donp_at_NetworkHorizons.com
Date: Tue Feb 18 2003 - 08:14:38 CST


    A mailslot\net\ntlogon Netlogon SAM Logon Request From Client command is used to
    get the name of a dc for a domain. The client must present the correct SID and
    define the type of login via the Allowable Account Control bits, i.e. Workstation
    Trust user account. It will also submit its trusted machine name as user name,
    i.e. machine$. If the machine is trusted by the NT4-compatible domain, the
    response will contain a 13 command - Netlogon SAM Response to SAM Logon Request
    containing the machine name of the responding controller. If it is not, it will
    receive a 15 command - Netlogon SAM Response when user is unknown. It's toast at
    this point.

    ----- Original Message -----
    From: "Christopher R. Hertel" <crh@NTS.UMN.EDU>
    To: <CIFS@DISCUSS.MICROSOFT.COM>
    Sent: Monday, February 17, 2003 5:11 PM
    Subject: Re: SMB netlogon

    On Sun, 16 Feb 2003 16:58:19 -0500, Ravi Noakes <ravishankar145@HOTMAIL.COM>
    wrote:

    > I was wondering if somebody can give me some advice on what is happening
    > with the following packet.

    It would really help if you could provide more information with such
    questions. E.g., which port number you are using (so we can tell if it's
    Datagram or Session service).

    > I think that a client machine is using a
    > mailslot\net\netlogon command to get the name of a dc for a domain, as I
    > am new to SMB could somebody please advise

    Since it has both an NBT header and an SMB payload, it must be a datagram
    packet. That's port 138. We can verify by breaking it down.

    >10 1A 80 04 C1 3F 81 BC 00 8A 00 E2 00 00 20 45 .....?........ E
     10 = DIRECT_UNIQUE DATAGRAM
        1A = This has me confused. The upper nibble of this field is supposed
             to be unused (RFC1002).
             The lower nibble indicates that the node is an M node and this is
             the first packet with none to follow. Hmmm...
              What kind of client are you using? It *may* be that the 0x1A
              value indicates an off-by-one error in the construction of that
              field of the packet. It's likely an H node...
           80 04 = Packet ID 32772.
                 C1 3F 81 BC = IP address. Hmmm... you're in the UK.
                             00 8A = Source port: 138
                                     Looks like a Windows client. Which
                                     version? (I'd love to catch that
                                     off-by-one error.)
                                   00 E2 = Datagram Length (226)
                                         00 00 = Packet offset (0, which is
                                                 correct).
                                               20 45 = Start of the source
                                                       NetBIOS name.
                                                       (J4-ITRL-15 <00>)

    >4B 44 45 43 4E 45 4A 46 45 46 43 45 4D 43 4E 44 KDECNEJFEFCEMCND
    >42 44 46 43 41 43 41 43 41 43 41 43 41 41 41 00 BDFCACACACACAAA.
    >20 46 44 45 50 45 44 46 50 46 44 45 46 45 44 46 FDEPEDFPFDEFEDF
    >46 46 43 45 4A 46 45 46 4A 43 41 43 41 43 41 42 FFCEJFEFJCACACAB
    >4C 00 FF 53 4D 42 25 00 00 00 00 18 03 00 00 00 L..SMB%.........
    >00 00 00 00 00 00 00 00 00 00 00 00 FE CA 00 00 ................
    >00 00 11 00 00 42 00 02 00 00 00 00 00 02 00 FF .....B..........
    >FF FF FF 00 00 00 00 5C 00 42 00 5C 00 03 00 01 .......\.B.\....
    >00 00 00 02 00 59 00 5C 4D 41 49 4C 53 4C 4F 54 .....Y.\MAILSLOT
    >5C 4E 45 54 5C 4E 45 54 4C 4F 47 4F 4E 00 07 00 \NET\NETLOGON...
    >4A 34 2D 49 54 52 4C 2D 31 35 00 5C 4D 41 49 4C J4-ITRL-15.\MAIL
    >53 4C 4F 54 5C 4E 45 54 5C 47 45 54 44 43 37 38 SLOT\NET\GETDC78
    >35 00 4A 00 34 00 2D 00 49 00 54 00 52 00 4C 00 5.J.4.-.I.T.R.L.
    >2D 00 31 00 35 00 00 00 01 00 00 00 FF FF FF FF -.1.5...........

    So now you need to start digging into mailslot service. I don't know
    specifically what this call does, but I wanted to clear up that it is a
    datagram service message, even though it contains an SMB packet. That's
    not uncommon.

    Also, I note (from decoding the packet) that the destination is
    SOC_SECURITY <1B>. The <1B> name is the Domain Master Browser, but if
    you are using a Windows DMB then it will also be the PDC.

    References: http://ubiqx.org/cifs/NetBIOS.html#NBT.5.3
                http://ubiqx.org/cifs/Appendix-C.html

    Chris -)-----

    ----------------------------------------------------------------
    Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
    contains important info including how to unsubscribe. Save time, search
    the archives at http://discuss.microsoft.com/archives/index.html

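Chris's byte-by-byte walk of the header, the two encoded names and the mailslot transaction can be checked mechanically. The Python below is added here as an editor's example; it is not code from any message in the thread. It rebuilds the 240 bytes of the quoted dump (the 15 dump lines, which add up exactly to the 14-byte header plus the DGM_LENGTH of 226), parses the RFC 1002 datagram header, decodes both first-level encoded NetBIOS names, walks the SMB_COM_TRANSACTION mailslot write, and decodes the Netlogon body. Field layouts follow RFC 1002, MS-CIFS and MS-ADTS; the function names and dictionary keys are my own. One thing the decode shows that the thread does not spell out: the first two bytes of the mailslot data are 07 00, which the MS-ADTS opcode table names LOGON_PRIMARY_QUERY (the GETDC response mailslot carried in the payload fits that), while the SAM logon request described at the top of the thread is opcode 0x12 in the same table.

```python
import struct

# The datagram quoted in the thread, reconstructed from its 15 hex-dump lines.
# 14-byte header + DGM_LENGTH 226 = 240 bytes, so the quoted dump is complete.
PACKET = bytes.fromhex(
    "101A8004C13F81BC008A00E200002045" "4B4445434E454A46454643454D434E44"
    "42444643414341434143414341414100" "20464445504544465046444546454446"
    "464643454A4645464A43414341434142" "4C00FF534D4225000000001803000000"
    "000000000000000000000000FECA0000" "000011000042000200000000000200FF"
    "FFFFFF000000005C0042005C00030001" "000000020059005C4D41494C534C4F54"
    "5C4E45545C4E45544C4F474F4E000700" "4A342D4954524C2D3135005C4D41494C"
    "534C4F545C4E45545C47455444433738" "35004A0034002D004900540052004C00"
    "2D0031003500000001000000FFFFFFFF"
)

# RFC 1002 SNT (source node type) bits; 0b11 is NBDD in the RFC, H node in practice.
NODE_TYPES = {0: "B", 1: "P", 2: "M", 3: "NBDD/H"}
# Netlogon mailslot opcodes as named in MS-ADTS.
NETLOGON_OPCODES = {0x07: "LOGON_PRIMARY_QUERY", 0x0C: "LOGON_PRIMARY_RESPONSE",
                    0x12: "LOGON_SAM_LOGON_REQUEST", 0x13: "LOGON_SAM_LOGON_RESPONSE",
                    0x15: "LOGON_SAM_USER_UNKNOWN"}


def decode_nbt_name(data, off):
    """Decode a length-prefixed, first-level encoded NBT name -> (name, suffix, scope, next_off)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n])
        off += n
    enc = labels[0]
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    # Each pair of letters 'A'..'P' carries one byte: high nibble, then low nibble.
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    scope = ".".join(label.decode("ascii") for label in labels[1:])
    return raw[:15].decode("ascii").rstrip(" "), raw[15], scope, off


def parse_datagram(pkt):
    """Parse the RFC 1002 datagram header (14 bytes, big-endian) and the two NBT names."""
    msg_type, flags, dgm_id, ip, port, length, offset = struct.unpack(">BBH4sHHH", pkt[:14])
    if len(pkt) != 14 + length:
        raise ValueError("DGM_LENGTH %d does not match %d captured bytes" % (length, len(pkt) - 14))
    src, src_sfx, _, off = decode_nbt_name(pkt, 14)
    dst, dst_sfx, _, off = decode_nbt_name(pkt, off)
    return {
        "msg_type": msg_type,            # 0x10 = DIRECT_UNIQUE DATAGRAM
        "reserved_nibble": flags >> 4,   # should be 0 per RFC 1002; reported, not rejected
        "node": NODE_TYPES[(flags >> 2) & 3],
        "first": bool(flags & 2), "more": bool(flags & 1),
        "dgm_id": dgm_id, "src_ip": ".".join(str(b) for b in ip), "src_port": port,
        "packet_offset": offset,
        "src_name": (src, src_sfx), "dst_name": (dst, dst_sfx),
        "user_data": off,                # offset of the SMB payload
    }


def _cstr(data, off):
    end = data.index(b"\x00", off)
    return data[off:end].decode("ascii"), end + 1


def _wstr(data, off):
    end = off
    while data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le"), end + 2


def parse_mailslot_write(pkt, smb_off):
    """Parse an SMB_COM_TRANSACTION carrying a TRANS_MAILSLOT_WRITE (MS-CIFS layout)."""
    if pkt[smb_off:smb_off + 4] != b"\xffSMB" or pkt[smb_off + 4] != 0x25:
        raise ValueError("not an SMB_COM_TRANSACTION request")
    word_count = pkt[smb_off + 32]
    words = pkt[smb_off + 33:smb_off + 33 + 2 * word_count]
    # 14 fixed little-endian fields (28 bytes), then SetupCount setup words.
    fields = struct.unpack("<HHHHBBHIHHHHHBB", words[:28])
    data_count, data_off, setup_count = fields[11], fields[12], fields[13]
    setup = struct.unpack("<%dH" % setup_count, words[28:28 + 2 * setup_count])
    name_off = smb_off + 33 + 2 * word_count + 2          # skip ByteCount
    mailslot, _ = _cstr(pkt, name_off)
    data = pkt[smb_off + data_off:smb_off + data_off + data_count]
    return {"mailslot": mailslot, "setup": setup, "data": data}  # setup = (subcommand, priority, class)


def parse_netlogon(data):
    """Decode the Netlogon mailslot body; LOGON_PRIMARY_QUERY is parsed in full (MS-ADTS)."""
    (opcode,) = struct.unpack_from("<H", data, 0)
    out = {"opcode": opcode, "opcode_name": NETLOGON_OPCODES.get(opcode, "unknown")}
    if opcode == 0x07:
        out["computer_name"], off = _cstr(data, 2)
        out["response_mailslot"], off = _cstr(data, off)
        out["unicode_computer_name"], off = _wstr(data, off)
        out["nt_version"], out["lmnt_token"], out["lm20_token"] = struct.unpack_from("<IHH", data, off)
    return out


if __name__ == "__main__":
    dgram = parse_datagram(PACKET)
    slot = parse_mailslot_write(PACKET, dgram["user_data"])
    print(dgram)
    print(slot["mailslot"], slot["setup"])
    print(parse_netlogon(slot["data"]))
```

Run as a script it prints the header fields Chris worked out by hand (reserved nibble 1, M node, first fragment with none to follow, ID 32772, source port 138), the names J4-ITRL-15 with suffix 0x00 and SOC_SECURITY with suffix 0x1B, the mailslot \MAILSLOT\NET\NETLOGON with setup words (1, 0, 2), and the Netlogon query naming J4-ITRL-15 and the response mailslot \MAILSLOT\NET\GETDC785. The non-zero reserved nibble is deliberately reported rather than rejected: a strict parser that drops datagrams with reserved bits set would silently lose traffic from the client Chris is asking about, which is the wrong failure mode for a monitoring tool.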