David Black
2005-Jan-20 16:34 UTC
[Samba] Please help me decipher a two-packet NetBT conversation...
My clients are Windows XP SP1 and SP2, members of a Samba-PDC NT domain
(tested 3.0.7 and 3.0.10, same result). Attached is ethereal output
of a two packet client-server exchange that takes place when an offline
files sync is done. SP1 quickly does this exchange twice - first
broadcast, then unicast (as attached) and goes on its way. SP2 tries,
pauses many seconds, tries again, finally giving up and completing the sync.
Basically the client is attempting a SAM logon request with an empty
user name. Samba responds with user unknown. Even at high log levels,
I get nothing in the Samba logs. I found one other reference to this
sort of issue, on an earlier Samba list post in 2002, then a follow-up
in 8/04, both unanswered.
I'd be happy to look at the Samba code to better understand how/why this
is happening, but don't know where to start. Advice is much appreciated.
Regards,
David Black
-------------- next part --------------
No. Time Source Destination Protocol
Info
4191 14:45:44.739000 dblack-pc.magnalynx.com ha1.magnalynx.com NETLOGON
SAM LOGON request from client
Frame 4191 (281 bytes on wire, 281 bytes captured)
Arrival Time: Jan 19, 2005 14:45:44.739000000
Time delta from previous packet: 0.000003000 seconds
Time since reference or first frame: 1238.005492000 seconds
Frame Number: 4191
Packet Length: 281 bytes
Capture Length: 281 bytes
Ethernet II, Src: 00:0d:60:af:59:fc, Dst: 00:0d:60:0f:01:d6
Destination: 00:0d:60:0f:01:d6 (ha1.magnalynx.com)
Source: 00:0d:60:af:59:fc (dblack-pc.magnalynx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: dblack-pc.magnalynx.com (192.168.10.151), Dst Addr:
ha1.magnalynx.com (192.168.10.230)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 267
Identification: 0x31b6 (12726)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x715e (correct)
Source: dblack-pc.magnalynx.com (192.168.10.151)
Destination: ha1.magnalynx.com (192.168.10.230)
User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138)
Source port: netbios-dgm (138)
Destination port: netbios-dgm (138)
Length: 247
Checksum: 0x7e57 (correct)
NetBIOS Datagram Service
Message Type: Direct_group datagram (17)
More fragments follow: No
This is first fragment: Yes
Node Type: P node (1)
Datagram ID: 0x8022
Source IP: dblack-pc.magnalynx.com (192.168.10.151)
Source Port: 138
Datagram length: 225 bytes
Packet offset: 0 bytes
Source name: DBLACK-PC<00> (Workstation/Redirector)
Destination name: MAGNALYNX<1c> (Domain Controllers)
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Trans (0x25)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 0... = Case Sensitivity: Path names are case sensitive
.... ..0. = Receive Buffer Posted: Receive buffer has not been
posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0x0000
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS error
codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if
execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation: Extended
security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in request are not
long file names
.... .... .... .0.. = Security Signatures: Security signatures are
not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are
not supported
.... .... .... ...0 = Long Names Allowed: Long file names are not
allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 0
Process ID: 0
User ID: 0
Multiplex ID: 0
Trans Request (0x25)
Word Count (WCT): 17
Total Parameter Count: 0
Total Data Count: 65
Max Parameter Count: 0
Max Data Count: 0
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: 1 second
Reserved: 0000
Parameter Count: 0
Parameter Offset: 0
Data Count: 65
Data Offset: 92
Setup Count: 3
Reserved: 00
Byte Count (BCC): 88
Transaction Name: \MAILSLOT\NET\NETLOGON
SMB MailSlot Protocol
Opcode: Write Mail Slot (1)
Priority: 1
Class: Unreliable & Broadcast (2)
Size: 88
Mailslot Name: \MAILSLOT\NET\NETLOGON
Microsoft Windows Logon Protocol
Command: SAM LOGON request from client (0x12)
Request Count: 0
Unicode Computer Name: DBLACK-PC
User Name:
Mailslot Name: \MAILSLOT\NET\GETDC808
Account control = 0x0000
.... .... .... .... .... .0.. .... .... = Autolock: User account NOT
auto-locked
.... .... .... .... .... ..0. .... .... = Expire: User password will
expire
.... .... .... .... .... ...0 .... .... = Server Trust: NOT a Server
Trust user account
.... .... .... .... .... .... 0... .... = Workstation Trust: NOT a
Workstation Trust user account
.... .... .... .... .... .... .0.. .... = Interdomain Trust: NOT a
Inter-domain Trust user account
.... .... .... .... .... .... ..0. .... = MNS User: NOT a MNS Logon user
account
.... .... .... .... .... .... ...0 .... = Normal User: NOT a normal user
account
.... .... .... .... .... .... .... 0... = Temp Duplicate User: NOT a
temp duplicate user account
.... .... .... .... .... .... .... .0.. = Password: Password required
.... .... .... .... .... .... .... ..0. = Homedir: Homedir required
.... .... .... .... .... .... .... ...0 = Enabled: User account disabled
Domain SID Size: 0
NT Version: 11
LMNT Token: 0xffff (Windows NT Networking)
LM20 Token: 0xffff (LanMan 2.0 or higher)
No. Time Source Destination Protocol
Info
4192 14:45:44.739035 ha1.magnalynx.com dblack-pc.magnalynx.com NETLOGON
SAM Response - user unknown
Frame 4192 (260 bytes on wire, 260 bytes captured)
Arrival Time: Jan 19, 2005 14:45:44.739035000
Time delta from previous packet: 0.000035000 seconds
Time since reference or first frame: 1238.005527000 seconds
Frame Number: 4192
Packet Length: 260 bytes
Capture Length: 260 bytes
Ethernet II, Src: 00:0d:60:0f:01:d6, Dst: 00:0d:60:af:59:fc
Destination: 00:0d:60:af:59:fc (dblack-pc.magnalynx.com)
Source: 00:0d:60:0f:01:d6 (ha1.magnalynx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: ha1.magnalynx.com (192.168.10.230), Dst Addr:
dblack-pc.magnalynx.com (192.168.10.151)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 246
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xa329 (correct)
Source: ha1.magnalynx.com (192.168.10.230)
Destination: dblack-pc.magnalynx.com (192.168.10.151)
User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138)
Source port: netbios-dgm (138)
Destination port: netbios-dgm (138)
Length: 226
Checksum: 0xc68f (correct)
NetBIOS Datagram Service
Message Type: Direct_unique datagram (16)
More fragments follow: No
This is first fragment: Yes
Node Type: M node (2)
Datagram ID: 0x1978
Source IP: ha1.magnalynx.com (192.168.10.230)
Source Port: 138
Datagram length: 204 bytes
Packet offset: 0 bytes
Source name: PDC<00> (Workstation/Redirector)
Destination name: DBLACK-PC<00> (Workstation/Redirector)
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Trans (0x25)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 0... = Case Sensitivity: Path names are case sensitive
.... ..0. = Receive Buffer Posted: Receive buffer has not been
posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0x0000
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS error
codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if
execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation: Extended
security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in request are not
long file names
.... .... .... .0.. = Security Signatures: Security signatures are
not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are
not supported
.... .... .... ...0 = Long Names Allowed: Long file names are not
allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 0
Process ID: 0
User ID: 0
Multiplex ID: 0
Trans Request (0x25)
Word Count (WCT): 17
Total Parameter Count: 0
Total Data Count: 44
Max Parameter Count: 0
Max Data Count: 0
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 0
Parameter Offset: 0
Data Count: 44
Data Offset: 92
Setup Count: 3
Reserved: 00
Byte Count (BCC): 67
Transaction Name: \MAILSLOT\NET\GETDC808
SMB MailSlot Protocol
Opcode: Write Mail Slot (1)
Priority: 1
Class: Unreliable & Broadcast (2)
Size: 67
Mailslot Name: \MAILSLOT\NET\GETDC808
Microsoft Windows Logon Protocol
Command: SAM Response - user unknown (0x15)
Data (42 bytes)
Gerald (Jerry) Carter
2005-Jan-20 18:01 UTC
[Samba] Please help me decipher a two-packet NetBT conversation...
David Black wrote:
| My clients are Windows XP SP1 and SP2, members of a Samba-PDC NT domain
| (tested 3.0.7 and 3.0.10, same result). Attached is ethereal output
| of a two packet client-server exchange that takes place when an offline
| files sync is done. SP1 quickly does this exchange twice - first
| broadcast, then unicast (as attached) and goes on its way. SP2 tries,
| pauses many seconds, tries again, finally giving up and completing the
| sync.
|
| Basically the client is attempting a SAM logon request with an empty
| user name. Samba responds with user unknown. Even at high log levels,
| I get nothing in the Samba logs. I found one other reference to this
| sort of issue, on an earlier Samba list post in 2002, then a follow-up
| in 8/04, both unanswered.
|

This is the correct response based on my memory of the network
traffic. You could be running down the wrong trail here.
I haven't dug in to the offline caching support so I can't comment
on that too much. But the response code in your trace was
right as far as I know.

cheers, jerry
Andrew Bartlett
2005-Jan-21 06:51 UTC
[Samba] Please help me decipher a two-packet NetBT conversation...
On Thu, 2005-01-20 at 10:33 -0600, David Black wrote:
> My clients are Windows XP SP1 and SP2, members of a Samba-PDC NT domain
> (tested 3.0.7 and 3.0.10, same result). Attached is ethereal output
> of a two packet client-server exchange that takes place when an offline
> files sync is done. SP1 quickly does this exchange twice - first
> broadcast, then unicast (as attached) and goes on its way. SP2 tries,
> pauses many seconds, tries again, finally giving up and completing the sync.
>
> Basically the client is attempting a SAM logon request with an empty
> user name. Samba responds with user unknown.

Before you spend too much time barking up the wrong tree, my
understanding is that the username in this UDP SamLogon request is not
honoured by any modern operating system, and user-unknown is the correct
reply.

Giving out this information would confirm/deny a given username without
authentication, which is considered a bad thing. Samba has always left
it up to the logon process to actually decide this.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
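
Added example, not part of the original thread and not Samba's code: a Python parser for the 65-byte SAM LOGON request body dissected in frame 4191, with a reply builder that returns the user-unknown opcode without ever looking the name up, as the replies above describe. The response field layout, the `\\PDC` server string and the response NT version value are assumptions; the trace shows only the reply's opcode and its 44-byte length.

```python
import struct

LOGON_SAM_LOGON_REQUEST = 0x12  # "SAM LOGON request from client" (frame 4191)
LOGON_SAM_USER_UNKNOWN = 0x15   # "SAM Response - user unknown" (frame 4192)

def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"

def _read_utf16z(buf, off):
    end = off
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[off:end].decode("utf-16-le"), end + 2
        end += 2

def build_request(computer, user, mailslot, nt_version=11):
    # Constructed sample input: rebuilds the request body from dissected fields.
    return (struct.pack("<HH", LOGON_SAM_LOGON_REQUEST, 0)  # opcode, request count
            + _utf16z(computer) + _utf16z(user)
            + mailslot.encode("ascii") + b"\x00"
            # account control, domain SID size, NT version, LMNT, LM20 tokens
            + struct.pack("<IIIHH", 0, 0, nt_version, 0xFFFF, 0xFFFF))

def parse_request(data):
    opcode, req_count = struct.unpack_from("<HH", data, 0)
    if opcode != LOGON_SAM_LOGON_REQUEST:
        raise ValueError("not a SAM LOGON request")
    computer, off = _read_utf16z(data, 4)
    user, off = _read_utf16z(data, off)
    end = data.index(b"\x00", off)              # ASCII reply mailslot name
    mailslot = data[off:end].decode("ascii")
    acct_ctrl, sid_size = struct.unpack_from("<II", data, end + 1)
    if sid_size:                                # trace shows "Domain SID Size: 0"
        raise ValueError("domain SID present; only the SID-less form is parsed")
    nt_version, lmnt, lm20 = struct.unpack_from("<IHH", data, end + 9)
    return {"computer": computer, "user": user, "mailslot": mailslot,
            "acct_ctrl": acct_ctrl, "nt_version": nt_version,
            "lmnt": lmnt, "lm20": lm20}

def build_user_unknown(req, server, domain):
    # Assumed layout: opcode, logon server, echoed user, domain, version, tokens.
    # The user name is echoed but never looked up, so the opcode is identical
    # for existing and non-existing accounts (no unauthenticated enumeration).
    return (struct.pack("<H", LOGON_SAM_USER_UNKNOWN)
            + _utf16z("\\\\" + server) + _utf16z(req["user"]) + _utf16z(domain)
            + struct.pack("<IHH", 1, 0xFFFF, 0xFFFF))  # NT version 1 is assumed
```

With the values from the trace (`DBLACK-PC`, empty user name, `\MAILSLOT\NET\GETDC808`), the rebuilt request is 65 bytes and the reply is 44 bytes, matching the two Data Count fields in the capture.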