source Destination Protocol Info
4191 14:45:44.739000 dblack-pc.magnalynx.com ha1.magnalynx.com NETLOGON SAM LOGON request from client
Frame 4191 (281 bytes on wire, 281 bytes captured)
Arrival Time: Jan 19, 2005 14:45:44.739000000
Time delta from previous packet: 0.000003000 seconds
Time since reference or first frame: 1238.005492000 seconds
Frame Number: 4191
Packet Length: 281 bytes
Capture Length: 281 bytes
Ethernet II, Src: 00:0d:60:af:59:fc, Dst: 00:0d:60:0f:01:d6
Destination: 00:0d:60:0f:01:d6 (ha1.magnalynx.com)
Source: 00:0d:60:af:59:fc (dblack-pc.magnalynx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: dblack-pc.magnalynx.com (192.168.10.151), Dst Addr: ha1.magnalynx.com (192.168.10.230)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 267
Identification: 0x31b6 (12726)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x715e (correct)
Source: dblack-pc.magnalynx.com (192.168.10.151)
Destination: ha1.magnalynx.com (192.168.10.230)
User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138)
Source port: netbios-dgm (138)
Destination port: netbios-dgm (138)
Length: 247
Checksum: 0x7e57 (correct)
NetBIOS Datagram Service
Message Type: Direct_group datagram (17)
More fragments follow: No
This is first fragment: Yes
Node Type: P node (1)
Datagram ID: 0x8022
Source IP: dblack-pc.magnalynx.com (192.168.10.151)
Source Port: 138
Datagram length: 225 bytes
Packet offset: 0 bytes
Source name: DBLACK-PC<00> (Workstation/Redirector)
Destination name: MAGNALYNX<1c> (Domain Controllers)
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Trans (0x25)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 0... = Case Sensitivity: Path names are case sensitive
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0x0000
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 0
Process ID: 0
User ID: 0
Multiplex ID: 0
Trans Request (0x25)
Word Count (WCT): 17
Total Parameter Count: 0
Total Data Count: 65
Max Parameter Count: 0
Max Data Count: 0
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: 1 second
Reserved: 0000
Parameter Count: 0
Parameter Offset: 0
Data Count: 65
Data Offset: 92
Setup Count: 3
Reserved: 00
Byte Count (BCC): 88
Transaction Name: \MAILSLOT\NET\NETLOGON
SMB MailSlot Protocol
Opcode: Write Mail Slot (1)
Priority: 1
Class: Unreliable & Broadcast (2)
Size: 88
Mailslot Name: \MAILSLOT\NET\NETLOGON
Microsoft Windows Logon Protocol
Command: SAM LOGON request from client (0x12)
Request Count: 0
Unicode Computer Name: DBLACK-PC
User Name:
Mailslot Name: \MAILSLOT\NET\GETDC808
Account control = 0x0000
.... .... .... .... .... .0.. .... .... = Autolock: User account NOT auto-locked
.... .... .... .... .... ..0. .... .... = Expire: User password will expire
.... .... .... .... .... ...0 .... .... = Server Trust: NOT a Server Trust user account
.... .... .... .... .... .... 0... .... = Workstation Trust: NOT a Workstation Trust user account
.... .... .... .... .... .... .0.. .... = Interdomain Trust: NOT a Inter-domain Trust user account
.... .... .... .... .... .... ..0. .... = MNS User: NOT a MNS Logon user account
.... .... .... .... .... .... ...0 .... = Normal User: NOT a normal user account
.... .... .... .... .... .... .... 0... = Temp Duplicate User: NOT a temp duplicate user account
.... .... .... .... .... .... .... .0.. = Password: Password required
.... .... .... .... .... .... .... ..0. = Homedir: Homedir required
.... .... .... .... .... .... .... ...0 = Enabled: User account disabled
Domain SID Size: 0
NT Version: 11
LMNT Token: 0xffff (Windows NT Networking)
LM20 Token: 0xffff (LanMan 2.0 or higher)
No. Time Source Destination Protocol Info
4192 14:45:44.739035 ha1.magnalynx.com dblack-pc.magnalynx.com NETLOGON SAM Response - user unknown
Frame 4192 (260 bytes on wire, 260 bytes captured)
Arrival Time: Jan 19, 2005 14:45:44.739035000
Time delta from previous packet: 0.000035000 seconds
Time since reference or first frame: 1238.005527000 seconds
Frame Number: 4192
Packet Length: 260 bytes
Capture Length: 260 bytes
Ethernet II, Src: 00:0d:60:0f:01:d6, Dst: 00:0d:60:af:59:fc
Destination: 00:0d:60:af:59:fc (dblack-pc.magnalynx.com)
Source: 00:0d:60:0f:01:d6 (ha1.magnalynx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: ha1.magnalynx.com (192.168.10.230), Dst Addr: dblack-pc.magnalynx.com (192.168.10.151)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 246
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xa329 (correct)
Source: ha1.magnalynx.com (192.168.10.230)
Destination: dblack-pc.magnalynx.com (192.168.10.151)
User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138)
Source port: netbios-dgm (138)
Destination port: netbios-dgm (138)
Length: 226
Checksum: 0xc68f (correct)
NetBIOS Datagram Service
Message Type: Direct_unique datagram (16)
More fragments follow: No
This is first fragment: Yes
Node Type: M node (2)
Datagram ID: 0x1978
Source IP: ha1.magnalynx.com (192.168.10.230)
Source Port: 138
Datagram length: 204 bytes
Packet offset: 0 bytes
Source name: PDC<00> (Workstation/Redirector)
Destination name: DBLACK-PC<00> (Workstation/Redirector)
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Trans (0x25)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 0... = Case Sensitivity: Path names are case sensitive
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0x0000
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 0
Process ID: 0
User ID: 0
Multiplex ID: 0
Trans Request (0x25)
Word Count (WCT): 17
Total Parameter Count: 0
Total Data Count: 44
Max Parameter Count: 0
Max Data Count: 0
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 0
Parameter Offset: 0
Data Count: 44
Data Offset: 92
Setup Count: 3
Reserved: 00
Byte Count (BCC): 67
Transaction Name: \MAILSLOT\NET\GETDC808
SMB MailSlot Protocol
Opcode: Write Mail Slot (1)
Priority: 1
Class: Unreliable & Broadcast (2)
Size: 67
Mailslot Name: \MAILSLOT\NET\GETDC808
Microsoft Windows Logon Protocol
Command: SAM Response - user unknown (0x15)
Data (42 bytes)
More information about the samba
mailing list