Alejandro Hernández
2005-Jul-07 08:13 UTC
[Samba] Migration: server with smb 2.2 -> new server, 2.2 too, weird issues
Hello all at the samba list.
The other day there was a server migration; the old one had Samba 2.2
(.6) working normally. Every user logged in to the domain without problems,
their SIDs and the domain SID were right, everything was ideal. But a
server update was needed, and a new server was installed, also with
Samba 2.2 (.12). The difference in version is not important this time, as
other steps have come from far older versions.
They have chosen not to use Samba 3. Don't ask me why; they don't want
Samba 3.
We have a mechanism of transparent domain migration that implies zero
notice to the user. It consists of re-creating, at the unix level, the
same accounts that existed on the old server (user & machine names, IDs,
homes, shells, etc.) via a shell script that exports and imports passwd
file values. Then, at the Samba level, the server is configured with the
same values the old server had in smb.conf, a few other values are
set, and finally the old server's secrets.tdb and smbpasswd files are
copied over and left alone. The users never know we changed servers,
unless they notice more speed, and they never tell us.
But this time something went wrong. First of all, we didn't do the
migration and were not asked to intervene in it. Thus, they
used their own method. They overwrote the new /etc/passwd file with the
old /etc/passwd (a plain cp). The old one used shadow, the new one
doesn't. It took the teams involved (we were called later in the
process) 3 hours to minimally correct the accounts so anyone could log
in without problems.
It's clear it was not correct right from this moment onwards. At this
stage, nobody could join the domain. I was not at work (my mates left at
2:00 AM), so the next day I could correct it. Just by putting back the two
main Samba files, a lot of machines & users (about 100 of the 300 machines
in total) could start working. After some hours of tuning and
correcting smb files, more than 200 could finally work. The problem lies
in the rest; they are not many, but they are critical.
Before I put back the couple of Samba files, the message they were
getting was "the domain is unavailable or the machine account
does not exist" or something like that. I've seen it thousands of times but
can't remember it exactly. After putting the files back, the message was
something like "User or password incorrect, check caps lock key, or try to
type better, etc". You may know the message; again, I can't remember it
exactly.
The password and user are not the cause, for sure. I tested with one user,
changing her password. Nothing. Inconceivable. This last step is never
needed. Between this and that, I restarted samba 3 or 5 times (I know 99%
of the time it's not needed, and in these cases it isn't, but...). I even
brought over MACHINE.SID. Nothing at all. Once, I can't remember well, the
user logged in with the old password re-set (surely the MACHINE.SID and a
samba restart had something to do with it) but couldn't use the remote
profile (the typical messages... again, seen very often), which gets
corrected with "profile acls = yes" and by changing the marvellous setting
MS put in recent SPs of their fabulous OS. Users could use their profiles.
So I won a dozen or so more, and the defective number was decreasing but
not disappearing.
It was ok for one user. For the rest of the network users on the machine
(local profiles are used), no solution. None can log in to the domain.
None. On other machines, no user can log in at all, and of course it
happens on the most important ones, whether or not I do the trick from
before. The message I get is the "User or password incorrect" one, which
is not true. It must refer to something deeeeeep inside.
It may be due to differences between PCs... but they are all "kits"
designed here, so they all have the same configuration. Worth another
look anyway.
Before going into logs and config files: has anybody suffered from
something like this? Is there, or has there been, anybody with the same
headaches? Should I use only roaming profiles with no local storing?
I have attached some files: smb.conf, some smb logs of users (traces
varied from level 1 to 3 with no explicit messages at all, unlike other
cases where they helped me a lot) and a regmon (sysinternals.com) log file
that has given me some clues.
############ SMB.CONF
# Global parameters
[global]
workgroup = SERVER_SMB
netbios name = SERVER
encrypt passwords = Yes
null passwords = Yes
smb passwd file = /etc/samba/lib/smbpasswd
log file = /tmp/%m_%U
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8576 SO_SNDBUF=8576
add user script = /etc/samba/bin/crea_maquina.sh %m
logon script = %G.bat
logon path = \\SERVER\perfiles\%G\%U
logon drive = C:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
lock dir = /var/opt/samba/locks
include = /etc/samba/lib/LOCAL_smb.conf
.
.
.
[perfiles]
path = /path/perfiles
read only = No
create mask = 0777
directory mask = 0777
browseable = No
profile acls = yes
##################### USER LOG FILE
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7267 of length 152
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBsesssetupX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(893)
Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1]
NativeLanMan=[Windows 2002 5.1]
[2005/07/05 15:35:23, 3] smbd/reply.c:(904)
sesssetupX:name=[]
[2005/07/05 15:35:23, 3] param/loadparm.c:(1307)
Initialising global parameters
[2005/07/05 15:35:23, 3] param/params.c:(626)
params.c:pm_process() - Processing configuration file
"/etc/opt/samba/smb.conf"
[2005/07/05 15:35:23, 3] param/loadparm.c:(3102)
Processing section "[global]"
[2005/07/05 15:35:23, 3] param/params.c:(626)
params.c:pm_process() - Processing configuration file
"/etc/samba/lib/DECAPM0_smb.conf"
[2005/07/05 15:35:23, 3] param/loadparm.c:(3102)
Processing section "[global]"
[2005/07/05 15:35:23, 1] lib/debug.c:(256)
INFO: Debug class all level = 3 (pid 26434 from pid 26434)
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[perfiles]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[netlogon]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[perfiles]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[HOMES]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[grupo]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[comun]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[logon]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[W]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[das]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[etc]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[mindocu]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[minforms]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[docu]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[forms]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[we]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[printers]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[jetadmin]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[inventario]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[logs]"
[2005/07/05 15:35:23, 3] param/loadparm.c:(2075)
adding IPC service IPC$
[2005/07/05 15:35:23, 3] param/loadparm.c:(2075)
adding IPC service ADMIN$
[2005/07/05 15:35:23, 3] param/loadparm.c:(2109)
adding printer service guardia2
[2005/07/05 15:35:23, 3] param/loadparm.c:(2109)
adding printer service guardia1
[2005/07/05 15:35:23, 3] param/loadparm.c:(2109)
adding printer service jddva1
[2005/07/05 15:35:23, 2] lib/interface.c:(81)
added interface ip=10.44.36.13 bcast=10.44.37.255 nmask=255.255.254.0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] smbd/password.c:(336)
uid 512 registered to name gerencia
[2005/07/05 15:35:23, 3] smbd/password.c:(338)
Clearing default real name
[2005/07/05 15:35:23, 3] smbd/password.c:(340)
User name: gerencia Real name: Usuario LIBRA
[2005/07/05 15:35:23, 3] smbd/process.c:(1003)
Chained message
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBtconX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/password.c:(576)
Account for user 'gerencia' has no password and null passwords are
allowed.
[2005/07/05 15:35:23, 3] smbd/password.c:(774)
authorise_login: ACCEPTED: given username (gerencia) password ok
[2005/07/05 15:35:23, 3] smbd/service.c:(487)
Connect path is /tmp
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(273)
se_access_check: user sid is
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-1-0
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-2
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-32-546
[2005/07/05 15:35:23, 3] smbd/vfs.c:(123)
Initialising default vfs hooks
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/vfs.c:(600)
vfs_ChDir to /tmp
[2005/07/05 15:35:23, 3] smbd/service.c:(636)
xba0687 (10.44.37.199) connect to service IPC$ as user gerencia
(uid=512, gid=50) (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(396)
tconX service=ipc$ user=gerencia
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7268 of length 97
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBntcreateX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/nttrans.c:(559)
nt_open_pipe: Known pipe NETLOGON opening.
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7269 of length 140
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(796)
api_pipe_bind_req: \PIPE\NETLOGON -> \PIPE\lsass
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74a9 nwritten=72
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7270 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74a9 min=1024 max=1024 nread=68
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7271 of length 364
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29865 rpc command: NET_SAMLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 668
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74a9 nwritten=296
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7272 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74a9 min=1024 max=1024 nread=56
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7273 of length 45
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBclose (pid 26434)
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7274 of length 97
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBntcreateX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/nttrans.c:(559)
nt_open_pipe: Known pipe NETLOGON opening.
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7275 of length 140
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(796)
api_pipe_bind_req: \PIPE\NETLOGON -> \PIPE\lsass
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=72
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7276 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=68
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7277 of length 164
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29866 rpc command: NET_REQCHAL
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(512, 50) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(117) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 36
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=96
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7278 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=36
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7279 of length 200
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=132
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7280 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=32
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7281 of length 200
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29866 rpc command: NET_AUTH2
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 54
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=132
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7282 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=40
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7283 of length 152
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBsesssetupX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(893)
Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1]
NativeLanMan=[Windows 2002 5.1]
[2005/07/05 15:35:23, 3] smbd/reply.c:(904)
sesssetupX:name=[]
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] smbd/password.c:(336)
uid 512 registered to name gerencia
[2005/07/05 15:35:23, 3] smbd/password.c:(338)
Clearing default real name
[2005/07/05 15:35:23, 3] smbd/password.c:(340)
User name: gerencia Real name: Usuario LIBRA
[2005/07/05 15:35:23, 3] smbd/process.c:(1003)
Chained message
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBtconX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/password.c:(576)
Account for user 'gerencia' has no password and null passwords are
allowed.
[2005/07/05 15:35:23, 3] smbd/password.c:(774)
authorise_login: ACCEPTED: given username (gerencia) password ok
[2005/07/05 15:35:23, 3] smbd/service.c:(487)
Connect path is /tmp
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(273)
se_access_check: user sid is
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-1-0
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-2
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-32-546
[2005/07/05 15:35:23, 3] smbd/vfs.c:(123)
Initialising default vfs hooks
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/service.c:(636)
xba0687 (10.44.37.199) connect to service IPC$ as user gerencia
(uid=512, gid=50) (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(396)
tconX service=ipc$ user=gerencia
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7284 of length 95
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBntcreateX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/nttrans.c:(559)
nt_open_pipe: Known pipe lsarpc opening.
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7285 of length 140
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(796)
api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsass
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=72
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7286 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=68
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7287 of length 156
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\lsarpc
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29867 rpc command: LSA_OPENPOLICY2
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 20
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=88
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7288 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=48
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7289 of length 120
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\lsarpc
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29867 rpc command: LSA_ENUMTRUSTDOM
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=52
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7290 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=40
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7291 of length 112
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\lsarpc
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29867 rpc command: LSA_CLOSE
[2005/07/05 15:35:23, 3] rpc_server/srv_lsa_hnd.c:(197)
Closed policy
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=44
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7292 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=48
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7293 of length 45
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBclose (pid 26434)
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7294 of length 364
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29866 rpc command: NET_SAMLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_netlog_nt.c:(618)
SAM Logon (Interactive). Domain:[DECAPM0_MJU_SMB]. User:[paula]
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(512, 50) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(117) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] rpc_server/srv_util.c:(187)
domain group access 513/7 granted
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 4788
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=296
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7295 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=616
[2005/07/05 15:35:34, 3] smbd/process.c:(858)
Transaction 7296 of length 43
[2005/07/05 15:35:34, 3] smbd/process.c:(696)
switch message SMBulogoffX (pid 26434)
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/reply.c:(1838)
ulogoffX vuid=118
[2005/07/05 15:35:34, 3] smbd/process.c:(858)
Transaction 7297 of length 39
[2005/07/05 15:35:34, 3] smbd/process.c:(696)
switch message SMBtdis (pid 26434)
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/service.c:(675)
xba0687 (10.44.37.199) closed connection to service IPC$
[2005/07/05 15:35:34, 3] smbd/connection.c:(48)
Yielding connection to IPC$
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/vfs.c:(600)
vfs_ChDir to /
[2005/07/05 15:35:53, 3] smbd/process.c:(858)
Transaction 7298 of length 45
[2005/07/05 15:35:53, 3] smbd/process.c:(696)
switch message SMBclose (pid 26434)
[2005/07/05 15:35:53, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:53, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:53, 3] smbd/vfs.c:(600)
vfs_ChDir to /tmp
[2005/07/05 15:36:04, 3] smbd/process.c:(858)
Transaction 7299 of length 43
[2005/07/05 15:36:04, 3] smbd/process.c:(696)
switch message SMBulogoffX (pid 26434)
[2005/07/05 15:36:04, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:36:04, 3] smbd/reply.c:(1838)
ulogoffX vuid=117
[2005/07/05 15:36:04, 3] smbd/process.c:(858)
Transaction 7300 of length 39
[2005/07/05 15:36:04, 3] smbd/process.c:(696)
switch message SMBtdis (pid 26434)
[2005/07/05 15:36:04, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:36:04, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:36:04, 3] smbd/service.c:(675)
xba0687 (10.44.37.199) closed connection to service IPC$
[2005/07/05 15:36:04, 3] smbd/connection.c:(48)
################### SYSINTERNALS.COM REGMON LOG
It's an attached file.
-------------- next part --------------
Sysinternals.com regmon is the program I use to monitor registry activity of
processes. I managed to log the Windoze authentication process with 2 tries of
one user (I only show the first, as the second gives the same values) and
another, successful one, and I have compared the data. There are some
distinctive keys and values, and what the system gets from them.
It seems to me that in the Cache keys it looks for a certain SID. I think
something could be written or modified there (I might be crazy, of course, but
when the issue is so bitchy that a flamethrower is behind you, what can you try
to do?), so I need some kind of clue here.
This log file has been cut by some fields and, of course, from a lot of lines.
The original is 988KB in size and this one is about 26KB. I still keep the big
one in case somebody could help me with this issue and wants information from
it. Some data like the real domain name or real users has been modified for
anonymity reasons.
### Here it seems the authentication process starts...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$2 SUCCESS 0E 00 1E 00 0E 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$1 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$10 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$9 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 BUFFER OVERFLOW
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$7 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$6 SUCCESS 06 00 1E 00 06 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$5 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 BUFFER OVERFLOW
### It has searched in every node of Cache and it seems it hasn't found anything...
### And now, some (?) less important keys...
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
### lsass returns and does some more checking... The keys and values seem interesting...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName ACCESS DENIED Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ACCESS DENIED Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
lsass.exe:568 OpenKey HKLM\Software\Policies\Microsoft\System\DNSclient NOT FOUND
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain SUCCESS ""
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
### You see it's repeating the process, quite typical of their programming... :/
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$2 SUCCESS 0E 00 1E 00 0E 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$1 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$10 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$9 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 BUFFER OVERFLOW
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$7 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$6 SUCCESS 06 00 1E 00 06 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$5 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 BUFFER OVERFLOW
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
### Here it looks for one user. It is the one with problems. It's curious that none of the names are found.
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Users\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\Names\juans NOT FOUND
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Users\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\Names\juans NOT FOUND
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
### Here comes a definitive piece of data: the user SID of the old domain.
lsass.exe:568 OpenKey HKLM\Security\Recovery\S-1-5-21-1517441303-804621452-1457755469-2368 NOT FOUND
### As it fails, it looks like lsass "gives up". It returns "user and password incorrect" and then the system continues its way.
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKCU SUCCESS Access: 0x80000000
winlogon.exe:512 CloseKey HKCU SUCCESS
winlogon.exe:512 OpenKey HKCU SUCCESS Access: 0x80000000
winlogon.exe:512 CloseKey HKCU SUCCESS
svchost.exe:792 OpenKey HKLM\Software\Microsoft\COM3 SUCCESS Access: 0x20019
svchost.exe:792 QueryValue HKLM\Software\Microsoft\COM3\REGDBVersion SUCCESS 07 00 00 00 00 00 00 00
svchost.exe:792 CloseKey HKLM\Software\Microsoft\COM3 SUCCESS
svchost.exe:792 OpenKey HKLM\Software\Microsoft\COM3 SUCCESS Access: 0x20019
...
### Blah blah blah. The next cut is the result of a successful login. There are plenty of differences.
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NoDomainUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x80000000
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RasDisable NOT FOUND
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD SUCCESS 0x0
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
### This seems to be an important piece of data. While in the previous test lsass looks in each key of 'Cache', here it does it only once. It looks like it is happy with what it has found.
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
### Then, lsass starts to act as usual.
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner SUCCESS 0x1
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
### Winlogon gets everything it wants, so the system knows this user really exists and has everything it needs to let the user log on.
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x2001F
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368\NextLogonCacheable NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\SyncForegroundPolicy NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\winlogon NOT FOUND
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshMode SUCCESS 0x2
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshReason SUCCESS 0x0
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshMode SUCCESS 0x2
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshReason SUCCESS 0x0
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
### lsass gets some policies and values...
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner SUCCESS 0x1
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
### ... and winlogon gets more values.
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x2001F
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368\OptimizedLogonStatus SUCCESS 0x8
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RestrictShell NOT FOUND
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption SUCCESS "0"
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 CreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2000F
### Here it goes: the user name.
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName BUFFER OVERFLOW
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName SUCCESS "username"
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName BUFFER OVERFLOW
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName SUCCESS "DOMAIN_SMB"
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName SUCCESS "username"
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName BUFFER OVERFLOW
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName SUCCESS "DOMAIN_SMB"
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD SUCCESS 0x0
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2000000
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning SUCCESS 0xE
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKCU NOT FOUND
winlogon.exe:512 OpenKey HKU\.Default SUCCESS Access: 0x2000000
winlogon.exe:512 CreateKey HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2001F
winlogon.exe:512 QueryValue HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportDC SUCCESS 0x0
winlogon.exe:512 SetValue HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportDC SUCCESS 0x0
winlogon.exe:512 CloseKey HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 CloseKey HKU\.Default SUCCESS
### I think the rest is not relevant. The system allows the log on and builds the environment.
### I chose the previous lines because, of all the registry I have seen (and I have seen A LOT!), these values pose a weird thing to me.
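As an added example (not from the post, and not Samba or Windows code), here is a small Python triage script that rejoins a mail-wrapped Regmon dump like the one above and pulls out the markers the post reads by eye: which HKLM\SECURITY\Cache\NL$n slots lsass probed, the SAM ...\Names lookups that came back NOT FOUND, the SID looked up under HKLM\Security\Recovery, and the ProfileList SID winlogon opened. The two embedded traces are constructed from the failed and successful cuts above, and the classification rule is my reading of the post, not documented Windows behaviour.

```python
import re
from collections import namedtuple
from typing import List

# Regmon line: "process:pid Op Path RESULT [data]". Paths may contain spaces
# ("Windows NT", "Group Policy"), so the result token is matched from the right.
_LINE = re.compile(
    r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.*?)\s+"
    r"(?P<result>SUCCESS|NOT FOUND|BUFFER OVERFLOW|ACCESS DENIED)(?:\s+(?P<data>.*))?$")
_START = re.compile(r"^\S+?:\d+\s+\w+(\s|$)")   # a new event, not a wrapped tail
_SID = re.compile(r"S-1-5-21(?:-\d+){4}")
Event = namedtuple("Event", "proc pid op path result data")

def parse_regmon(text: str) -> List[Event]:
    """Parse a mail-wrapped Regmon dump: rejoin wrapped lines, skip '###' notes."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("###") or line == ".":
            continue
        if _START.match(line) or not records:
            records.append(line)
        else:                           # hard-wrapped remainder of the previous event
            records[-1] += " " + line
    events = []
    for rec in records:
        m = _LINE.match(rec)
        if m:
            events.append(Event(m["proc"], int(m["pid"]), m["op"], m["path"],
                                m["result"], m["data"]))
    return events

def summarize_logon(events: List[Event]) -> dict:
    """Collect the markers the post uses to tell a failed logon from a good one."""
    cache_slots, sam_misses, profile_sids, recovery_miss = set(), set(), set(), None
    for e in events:
        p = e.path.lower()
        if e.proc == "lsass.exe" and e.op == "QueryValue" and "\\security\\cache\\nl$" in p:
            slot = p.rsplit("nl$", 1)[1]                       # NL$n slot probed
            if slot.isdigit():
                cache_slots.add(int(slot))
        elif "\\sam\\sam\\domains\\" in p and "\\names\\" in p and e.result == "NOT FOUND":
            sam_misses.add(e.path.rsplit("\\", 1)[1])          # no such local account
        elif "\\security\\recovery\\" in p and e.result == "NOT FOUND":
            m = _SID.search(e.path)                            # stale SID lookup
            recovery_miss = m.group(0) if m else recovery_miss
        elif "\\profilelist\\" in p and e.op == "OpenKey" and e.result == "SUCCESS":
            m = _SID.search(e.path)                            # profile SID resolved
            if m:
                profile_sids.add(m.group(0))
    return {"cache_slots": sorted(cache_slots), "sam_misses": sorted(sam_misses),
            "recovery_miss": recovery_miss, "profile_sids": sorted(profile_sids)}

def classify(summary: dict) -> str:
    """Failed: every NL$ slot probed, SAM misses, then a SID under Recovery NOT FOUND."""
    if summary["recovery_miss"] and summary["sam_misses"]:
        return "failed: cached-credential miss for SID " + summary["recovery_miss"]
    if summary["profile_sids"] and len(summary["cache_slots"]) <= 1:
        return "succeeded: single cache hit, profile " + summary["profile_sids"][0]
    return "inconclusive"

# Constructed samples, modelled on the two cuts in the post (same wrapping style).
FAILED = r"""
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00
00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$2 SUCCESS 0E 00 1E 00 0E 00 1A
00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$1 BUFFER OVERFLOW
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\Names\juans NOT FOUND
lsass.exe:568 OpenKey
HKLM\Security\Recovery\S-1-5-21-1517441303-804621452-1457755469-2368 NOT FOUND
"""
SUCCEEDED = r"""
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00
00 ...
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368
SUCCESS Access: 0x2001F
"""
```

Run `classify(summarize_logon(parse_regmon(open("trace.txt").read())))` on the full 988KB dump to get the same verdict the post reaches by hand.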
