[2016/04/30 10:52:40.329727, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_GetVersion: struct winreg_GetVersion out: struct winreg_GetVersion version : * version : 0x00000005 (5) result : WERR_OK [2016/04/30 10:52:40.329742, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.329751, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.329759, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0020 (32) auth_length : 0x0010 (16) call_id : 0x0000002f (47) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000008 (8) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=8 [0000] 05 00 00 00 00 00 00 00 ........ 
[2016/04/30 10:52:40.329834, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.329853, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.329859, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 8 bytes [2016/04/30 10:52:40.329864, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 64 [2016/04/30 10:52:40.329887, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 64 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.329896, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 64 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.329903, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 64 status NT_STATUS_OK [2016/04/30 10:52:40.329908, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:64] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.329914, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/750/127 [2016/04/30 10:52:40.330428, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.330442, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 750 (position 750) from bitmap [2016/04/30 10:52:40.330448, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 750 [2016/04/30 10:52:40.330456, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.330462, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.330548, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.330589, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.330596, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 750, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.330602, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.330608, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 176 [2016/04/30 10:52:40.330613, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 176 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 176 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.330644, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 176 [2016/04/30 10:52:40.330651, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.330670, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.330676, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.330682, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.330687, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.330692, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8 [2016/04/30 10:52:40.330697, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.330702, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.330710, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.330717, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.330723, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.330728, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.330816, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.330851, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.330857, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.330862, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0xf - api_rpcTNP: rpc command: WINREG_OPENKEY [2016/04/30 10:52:40.330868, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[15].fn == 0x7f9b33e02fa0 [2016/04/30 10:52:40.330875, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey in: struct winreg_OpenKey parent_handle : * parent_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 keyname: struct winreg_String name_len : 0x0046 (70) name_size : 0x0046 (70) name : * name : 'UserOverride\Control Panel\Desktop' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x00020019 (131097) 1: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 1: KEY_ENUMERATE_SUB_KEYS 1: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2016/04/30 10:52:40.330936, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] 
../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... [2016/04/30 10:52:40.330960, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [UserOverride] [2016/04/30 10:52:40.330965, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:857(regdb_open) regdb_open: incrementing refcount (2->3) [2016/04/30 10:52:40.330972, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] [2016/04/30 10:52:40.330978, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] [2016/04/30 10:52:40.330986, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2016/04/30 10:52:40.330990, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f9b33606020 for key [\HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] [2016/04/30 10:52:40.331004, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:1744(regdb_fetch_keys_internal) key [HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] not found [2016/04/30 10:52:40.331010, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) 
regdb_close: decrementing refcount (3->2) [2016/04/30 10:52:40.331015, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey out: struct winreg_OpenKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_BADFILE [2016/04/30 10:52:40.331037, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.331046, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.331055, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000030 (48) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 02 00 00 00 ........ 
[2016/04/30 10:52:40.331145, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.331165, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.331172, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes [2016/04/30 10:52:40.331177, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80 [2016/04/30 10:52:40.331200, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.331207, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.331213, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK [2016/04/30 10:52:40.331218, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.331225, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/751/127 [2016/04/30 10:52:40.331601, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.331615, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 751 (position 751) from bitmap [2016/04/30 10:52:40.331621, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 751 [2016/04/30 10:52:40.331629, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.331635, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.331725, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.331762, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.331769, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 751, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.331775, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.331781, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 80 [2016/04/30 10:52:40.331786, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 80 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 80 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.331817, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 80 [2016/04/30 10:52:40.331824, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.331843, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.331849, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.331855, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.331859, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.331865, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 [2016/04/30 10:52:40.331873, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.331878, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.331885, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.331892, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.331899, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.331904, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.331989, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.332165, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.332172, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.332177, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x1a - api_rpcTNP: rpc command: WINREG_GETVERSION [2016/04/30 10:52:40.332183, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[26].fn == 0x7f9b33e01300 [2016/04/30 10:52:40.332189, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_GetVersion: struct winreg_GetVersion in: struct winreg_GetVersion handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 [2016/04/30 10:52:40.332211, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.332230, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_GetVersion: struct winreg_GetVersion out: struct winreg_GetVersion version : * version : 0x00000005 (5) result : WERR_OK [2016/04/30 10:52:40.332246, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.332255, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.332264, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0020 (32) auth_length : 0x0010 (16) call_id : 0x00000031 (49) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000008 (8) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=8 [0000] 05 00 00 00 00 00 00 00 ........ 
[2016/04/30 10:52:40.332338, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.332358, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.332365, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 8 bytes [2016/04/30 10:52:40.332370, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 64 [2016/04/30 10:52:40.332394, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 64 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.332404, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 64 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.332411, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 64 status NT_STATUS_OK [2016/04/30 10:52:40.332416, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:64] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.332423, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/752/127 [2016/04/30 10:52:40.332835, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.332866, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 752 (position 752) from bitmap [2016/04/30 10:52:40.332871, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 752 [2016/04/30 10:52:40.332878, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.332884, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.332969, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.333008, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.333015, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 752, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.333020, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.333026, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 176 [2016/04/30 10:52:40.333031, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 176 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 176 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.333061, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 176 [2016/04/30 10:52:40.333067, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.333085, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.333091, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.333096, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.333101, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.333106, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8 [2016/04/30 10:52:40.333111, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.333116, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.333123, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.333130, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.333136, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.333141, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.333229, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.333264, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.333269, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.333274, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0xf - api_rpcTNP: rpc command: WINREG_OPENKEY [2016/04/30 10:52:40.333280, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[15].fn == 0x7f9b33e02fa0 [2016/04/30 10:52:40.333287, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey in: struct winreg_OpenKey parent_handle : * parent_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 keyname: struct winreg_String name_len : 0x0046 (70) name_size : 0x0046 (70) name : * name : 'UserOverride\Control Panel\Desktop' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x00020019 (131097) 1: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 1: KEY_ENUMERATE_SUB_KEYS 1: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2016/04/30 10:52:40.333348, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] 
../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... [2016/04/30 10:52:40.333370, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [UserOverride] [2016/04/30 10:52:40.333375, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:857(regdb_open) regdb_open: incrementing refcount (2->3) [2016/04/30 10:52:40.333382, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] [2016/04/30 10:52:40.333387, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] [2016/04/30 10:52:40.333394, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2016/04/30 10:52:40.333399, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f9b33606020 for key [\HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] [2016/04/30 10:52:40.333409, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:1744(regdb_fetch_keys_internal) key [HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\UserOverride] not found [2016/04/30 10:52:40.333415, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) 
regdb_close: decrementing refcount (3->2) [2016/04/30 10:52:40.333420, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey out: struct winreg_OpenKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_BADFILE [2016/04/30 10:52:40.333441, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.333450, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.333458, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000032 (50) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 02 00 00 00 ........ 
[2016/04/30 10:52:40.333548, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.333568, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.333574, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes [2016/04/30 10:52:40.333579, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80 [2016/04/30 10:52:40.333602, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.333608, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.333614, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK [2016/04/30 10:52:40.333619, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.333626, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/753/127 [2016/04/30 10:52:40.334001, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.334014, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 753 (position 753) from bitmap [2016/04/30 10:52:40.334021, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 753 [2016/04/30 10:52:40.334028, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.334035, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.334125, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.334162, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.334169, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 753, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.334174, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.334180, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 160 [2016/04/30 10:52:40.334185, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 160 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 160 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.334216, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 160 [2016/04/30 10:52:40.334223, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.334243, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.334249, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.334254, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.334259, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.334264, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 4 [2016/04/30 10:52:40.334272, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.334277, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.334285, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.334292, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.334298, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.334304, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.334387, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.334422, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.334428, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.334433, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x11 - api_rpcTNP: rpc command: WINREG_QUERYVALUE [2016/04/30 10:52:40.334439, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[17].fn == 0x7f9b33e02820 [2016/04/30 10:52:40.334447, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue in: struct winreg_QueryValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 value_name : * value_name: struct winreg_String name_len : 0x001c (28) name_size : 0x001c (28) name : * name : 'NWLogonServer' type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000060 (96) data_length : * data_length : 0x00000000 (0) [2016/04/30 10:52:40.334500, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.334518, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:263(_winreg_QueryValue) _winreg_QueryValue: policy key name = [HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration] [2016/04/30 10:52:40.334524, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:264(_winreg_QueryValue) _winreg_QueryValue: policy key type = [00000000] [2016/04/30 10:52:40.334530, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:316(_winreg_QueryValue) _winreg_QueryValue: reg_queryvalue failed with: WERR_BADFILE [2016/04/30 10:52:40.334535, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue out: struct winreg_QueryValue type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000000 (0) data_length : * data_length : 0x00000000 (0) result : WERR_BADFILE [2016/04/30 10:52:40.334562, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.334571, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.334579, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) 
auth_length : 0x0010 (16) call_id : 0x00000033 (51) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000002c (44) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=44 [0000] 14 00 02 00 00 00 00 00 18 00 02 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 1C 00 02 00 00 00 00 00 ........ ........ [0020] 20 00 02 00 00 00 00 00 02 00 00 00 ....... .... [2016/04/30 10:52:40.334684, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x04 (4) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.334703, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.334710, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 44 bytes [2016/04/30 10:52:40.334715, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 96 [2016/04/30 10:52:40.334737, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 96 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.334744, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 96 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.334750, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 96 status NT_STATUS_OK [2016/04/30 10:52:40.334756, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:96] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.334762, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/754/127 [2016/04/30 10:52:40.335241, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.335266, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 754 (position 754) from bitmap [2016/04/30 10:52:40.335272, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 754 [2016/04/30 10:52:40.335280, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.335286, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.335377, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.335416, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.335423, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 754, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.335428, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.335434, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 160 [2016/04/30 10:52:40.335439, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 160 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 160 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.335470, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 160 [2016/04/30 10:52:40.335477, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.335497, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.335503, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.335508, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.335516, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.335521, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0 [2016/04/30 10:52:40.335527, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.335532, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.335539, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.335546, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.335553, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.335558, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.335642, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.335679, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.335685, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.335690, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x11 - api_rpcTNP: rpc command: WINREG_QUERYVALUE [2016/04/30 10:52:40.335698, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[17].fn == 0x7f9b33e02820 [2016/04/30 10:52:40.335706, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue in: struct winreg_QueryValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 value_name : * value_name: struct winreg_String name_len : 0x001e (30) name_size : 0x001e (30) name : * name : 'WFHomeDirDrive' type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000008 (8) data_length : * data_length : 0x00000000 (0) [2016/04/30 10:52:40.335756, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.335775, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:263(_winreg_QueryValue) _winreg_QueryValue: policy key name = [HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration] [2016/04/30 10:52:40.335780, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:264(_winreg_QueryValue) _winreg_QueryValue: policy key type = [00000000] [2016/04/30 10:52:40.335786, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:316(_winreg_QueryValue) _winreg_QueryValue: reg_queryvalue failed with: WERR_BADFILE [2016/04/30 10:52:40.335791, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue out: struct winreg_QueryValue type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000000 (0) data_length : * data_length : 0x00000000 (0) result : WERR_BADFILE [2016/04/30 10:52:40.335819, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.335827, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.335836, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) 
auth_length : 0x0010 (16) call_id : 0x00000034 (52) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000002c (44) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=44 [0000] 14 00 02 00 00 00 00 00 18 00 02 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 1C 00 02 00 00 00 00 00 ........ ........ [0020] 20 00 02 00 00 00 00 00 02 00 00 00 ....... .... [2016/04/30 10:52:40.335941, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x04 (4) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.335960, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.335967, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 44 bytes [2016/04/30 10:52:40.335972, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 96 [2016/04/30 10:52:40.335995, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 96 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.336006, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 96 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.336013, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 96 status NT_STATUS_OK [2016/04/30 10:52:40.336019, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:96] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.336025, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/755/127 [2016/04/30 10:52:40.336435, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.336466, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 755 (position 755) from bitmap [2016/04/30 10:52:40.336471, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 755 [2016/04/30 10:52:40.336478, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.336488, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.336573, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.336609, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.336616, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 755, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.336621, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.336627, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 160 [2016/04/30 10:52:40.336632, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 160 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 160 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.336662, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 160 [2016/04/30 10:52:40.336668, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.336686, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.336694, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.336700, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.336704, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.336710, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8 [2016/04/30 10:52:40.336715, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.336720, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.336727, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.336734, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.336740, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.336745, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.336829, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.336864, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.336872, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.336877, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x11 - api_rpcTNP: rpc command: WINREG_QUERYVALUE [2016/04/30 10:52:40.336883, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[17].fn == 0x7f9b33e02820 [2016/04/30 10:52:40.336890, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue in: struct winreg_QueryValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 value_name : * value_name: struct winreg_String name_len : 0x0016 (22) name_size : 0x0016 (22) name : * name : 'ColorDepth' type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000004 (4) data_length : * data_length : 0x00000000 (0) [2016/04/30 10:52:40.336940, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.336959, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:263(_winreg_QueryValue) _winreg_QueryValue: policy key name = [HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration] [2016/04/30 10:52:40.336964, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:264(_winreg_QueryValue) _winreg_QueryValue: policy key type = [00000000] [2016/04/30 10:52:40.336970, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:316(_winreg_QueryValue) _winreg_QueryValue: reg_queryvalue failed with: WERR_BADFILE [2016/04/30 10:52:40.336975, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue out: struct winreg_QueryValue type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000000 (0) data_length : * data_length : 0x00000000 (0) result : WERR_BADFILE [2016/04/30 10:52:40.337002, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.337010, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.337018, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) 
auth_length : 0x0010 (16) call_id : 0x00000035 (53) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000002c (44) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=44 [0000] 14 00 02 00 00 00 00 00 18 00 02 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 1C 00 02 00 00 00 00 00 ........ ........ [0020] 20 00 02 00 00 00 00 00 02 00 00 00 ....... .... [2016/04/30 10:52:40.337123, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x04 (4) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.337142, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.337149, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 44 bytes [2016/04/30 10:52:40.337154, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 96 [2016/04/30 10:52:40.337175, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 96 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.337182, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 96 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.337188, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 96 status NT_STATUS_OK [2016/04/30 10:52:40.337193, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:96] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.337199, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/756/127 [2016/04/30 10:52:40.337632, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.337664, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 756 (position 756) from bitmap [2016/04/30 10:52:40.337669, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 756 [2016/04/30 10:52:40.337679, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.337685, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.337771, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.337806, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.337813, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 756, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.337818, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.337824, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 176 [2016/04/30 10:52:40.337829, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 176 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 176 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.337858, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 176 [2016/04/30 10:52:40.337867, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.337884, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.337890, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.337896, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.337900, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.337906, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 [2016/04/30 10:52:40.337911, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.337915, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.337923, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.337929, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.337936, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.337941, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.338024, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.338062, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.338068, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.338073, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x11 - api_rpcTNP: rpc command: WINREG_QUERYVALUE [2016/04/30 10:52:40.338079, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[17].fn == 0x7f9b33e02820 [2016/04/30 10:52:40.338086, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue in: struct winreg_QueryValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 value_name : * value_name: struct winreg_String name_len : 0x0022 (34) name_size : 0x0022 (34) name : * name : 'fDisablePNPRedir' type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000004 (4) data_length : * data_length : 0x00000000 (0) [2016/04/30 10:52:40.338136, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.338154, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:263(_winreg_QueryValue) _winreg_QueryValue: policy key name = [HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration] [2016/04/30 10:52:40.338160, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:264(_winreg_QueryValue) _winreg_QueryValue: policy key type = [00000000] [2016/04/30 10:52:40.338166, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:316(_winreg_QueryValue) _winreg_QueryValue: reg_queryvalue failed with: WERR_BADFILE [2016/04/30 10:52:40.338171, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue out: struct winreg_QueryValue type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000000 (0) data_length : * data_length : 0x00000000 (0) result : WERR_BADFILE [2016/04/30 10:52:40.338200, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.338209, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.338220, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) 
auth_length : 0x0010 (16) call_id : 0x00000036 (54) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000002c (44) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=44 [0000] 14 00 02 00 00 00 00 00 18 00 02 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 1C 00 02 00 00 00 00 00 ........ ........ [0020] 20 00 02 00 00 00 00 00 02 00 00 00 ....... .... [2016/04/30 10:52:40.338322, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x04 (4) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.338341, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.338348, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 44 bytes [2016/04/30 10:52:40.338353, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 96 [2016/04/30 10:52:40.338374, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 96 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.338381, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 96 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.338387, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 96 status NT_STATUS_OK [2016/04/30 10:52:40.338392, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:96] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.338398, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/757/127 [2016/04/30 10:52:40.338840, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.338874, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 757 (position 757) from bitmap [2016/04/30 10:52:40.338880, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 757 [2016/04/30 10:52:40.338887, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.338893, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.338977, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.339013, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.339019, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 757, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.339024, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.339030, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 80 [2016/04/30 10:52:40.339035, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 80 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 80 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.339067, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 80 [2016/04/30 10:52:40.339073, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.339090, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.339096, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.339101, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.339106, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.339112, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 [2016/04/30 10:52:40.339117, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.339121, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.339128, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.339135, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.339141, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.339146, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.339230, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.339268, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.339274, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.339279, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x5 - api_rpcTNP: rpc command: WINREG_CLOSEKEY [2016/04/30 10:52:40.339285, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[5].fn == 0x7f9b33e04880 [2016/04/30 10:52:40.339291, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000030-0000-0000-2457-58720a990000 [2016/04/30 10:52:40.339310, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... [2016/04/30 10:52:40.339329, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 30 00 00 00 00 00 00 00 24 57 58 72 ....0... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.339346, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:388(close_policy_hnd) Closed policy [2016/04/30 10:52:40.339351, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) regdb_close: decrementing refcount (2->1) [2016/04/30 10:52:40.339356, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2016/04/30 10:52:40.339377, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.339386, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.339394, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000037 (55) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ 
[2016/04/30 10:52:40.339483, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.339503, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.339509, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes [2016/04/30 10:52:40.339514, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80 [2016/04/30 10:52:40.339536, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.339542, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.339548, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK [2016/04/30 10:52:40.339554, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.339560, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/758/127 [2016/04/30 10:52:40.340033, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.340042, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 758 (position 758) from bitmap [2016/04/30 10:52:40.340047, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 758 [2016/04/30 10:52:40.340054, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.340063, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.340148, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.340184, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.340190, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 758, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.340196, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1489316331 [2016/04/30 10:52:40.340201, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 80 [2016/04/30 10:52:40.340206, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 80 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 80 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.340235, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 80 [2016/04/30 10:52:40.340241, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.340258, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.340267, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.340272, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.340277, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.340282, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 [2016/04/30 10:52:40.340287, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.340292, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.340299, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.340306, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.340312, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.340317, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.340401, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.340436, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.340444, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.340449, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x5 - api_rpcTNP: rpc command: WINREG_CLOSEKEY [2016/04/30 10:52:40.340455, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[5].fn == 0x7f9b33e04880 [2016/04/30 10:52:40.340460, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0000002f-0000-0000-2457-58720a990000 [2016/04/30 10:52:40.340479, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 2F 00 00 00 00 00 00 00 24 57 58 72 ..../... ....$WXr [0010] 0A 99 00 00 .... [2016/04/30 10:52:40.340498, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 2F 00 00 00 00 00 00 00 24 57 58 72 ..../... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.340515, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:388(close_policy_hnd) Closed policy [2016/04/30 10:52:40.340520, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) regdb_close: decrementing refcount (1->0) [2016/04/30 10:52:40.340539, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2016/04/30 10:52:40.340562, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.340571, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.340580, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000038 (56) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ 
[2016/04/30 10:52:40.340670, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.340689, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.340696, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes [2016/04/30 10:52:40.340701, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80 [2016/04/30 10:52:40.340724, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.340730, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.340737, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK [2016/04/30 10:52:40.340742, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.340748, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/759/127 [2016/04/30 10:52:40.341225, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.341232, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 759 (position 759) from bitmap [2016/04/30 10:52:40.341238, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_CLOSE] mid = 759 [2016/04/30 10:52:40.341245, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.341250, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.341339, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.341376, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.341383, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_close.c:227(smbd_smb2_close) smbd_smb2_close: winreg - fnum 1489316331 [2016/04/30 10:52:40.341390, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.341396, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_open_global.tdb 2: 3: [2016/04/30 10:52:40.341403, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 12A2B6D0 [2016/04/30 10:52:40.341411, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353dfc40 [2016/04/30 10:52:40.341420, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 12A2B6D0 [2016/04/30 10:52:40.341425, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.341430, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:40.341444, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:418(close_policy_by_pipe) Deleted handle list for RPC connection winreg [2016/04/30 10:52:40.341460, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:554(file_free) freed files structure 1489316331 (1 used) [2016/04/30 10:52:40.341468, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[60] dyn[no:0] at ../source3/smbd/smb2_close.c:144 [2016/04/30 10:52:40.341474, 10, pid=39178, effective(0, 1015), 
real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/760/127 [2016/04/30 10:52:40.342220, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.342234, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 760 (position 760) from bitmap [2016/04/30 10:52:40.342240, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 760 [2016/04/30 10:52:40.342248, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.342254, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: 
S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.342340, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.342376, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.342384, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_create.c:501(smbd_smb2_create_send) smbd_smb2_create: name[srvsvc] [2016/04/30 10:52:40.342393, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.342399, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_open_global.tdb 2: 3: [2016/04/30 10:52:40.342406, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 3FF693DC [2016/04/30 10:52:40.342412, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353e9610 
[2016/04/30 10:52:40.342417, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smbXsrv_open.c:587(smbXsrv_open_global_verify_record) smbXsrv_open_global_verify_record: empty value [2016/04/30 10:52:40.342435, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smbXsrv_open.c:706(smbXsrv_open_global_store) smbXsrv_open_global_store: key '3FF693DC' stored [2016/04/30 10:52:40.342442, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &global_blob: struct smbXsrv_open_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_open_globalU(case 0) info0 : * info0: struct smbXsrv_open_global0 db_rec : * server_id: struct server_id pid : 0x000000000000990a (39178) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xee090ec3329c23cf (-1294487186361801777) open_global_id : 0x3ff693dc (1073124316) open_persistent_id : 0x000000003ff693dc (1073124316) open_volatile_id : 0x000000003f3a5a58 (1060788824) open_owner : S-1-5-21-1193122258-3968554332-1479395916-1000 open_time : Sat Apr 30 10:52:40 2016 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 [2016/04/30 10:52:40.342512, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 3FF693DC [2016/04/30 10:52:40.342517, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.342522, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:40.342528, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smbXsrv_open.c:880(smbXsrv_open_create) smbXsrv_open_create: global_id (0x3ff693dc) stored [2016/04/30 10:52:40.342533, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &open_blob: struct smbXsrv_openB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_openU(case 0) info0 : * info0: struct smbXsrv_open table : * db_rec : NULL local_id : 0x3f3a5a58 (1060788824) global : * global: struct smbXsrv_open_global0 db_rec : NULL server_id: struct server_id pid : 0x000000000000990a (39178) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xee090ec3329c23cf (-1294487186361801777) open_global_id : 0x3ff693dc (1073124316) open_persistent_id : 0x000000003ff693dc (1073124316) open_volatile_id : 0x000000003f3a5a58 (1060788824) open_owner : S-1-5-21-1193122258-3968554332-1479395916-1000 open_time : Sat Apr 30 10:52:40 2016 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 status : NT_STATUS_OK idle_time : Sat Apr 30 10:52:40 2016 CEST compat : NULL [2016/04/30 10:52:40.342623, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:128(file_new) allocated file structure fnum 1060788824 (2 used) [2016/04/30 10:52:40.342630, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:745(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2016/04/30 10:52:40.342639, 4, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:89(make_internal_rpc_pipe_socketpair) Create of internal pipe srvsvc requested [2016/04/30 10:52:40.342679, 8, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/dosmode.c:583(dos_mode) dos_mode: srvsvc [2016/04/30 10:52:40.342688, 10, pid=39178, 
effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_create.c:1303(smbd_smb2_create_send) smbd_smb2_create_send: srvsvc - fnum 1060788824 [2016/04/30 10:52:40.342695, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[88] dyn[yes:0] at ../source3/smbd/smb2_create.c:364 [2016/04/30 10:52:40.342702, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/761/127 [2016/04/30 10:52:40.343233, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.343258, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 761 (position 761) from bitmap [2016/04/30 10:52:40.343265, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 761 [2016/04/30 10:52:40.343272, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.343279, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: 
S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.343369, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.343406, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.343414, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 761, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.343419, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: srvsvc - fnum 1060788824 [2016/04/30 10:52:40.343427, 
10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.343434, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.343440, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/762/127 [2016/04/30 10:52:40.343793, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.343806, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 762 (position 762) from bitmap [2016/04/30 10:52:40.343813, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 762 [2016/04/30 10:52:40.343820, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.343826, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: 
S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.343917, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.343954, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.343961, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 762, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.343966, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: srvsvc - fnum 1060788824 [2016/04/30 10:52:40.343973, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.343980, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.343986, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/763/127 [2016/04/30 10:52:40.344213, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.344246, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 763 (position 763) from bitmap [2016/04/30 10:52:40.344252, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 763 [2016/04/30 10:52:40.344259, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.344264, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: 
S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.344353, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.344389, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.344395, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 763, CreditCharge: 1, 
NeededCharge: 1 [2016/04/30 10:52:40.344400, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: srvsvc - fnum 1060788824 [2016/04/30 10:52:40.344407, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.344413, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.344419, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/764/127 [2016/04/30 10:52:40.344852, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.344860, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 764 (position 764) from bitmap [2016/04/30 10:52:40.344866, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_WRITE] mid = 764 [2016/04/30 10:52:40.344872, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.344877, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: 
S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.344964, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.345000, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.345007, 10, pid=39178, effective(0, 1015), 
real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 764, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.345012, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_write.c:290(smbd_smb2_write_send) smbd_smb2_write: srvsvc - fnum 1060788824 [2016/04/30 10:52:40.345017, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 116 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 48 req->in.vector[4].iov_len = 116 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.345048, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[16] dyn[yes:0] at ../source3/smbd/smb2_write.c:164 [2016/04/30 10:52:40.345056, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/765/127 [2016/04/30 10:52:40.345078, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.345085, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 11 [2016/04/30 10:52:40.345092, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:728(api_pipe_bind_req) api_pipe_bind_req: srvsvc -> srvsvc rpc service [2016/04/30 10:52:40.345101, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:761(api_pipe_bind_req) api_pipe_bind_req: make response. 761 [2016/04/30 10:52:40.345106, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:356(check_bind_req) check_bind_req for srvsvc context_id=0 [2016/04/30 10:52:40.345111, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:399(check_bind_req) check_bind_req: srvsvc -> srvsvc rpc service [2016/04/30 10:52:40.345117, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:223(init_pipe_handles) init_pipe_handle_list: created handle list for pipe srvsvc [2016/04/30 10:52:40.345122, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:240(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe srvsvc [2016/04/30 10:52:40.345133, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) 
bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) reason : union dcerpc_bind_ack_reason(case 0) value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2016/04/30 10:52:40.345227, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 0 bytes [2016/04/30 10:52:40.345232, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 68 [2016/04/30 10:52:40.345448, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.345479, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 765 (position 765) from bitmap [2016/04/30 10:52:40.345485, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_READ] mid = 765 [2016/04/30 10:52:40.345495, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.345500, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: 
S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.345585, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.345621, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.345628, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 765, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.345633, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_read.c:463(smbd_smb2_read_send) smbd_smb2_read: srvsvc - fnum 1060788824 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 48 req->in.vector[4].iov_len = 1 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.345669, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 68 bytes. There is no more data outstanding [2016/04/30 10:52:40.345676, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[16] dyn[yes:68] at ../source3/smbd/smb2_read.c:164 [2016/04/30 10:52:40.345683, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/766/127 [2016/04/30 10:52:40.346215, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.346235, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 766 (position 766) from bitmap [2016/04/30 10:52:40.346250, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 766 [2016/04/30 10:52:40.346257, 4, pid=39178, 
effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.346263, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.346347, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 
9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.346382, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.346388, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 766, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.346393, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] srvsvc, fnum 1060788824 [2016/04/30 10:52:40.346398, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 64 [2016/04/30 10:52:40.346403, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 64 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 64 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.346434, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 64 [2016/04/30 10:52:40.346441, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.346458, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.346464, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.346469, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.346476, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.346482, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.346488, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 
4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.346572, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.346606, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.346614, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested srvsvc rpc service [2016/04/30 10:52:40.346619, 4, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: srvsvc op 0x15 - api_rpcTNP: rpc command: SRVSVC_NETSRVGETINFO [2016/04/30 10:52:40.346625, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[21].fn == 0x7f9b33dc62d0 [2016/04/30 10:52:40.346632, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) srvsvc_NetSrvGetInfo: struct srvsvc_NetSrvGetInfo in: struct srvsvc_NetSrvGetInfo server_unc : * server_unc : '\\SERWER2' level : 0x00000065 (101) [2016/04/30 10:52:40.346648, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1304(_srvsvc_NetSrvGetInfo) _srvsvc_NetSrvGetInfo: 1304 [2016/04/30 10:52:40.346655, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] 
../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1382(_srvsvc_NetSrvGetInfo) _srvsvc_NetSrvGetInfo: 1382 [2016/04/30 10:52:40.346660, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) srvsvc_NetSrvGetInfo: struct srvsvc_NetSrvGetInfo out: struct srvsvc_NetSrvGetInfo info : * info : union srvsvc_NetSrvInfo(case 101) info101 : * info101: struct srvsvc_NetSrvInfo101 platform_id : PLATFORM_ID_NT (500) server_name : * server_name : 'SERWER2' version_major : 0x00000006 (6) version_minor : 0x00000001 (1) server_type : 0x00809a2b (8428075) 1: SV_TYPE_WORKSTATION 1: SV_TYPE_SERVER 0: SV_TYPE_SQLSERVER 1: SV_TYPE_DOMAIN_CTRL 0: SV_TYPE_DOMAIN_BAKCTRL 1: SV_TYPE_TIME_SOURCE 0: SV_TYPE_AFP 0: SV_TYPE_NOVELL 0: SV_TYPE_DOMAIN_MEMBER 1: SV_TYPE_PRINTQ_SERVER 0: SV_TYPE_DIALIN_SERVER 1: SV_TYPE_SERVER_UNIX 1: SV_TYPE_NT 0: SV_TYPE_WFW 0: SV_TYPE_SERVER_MFPN 1: SV_TYPE_SERVER_NT 0: SV_TYPE_POTENTIAL_BROWSER 0: SV_TYPE_BACKUP_BROWSER 0: SV_TYPE_MASTER_BROWSER 0: SV_TYPE_DOMAIN_MASTER 0: SV_TYPE_SERVER_OSF 0: SV_TYPE_SERVER_VMS 0: SV_TYPE_WIN95_PLUS 1: SV_TYPE_DFS_SERVER 0: SV_TYPE_ALTERNATE_XPORT 0: SV_TYPE_LOCAL_LIST_ONLY 0: SV_TYPE_DOMAIN_ENUM comment : * comment : 'TS' result : WERR_OK [2016/04/30 10:52:40.346771, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called srvsvc successfully [2016/04/30 10:52:40.346780, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.346788, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: 
DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x006c (108) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=84 [0000] 65 00 00 00 04 00 02 00 F4 01 00 00 08 00 02 00 e....... ........ [0010] 06 00 00 00 01 00 00 00 2B 9A 80 00 0C 00 02 00 ........ +....... [0020] 08 00 00 00 00 00 00 00 08 00 00 00 53 00 45 00 ........ ....S.E. [0030] 52 00 57 00 45 00 52 00 32 00 00 00 03 00 00 00 R.W.E.R. 2....... [0040] 00 00 00 00 03 00 00 00 54 00 53 00 00 00 00 00 ........ T.S..... [0050] 00 00 00 00 .... [2016/04/30 10:52:40.346924, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 84 bytes [2016/04/30 10:52:40.346929, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 108 [2016/04/30 10:52:40.346950, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 108 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.346957, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 108 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.346963, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 108 status NT_STATUS_OK [2016/04/30 10:52:40.346968, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:108] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.346975, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/767/127 [2016/04/30 10:52:40.347443, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.347473, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 767 (position 767) from bitmap [2016/04/30 10:52:40.347482, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_CLOSE] mid = 767 [2016/04/30 10:52:40.347488, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.347494, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.347580, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.347615, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.347622, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_close.c:227(smbd_smb2_close) smbd_smb2_close: srvsvc - fnum 1060788824 [2016/04/30 10:52:40.347628, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.347633, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_open_global.tdb 2: 3: [2016/04/30 10:52:40.347640, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 3FF693DC [2016/04/30 10:52:40.347646, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353eff60 [2016/04/30 10:52:40.347654, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 3FF693DC [2016/04/30 10:52:40.347659, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.347667, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:40.347678, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:418(close_policy_by_pipe) Deleted handle list for RPC connection srvsvc [2016/04/30 10:52:40.347689, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:554(file_free) freed files structure 1060788824 (1 used) [2016/04/30 10:52:40.347696, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[60] dyn[no:0] at ../source3/smbd/smb2_close.c:144 [2016/04/30 10:52:40.347702, 10, pid=39178, effective(0, 1015), 
real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/768/127 [2016/04/30 10:52:40.348548, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.348580, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 768 (position 768) from bitmap [2016/04/30 10:52:40.348585, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 768 [2016/04/30 10:52:40.348591, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.348597, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: 
S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.348681, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.348719, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.348726, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_create.c:501(smbd_smb2_create_send) smbd_smb2_create: name[winreg] [2016/04/30 10:52:40.348733, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.348738, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_open_global.tdb 2: 3: [2016/04/30 10:52:40.348744, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 69D9A458 [2016/04/30 10:52:40.348751, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353db2b0 
[2016/04/30 10:52:40.348756, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smbXsrv_open.c:587(smbXsrv_open_global_verify_record) smbXsrv_open_global_verify_record: empty value [2016/04/30 10:52:40.348767, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smbXsrv_open.c:706(smbXsrv_open_global_store) smbXsrv_open_global_store: key '69D9A458' stored [2016/04/30 10:52:40.348772, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &global_blob: struct smbXsrv_open_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_open_globalU(case 0) info0 : * info0: struct smbXsrv_open_global0 db_rec : * server_id: struct server_id pid : 0x000000000000990a (39178) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xee090ec3329c23cf (-1294487186361801777) open_global_id : 0x69d9a458 (1775871064) open_persistent_id : 0x0000000069d9a458 (1775871064) open_volatile_id : 0x0000000042f17ffa (1123123194) open_owner : S-1-5-21-1193122258-3968554332-1479395916-1000 open_time : Sat Apr 30 10:52:40 2016 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 [2016/04/30 10:52:40.348840, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 69D9A458 [2016/04/30 10:52:40.348845, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.348850, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:40.348856, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smbXsrv_open.c:880(smbXsrv_open_create) smbXsrv_open_create: global_id (0x69d9a458) stored [2016/04/30 10:52:40.348860, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &open_blob: struct smbXsrv_openB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_openU(case 0) info0 : * info0: struct smbXsrv_open table : * db_rec : NULL local_id : 0x42f17ffa (1123123194) global : * global: struct smbXsrv_open_global0 db_rec : NULL server_id: struct server_id pid : 0x000000000000990a (39178) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xee090ec3329c23cf (-1294487186361801777) open_global_id : 0x69d9a458 (1775871064) open_persistent_id : 0x0000000069d9a458 (1775871064) open_volatile_id : 0x0000000042f17ffa (1123123194) open_owner : S-1-5-21-1193122258-3968554332-1479395916-1000 open_time : Sat Apr 30 10:52:40 2016 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 status : NT_STATUS_OK idle_time : Sat Apr 30 10:52:40 2016 CEST compat : NULL [2016/04/30 10:52:40.348950, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:128(file_new) allocated file structure fnum 1123123194 (2 used) [2016/04/30 10:52:40.348957, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:745(file_name_hash) file_name_hash: /tmp/winreg hash 0x718d6f2 [2016/04/30 10:52:40.348964, 4, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:89(make_internal_rpc_pipe_socketpair) Create of internal pipe winreg requested [2016/04/30 10:52:40.348998, 8, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/dosmode.c:583(dos_mode) dos_mode: winreg [2016/04/30 10:52:40.349005, 10, pid=39178, effective(0, 
1015), real(0, 0)] ../source3/smbd/smb2_create.c:1303(smbd_smb2_create_send) smbd_smb2_create_send: winreg - fnum 1123123194 [2016/04/30 10:52:40.349012, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[88] dyn[yes:0] at ../source3/smbd/smb2_create.c:364 [2016/04/30 10:52:40.349019, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/769/127 [2016/04/30 10:52:40.349428, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.349459, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 769 (position 769) from bitmap [2016/04/30 10:52:40.349464, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 769 [2016/04/30 10:52:40.349471, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.349479, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: 
S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.349564, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.349601, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.349607, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 769, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.349613, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: winreg - fnum 1123123194 [2016/04/30 10:52:40.349620, 
10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.349626, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.349632, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/770/127 [2016/04/30 10:52:40.350005, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.350024, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 770 (position 770) from bitmap [2016/04/30 10:52:40.350043, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 770 [2016/04/30 10:52:40.350050, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.350055, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: 
S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.350139, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.350174, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.350180, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 770, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.350185, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: winreg - fnum 1123123194 [2016/04/30 10:52:40.350191, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.350198, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.350204, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/771/127 [2016/04/30 10:52:40.350414, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.350448, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 771 (position 771) from bitmap [2016/04/30 10:52:40.350453, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 771 [2016/04/30 10:52:40.350459, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.350465, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: 
S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.350549, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.350584, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.350590, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 771, CreditCharge: 1, 
NeededCharge: 1 [2016/04/30 10:52:40.350595, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: winreg - fnum 1123123194 [2016/04/30 10:52:40.350601, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.350607, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.350612, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/772/127 [2016/04/30 10:52:40.350930, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.350950, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 772 (position 772) from bitmap [2016/04/30 10:52:40.350966, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_WRITE] mid = 772 [2016/04/30 10:52:40.350972, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.350977, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: 
S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.351060, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.351094, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.351100, 10, pid=39178, effective(0, 1015), 
real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 772, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.351105, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_write.c:290(smbd_smb2_write_send) smbd_smb2_write: winreg - fnum 1123123194 [2016/04/30 10:52:40.351111, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 164 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 48 req->in.vector[4].iov_len = 164 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.351144, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[16] dyn[yes:0] at ../source3/smbd/smb2_write.c:164 [2016/04/30 10:52:40.351151, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/773/127 [2016/04/30 10:52:40.351172, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.351179, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 11 [2016/04/30 10:52:40.351185, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:728(api_pipe_bind_req) api_pipe_bind_req: winreg -> winreg rpc service [2016/04/30 10:52:40.351190, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:761(api_pipe_bind_req) api_pipe_bind_req: make response. 761 [2016/04/30 10:52:40.351195, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:356(check_bind_req) check_bind_req for winreg context_id=0 [2016/04/30 10:52:40.351200, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:399(check_bind_req) check_bind_req: winreg -> winreg rpc service [2016/04/30 10:52:40.351205, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:223(init_pipe_handles) init_pipe_handle_list: created handle list for pipe winreg [2016/04/30 10:52:40.351210, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:240(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe winreg [2016/04/30 10:52:40.351217, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0 [2016/04/30 10:52:40.351222, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.351228, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 0 [2016/04/30 10:52:40.351233, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) 
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.351238, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.351242, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.351253, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:484(make_auth_context_subsystem) Making default auth method list for DC [2016/04/30 10:52:40.351260, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match guest [2016/04/30 10:52:40.351265, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method guest has a valid init [2016/04/30 10:52:40.351271, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match sam [2016/04/30 10:52:40.351279, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method sam has a valid init [2016/04/30 10:52:40.351284, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match winbind:trustdomain [2016/04/30 10:52:40.351289, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match trustdomain [2016/04/30 10:52:40.351294, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method trustdomain has a valid init [2016/04/30 10:52:40.351298, 5, pid=39178, effective(0, 
0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method winbind has a valid init [2016/04/30 10:52:40.351318, 5, pid=39178, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech) Starting GENSEC mechanism ntlmssp [2016/04/30 10:52:40.351330, 3, pid=39178, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe20882b7 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_NEGOTIATE_OEM NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_SEAL NTLMSSP_NEGOTIATE_LM_KEY NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP_NEGOTIATE_56 [2016/04/30 10:52:40.351364, 1, pid=39178, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) negotiate: struct NEGOTIATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmNegotiate (1) NegotiateFlags : 0xe20882b7 (3792208567) 1: NTLMSSP_NEGOTIATE_UNICODE 1: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 1: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 1: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 1: NTLMSSP_NEGOTIATE_56 DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : NULL WorkstationLen : 0x0000 (0) WorkstationMaxLen : 0x0000 (0) Workstation : NULL Version: struct 
ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0) ProductBuild : 0x1772 (6002) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) [2016/04/30 10:52:40.351492, 1, pid=39178, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) challenge: struct CHALLENGE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmChallenge (0x2) TargetNameLen : 0x0014 (20) TargetNameMaxLen : 0x0014 (20) TargetName : * TargetName : 'TRASKOSTAL' NegotiateFlags : 0xe2898235 (3800662581) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 1: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 1: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 1: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 1: NTLMSSP_NEGOTIATE_56 ServerChallenge : 543042cc5b332286 Reserved : 0000000000000000 TargetInfoLen : 0x008e (142) TargetInfoMaxLen : 0x008e (142) TargetInfo : * TargetInfo: struct AV_PAIR_LIST count : 0x00000006 (6) pair: ARRAY(6) pair: struct AV_PAIR AvId : MsvAvNbDomainName (0x2) AvLen : 0x0014 (20) Value : union ntlmssp_AvValue(case 0x2) AvNbDomainName : 'TRASKOSTAL' pair: struct AV_PAIR AvId : MsvAvNbComputerName (0x1) AvLen : 0x000e (14) Value : union ntlmssp_AvValue(case 0x1) AvNbComputerName : 'SERWER2' pair: struct AV_PAIR AvId : MsvAvDnsDomainName (0x4) AvLen : 0x001e (30) Value : union 
ntlmssp_AvValue(case 0x4) AvDnsDomainName : 'trasko.intranet' pair: struct AV_PAIR AvId : MsvAvDnsComputerName (0x3) AvLen : 0x002e (46) Value : union ntlmssp_AvValue(case 0x3) AvDnsComputerName : 'serwer2.trasko.intranet' pair: struct AV_PAIR AvId : MsvAvTimestamp (0x7) AvLen : 0x0008 (8) Value : union ntlmssp_AvValue(case 0x7) AvTimestamp : Sat Apr 30 10:52:40 2016 CEST pair: struct AV_PAIR AvId : MsvAvEOL (0x0) AvLen : 0x0000 (0) Value : union ntlmssp_AvValue(case 0x0) Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (0x6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (0x1) ProductBuild : 0x0000 (0) Reserved : 000000 NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF) [2016/04/30 10:52:40.351680, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.351691, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x07 (7) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 1: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x00da (218) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\winreg' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) reason : union dcerpc_bind_ack_reason(case 0) value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) syntax: struct 
ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2016/04/30 10:52:40.351782, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x00 (0) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=218
[2016/04/30 10:52:40.351982, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 0 bytes [2016/04/30 10:52:40.351987, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 294 [2016/04/30 10:52:40.352011, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.352038, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 773 (position 773) from bitmap [2016/04/30 10:52:40.352057, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_READ] mid = 773 [2016/04/30 10:52:40.352063, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.352077, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: 
S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.352153, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.352186, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.352192, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 773, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.352196, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_read.c:463(smbd_smb2_read_send) smbd_smb2_read: winreg - fnum 1123123194 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 48 req->in.vector[4].iov_len = 1 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 
req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.352232, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 294 bytes. There is no more data outstanding [2016/04/30 10:52:40.352238, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[16] dyn[yes:294] at ../source3/smbd/smb2_read.c:164 [2016/04/30 10:52:40.352244, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/774/127 [2016/04/30 10:52:40.352781, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.352800, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 774 (position 774) from bitmap [2016/04/30 10:52:40.352815, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_WRITE] mid = 774 [2016/04/30 10:52:40.352821, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.352826, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: 
S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.352900, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.352935, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.352941, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 774, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.352945, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smb2_write.c:290(smbd_smb2_write_send) smbd_smb2_write: winreg - fnum 1123123194 [2016/04/30 10:52:40.352950, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 450 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 48 req->in.vector[4].iov_len = 450 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.352976, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[16] dyn[yes:0] at ../source3/smbd/smb2_write.c:164 [2016/04/30 10:52:40.352982, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/775/127 [2016/04/30 10:52:40.353001, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! [2016/04/30 10:52:40.353006, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 16 [2016/04/30 10:52:40.353011, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:938(api_pipe_bind_auth3) api_pipe_bind_auth3: decode request. 
938 [2016/04/30 10:52:40.353024, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0 [2016/04/30 10:52:40.353030, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.353036, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 0 [2016/04/30 10:52:40.353041, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.353045, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.353050, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.353075, 1, pid=39178, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) authenticate: struct AUTHENTICATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmAuthenticate (3) LmChallengeResponseLen : 0x0018 (24) LmChallengeResponseMaxLen: 0x0018 (24) LmChallengeResponse : * LmChallengeResponse : union ntlmssp_LM_RESPONSE(case 24) v1: struct LM_RESPONSE Response : 000000000000000000000000000000000000000000000000 NtChallengeResponseLen : 0x00fe (254) NtChallengeResponseMaxLen: 0x00fe (254) NtChallengeResponse : * NtChallengeResponse : union ntlmssp_NTLM_RESPONSE(case 254) v2: struct NTLMv2_RESPONSE Response : 10ec5e0291fff9f9e69744e50a4b3e43 Challenge: struct NTLMv2_CLIENT_CHALLENGE RespType : 0x01 (1) HiRespType : 0x01 (1) Reserved1 : 0x0000 (0) Reserved2 : 0x00000000 (0) TimeStamp : Sat Apr 30 10:52:40 2016 CEST ChallengeFromClient : 36f41cc89707c7a0 Reserved3 : 0x00000000 (0) AvPairs: 
struct AV_PAIR_LIST count : 0x00000008 (8) pair: ARRAY(8) pair: struct AV_PAIR AvId : MsvAvNbDomainName (0x2) AvLen : 0x0014 (20) Value : union ntlmssp_AvValue(case 0x2) AvNbDomainName : 'TRASKOSTAL' pair: struct AV_PAIR AvId : MsvAvNbComputerName (0x1) AvLen : 0x000e (14) Value : union ntlmssp_AvValue(case 0x1) AvNbComputerName : 'SERWER2' pair: struct AV_PAIR AvId : MsvAvDnsDomainName (0x4) AvLen : 0x001e (30) Value : union ntlmssp_AvValue(case 0x4) AvDnsDomainName : 'trasko.intranet' pair: struct AV_PAIR AvId : MsvAvDnsComputerName (0x3) AvLen : 0x002e (46) Value : union ntlmssp_AvValue(case 0x3) AvDnsComputerName : 'serwer2.trasko.intranet' pair: struct AV_PAIR AvId : MsvAvTimestamp (0x7) AvLen : 0x0008 (8) Value : union ntlmssp_AvValue(case 0x7) AvTimestamp : Sat Apr 30 10:52:40 2016 CEST pair: struct AV_PAIR AvId : MsvAvFlags (0x6) AvLen : 0x0004 (4) Value : union ntlmssp_AvValue(case 0x6) AvFlags : 0x00000002 (2) 0: NTLMSSP_AVFLAG_CONSTRAINTED_ACCOUNT 1: NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE 0: NTLMSSP_AVFLAG_TARGET_SPN_FROM_UNTRUSTED_SOURCE pair: struct AV_PAIR AvId : MsvAvSingleHost (0x8) AvLen : 0x0030 (48) Value : union ntlmssp_AvValue(case 0x8) AvSingleHost: struct ntlmssp_SingleHostData Size : 0x00000030 (48) Z4 : 0x00000000 (0) token_info: struct LSAP_TOKEN_INFO_INTEGRITY Flags : 0x00000000 (0) TokenIL : 0x00003000 (12288) MachineId : 366c8a5d29f2ac1a61e0a306dbb7f8712dfb609389ecc7c4b2ce0aaf56c02e5c remaining : DATA_BLOB length=0 pair: struct AV_PAIR AvId : MsvAvEOL (0x0) AvLen : 0x0000 (0) Value : union ntlmssp_AvValue(case 0x0) DomainNameLen : 0x0014 (20) DomainNameMaxLen : 0x0014 (20) DomainName : * DomainName : 'TRASKOSTAL' UserNameLen : 0x000c (12) UserNameMaxLen : 0x000c (12) UserName : * UserName : 'admink' WorkstationLen : 0x0008 (8) WorkstationMaxLen : 0x0008 (8) Workstation : * Workstation : 'TS78' EncryptedRandomSessionKeyLen: 0x0010 (16) EncryptedRandomSessionKeyMaxLen: 0x0010 (16) EncryptedRandomSessionKey: * 
EncryptedRandomSessionKey: DATA_BLOB length=16 [0000] B2 B9 EC 94 5C 1F E6 85 51 BA DE 3D FF AE D1 B2 ....\... Q..=.... NegotiateFlags : 0xe2888235 (3800597045) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 1: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 1: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 1: NTLMSSP_NEGOTIATE_56 Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0) ProductBuild : 0x1772 (6002) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) [2016/04/30 10:52:40.353413, 3, pid=39178, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:449(ntlmssp_server_preauth) Got user=[admink] domain=[TRASKOSTAL] workstation=[TS78] len1=24 len2=254 [2016/04/30 10:52:40.353423, 10, pid=39178, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:480(ntlmssp_server_preauth) [2016/04/30 10:52:40.353426, 1, pid=39178, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &v2_resp: struct NTLMv2_RESPONSE Response : 10ec5e0291fff9f9e69744e50a4b3e43 Challenge: struct NTLMv2_CLIENT_CHALLENGE RespType : 0x01 (1) HiRespType : 0x01 (1) Reserved1 : 0x0000 (0) Reserved2 : 0x00000000 (0) TimeStamp : Sat Apr 30 10:52:40 2016 CEST ChallengeFromClient : 36f41cc89707c7a0 
Reserved3 : 0x00000000 (0) AvPairs: struct AV_PAIR_LIST count : 0x00000008 (8) pair: ARRAY(8) pair: struct AV_PAIR AvId : MsvAvNbDomainName (0x2) AvLen : 0x0014 (20) Value : union ntlmssp_AvValue(case 0x2) AvNbDomainName : 'TRASKOSTAL' pair: struct AV_PAIR AvId : MsvAvNbComputerName (0x1) AvLen : 0x000e (14) Value : union ntlmssp_AvValue(case 0x1) AvNbComputerName : 'SERWER2' pair: struct AV_PAIR AvId : MsvAvDnsDomainName (0x4) AvLen : 0x001e (30) Value : union ntlmssp_AvValue(case 0x4) AvDnsDomainName : 'trasko.intranet' pair: struct AV_PAIR AvId : MsvAvDnsComputerName (0x3) AvLen : 0x002e (46) Value : union ntlmssp_AvValue(case 0x3) AvDnsComputerName : 'serwer2.trasko.intranet' pair: struct AV_PAIR AvId : MsvAvTimestamp (0x7) AvLen : 0x0008 (8) Value : union ntlmssp_AvValue(case 0x7) AvTimestamp : Sat Apr 30 10:52:40 2016 CEST pair: struct AV_PAIR AvId : MsvAvFlags (0x6) AvLen : 0x0004 (4) Value : union ntlmssp_AvValue(case 0x6) AvFlags : 0x00000002 (2) 0: NTLMSSP_AVFLAG_CONSTRAINTED_ACCOUNT 1: NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE 0: NTLMSSP_AVFLAG_TARGET_SPN_FROM_UNTRUSTED_SOURCE pair: struct AV_PAIR AvId : MsvAvSingleHost (0x8) AvLen : 0x0030 (48) Value : union ntlmssp_AvValue(case 0x8) AvSingleHost: struct ntlmssp_SingleHostData Size : 0x00000030 (48) Z4 : 0x00000000 (0) token_info: struct LSAP_TOKEN_INFO_INTEGRITY Flags : 0x00000000 (0) TokenIL : 0x00003000 (12288) MachineId : 366c8a5d29f2ac1a61e0a306dbb7f8712dfb609389ecc7c4b2ce0aaf56c02e5c remaining : DATA_BLOB length=0 pair: struct AV_PAIR AvId : MsvAvEOL (0x0) AvLen : 0x0000 (0) Value : union ntlmssp_AvValue(case 0x0) [2016/04/30 10:52:40.353591, 3, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:3740(lp_load_ex) lp_load_ex: refreshing parameters [2016/04/30 10:52:40.353597, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1322(free_param_opts) Freeing parametrics: [2016/04/30 10:52:40.353627, 3, pid=39178, effective(0, 0), real(0, 0)] 
../source3/param/loadparm.c:545(init_globals) Initialising global parameters [2016/04/30 10:52:40.353673, 3, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2669(lp_do_section) Processing section "[global]" doing parameter unix charset = UTF-8 doing parameter dos charset = CP852 doing parameter workgroup = TRASKOSTAL doing parameter server string = TS doing parameter obey pam restrictions = Yes doing parameter lanman auth = Yes doing parameter map untrusted to domain = Yes doing parameter log file = /var/log/samba/log.%U.%m doing parameter name resolve order = wins bcast hosts doing parameter time server = Yes doing parameter add user script = /etc/samba/smbuseradd.sh '%u' doing parameter delete user script = /etc/samba/smbuserdel.sh '%u' doing parameter add group script = /etc/samba/smbgrpadd.sh '%g' doing parameter delete group script = /etc/samba/smbgrpdel.sh '%g' doing parameter add user to group script = /etc/samba/smbtogrpadd.sh '%u' '%g' doing parameter delete user from group script = /etc/samba/smbfromgrpdel.sh '%u' '%g' doing parameter set primary group script = /etc/samba/smbsetgrpprime.sh '%u' '%g' doing parameter add machine script = /etc/samba/smbmachadd.sh '%u' doing parameter logon script = general.bat doing parameter domain logons = Yes doing parameter wins support = Yes doing parameter os level = 130 doing parameter preferred master = Yes doing parameter domain master = Yes doing parameter local master = Yes doing parameter dns proxy = No doing parameter panic action = /usr/share/samba/panic-action %d doing parameter idmap config * : range = 10000-20000 doing parameter winbind enum users = Yes doing parameter winbind enum groups = Yes doing parameter idmap config * : backend = tdb doing parameter admin users = admink doing parameter map acl inherit = Yes doing parameter use client driver = Yes doing parameter veto files = lost+found/RECYCLER/aquota.group/aquota.user/ doing parameter allow nt4 crypto = yes doing parameter require 
strong key = false doing parameter winbind sealed pipes = false doing parameter winbind expand groups = 10 doing parameter smb2 leases = yes doing parameter dbwrap_tdb_mutexes:* = yes doing parameter debug level = 10 [2016/04/30 10:52:40.353939, 5, pid=39178, effective(0, 0), real(0, 0)] ../lib/util/debug.c:638(debug_dump_status) INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 doing parameter log file = /var/log/samba/debug_%m.log doing parameter max log size = 5000 doing parameter allow dcerpc auth level connect = yes [2016/04/30 10:52:40.353995, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[printers]" doing parameter comment = All Printers doing parameter path = /srv/samba/printers doing parameter create mask = 0777 doing parameter guest ok = Yes doing parameter printable = Yes doing parameter print ok = Yes doing parameter default devmode = No doing parameter browseable = No [2016/04/30 10:52:40.354050, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[print$]" doing parameter comment = Printer Drivers doing parameter path = /var/lib/samba/printers doing parameter write list = root, admink doing parameter read only = No doing parameter guest ok = Yes [2016/04/30 10:52:40.354071, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[netlogon]" doing parameter comment = Zasob administracyjny doing parameter path = /srv/samba/netlogon doing parameter read only = No doing parameter inherit acls = Yes doing parameter acl allow execute always = True [2016/04/30 10:52:40.354095, 2, pid=39178, effective(0, 0), real(0, 0)] 
../source3/param/loadparm.c:2686(lp_do_section) Processing section "[Install]" doing parameter comment = Instalki doing parameter path = /srv/samba/install doing parameter read only = No doing parameter inherit acls = Yes [2016/04/30 10:52:40.354112, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[BLACHY]" doing parameter comment = Dysk sieciowy doing parameter path = /cage/company/Rejestry/Magazyny/Zwroty doing parameter create mask = 0770 doing parameter read only = No doing parameter inherit acls = Yes doing parameter hide unreadable = Yes [2016/04/30 10:52:40.354139, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[COMPANY]" [2016/04/30 10:52:40.354143, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1322(free_param_opts) Freeing parametrics: doing parameter comment = Dysk sieciowy doing parameter path = /cage/company doing parameter create mask = 0770 doing parameter read only = No doing parameter inherit acls = Yes doing parameter hide unreadable = Yes doing parameter vfs objects = recycle doing parameter recycle:keeptree = yes doing parameter recycle:versions = yes doing parameter recycle:repository = /.recycle doing parameter recycle:directory_mode = 0777 doing parameter recycle:subdir_mode = 0777 [2016/04/30 10:52:40.354221, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[ARCHIVE]" doing parameter comment = Dysk sieciowy doing parameter path = /cage/archive doing parameter create mask = 0770 doing parameter read only = No doing parameter inherit acls = Yes doing parameter hide unreadable = Yes doing parameter preexec = echo \"[X] %u connected to %S from %m (%I)\" >> /var/log/samba/company doing parameter postexec = echo \"[X] %u disconnected from %S from %m (%I)\" >> /var/log/samba/company [2016/04/30 10:52:40.354264, 2, pid=39178, effective(0, 
0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[USER]" [2016/04/30 10:52:40.354269, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1322(free_param_opts) Freeing parametrics: doing parameter comment = Katalog Domowy %u doing parameter path = /cage/users/%u doing parameter writeable = yes doing parameter browseable = yes doing parameter create mask = 700 doing parameter vfs objects = recycle doing parameter recycle:keeptree = yes doing parameter recycle:versions = yes doing parameter recycle:repository = /cage/users/%u/.$RecycleBin doing parameter recycle:directory_mode = 0777 doing parameter recycle:subdir_mode = 0777 [2016/04/30 10:52:40.354343, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[AUSERS]" doing parameter comment = Katalog Uzytkownikow doing parameter path = /cage/users doing parameter create mask = 0770 doing parameter writeable = yes doing parameter browseable = yes doing parameter hide unreadable = Yes doing parameter valid users = admink [2016/04/30 10:52:40.354375, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[GROUPS]" [2016/04/30 10:52:40.354379, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1322(free_param_opts) Freeing parametrics: doing parameter comment = Katalog Grupowy %G doing parameter path = /cage/groups doing parameter create mask = 0770 doing parameter writeable = yes doing parameter browseable = yes doing parameter hide unreadable = Yes doing parameter vfs objects = recycle doing parameter recycle:keeptree = yes doing parameter recycle:versions = yes doing parameter recycle:repository = /.recycle doing parameter recycle:directory_mode = 0777 doing parameter recycle:subdir_mode = 0777 [2016/04/30 10:52:40.354457, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section 
"[TEMP]" [2016/04/30 10:52:40.354462, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1322(free_param_opts) Freeing parametrics: doing parameter comment = Temp doing parameter path = /srv/samba/Temp doing parameter create mask = 0777 doing parameter read only = No doing parameter inherit acls = Yes doing parameter vfs objects = default_quota doing parameter default_quota:uid = 1153 doing parameter default_quota:uid nolimit = no doing parameter vfs objects = recycle doing parameter recycle:keeptree = yes doing parameter recycle:versions = yes doing parameter recycle:repository = /.recycle doing parameter recycle:directory_mode = 0777 doing parameter recycle:subdir_mode = 0777 [2016/04/30 10:52:40.354555, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[SKANER]" [2016/04/30 10:52:40.354559, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1322(free_param_opts) Freeing parametrics: doing parameter comment = Kopiarki doing parameter path = /srv/samba/Skaner doing parameter read only = No doing parameter inherit acls = Yes doing parameter vfs objects = default_quota doing parameter default_quota:uid = 1153 doing parameter default_quota:uid nolimit = no [2016/04/30 10:52:40.354600, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[N]" doing parameter comment = NEST doing parameter path = /srv/samba/Nesty doing parameter read only = No doing parameter inherit acls = Yes doing parameter guest ok = Yes [2016/04/30 10:52:40.354622, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[2850ND]" doing parameter comment = Drukarka Sieciowa A4 BW doing parameter path = /srv/samba/printers doing parameter read only = No doing parameter create mask = 0700 doing parameter guest ok = Yes doing parameter printable = Yes doing parameter print ok = Yes doing 
parameter printer name = 2850ND [2016/04/30 10:52:40.354659, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[KOPIARKA1]" doing parameter comment = Kopiarka Kolorowa - BIUROWIEC doing parameter path = /srv/samba/printers doing parameter read only = No doing parameter create mask = 0700 doing parameter guest ok = Yes doing parameter printable = Yes doing parameter print ok = Yes doing parameter printer name = KOPIARKA1 [2016/04/30 10:52:40.354696, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[KOPIARKA2]" doing parameter comment = Kopiarka Kolorowa - Jakosc doing parameter path = /srv/samba/printers doing parameter read only = No doing parameter create mask = 0700 doing parameter guest ok = Yes doing parameter printable = Yes doing parameter print ok = Yes doing parameter printer name = KOPIARKA2 [2016/04/30 10:52:40.354731, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[KOPIARKA3]" doing parameter comment = Kopiarka Mono -Technologia doing parameter path = /srv/samba/printers doing parameter read only = No doing parameter create mask = 0700 doing parameter guest ok = Yes doing parameter printable = Yes doing parameter print ok = Yes doing parameter printer name = KOPIARKA3 [2016/04/30 10:52:40.354768, 2, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2686(lp_do_section) Processing section "[OCE9400]" doing parameter comment = Ploter A0 doing parameter path = /srv/samba/printers doing parameter read only = No doing parameter create mask = 0700 doing parameter guest ok = Yes doing parameter printable = Yes doing parameter print ok = Yes doing parameter printer name = OCE9400 [2016/04/30 10:52:40.354810, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:3781(lp_load_ex) pm_process() returned Yes [2016/04/30 10:52:40.354821, 7, pid=39178, 
effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:4097(lp_servicenumber) lp_servicenumber: couldn't find homes [2016/04/30 10:52:40.354827, 3, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1586(lp_add_ipc) adding IPC service [2016/04/30 10:52:40.354833, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:117(make_user_info_map) Mapping user [TRASKOSTAL]\[admink] from workstation [TS78] [2016/04/30 10:52:40.354839, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:62(make_user_info) attempting to make a user_info for admink (admink) [2016/04/30 10:52:40.354844, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:70(make_user_info) making strings for admink's user_info struct [2016/04/30 10:52:40.354848, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:108(make_user_info) making blobs for admink's user_info struct [2016/04/30 10:52:40.354853, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:159(make_user_info) made a user_info for admink (admink) [2016/04/30 10:52:40.354857, 3, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password) check_ntlm_password: Checking password for unmapped user [TRASKOSTAL]\[admink]@[TS78] with the new password interface [2016/04/30 10:52:40.354862, 3, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password) check_ntlm_password: mapped user is: [TRASKOSTAL]\[admink]@[TS78] [2016/04/30 10:52:40.354866, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password) check_ntlm_password: auth_context challenge created by random [2016/04/30 10:52:40.354871, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password) challenge is: [2016/04/30 10:52:40.354875, 5, 
pid=39178, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data) [0000] 54 30 42 CC 5B 33 22 86 T0B.[3". [2016/04/30 10:52:40.354884, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_builtin.c:44(check_guest_security) Check auth for: [admink] [2016/04/30 10:52:40.354889, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password) check_ntlm_password: guest had nothing to say [2016/04/30 10:52:40.354893, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth) Check auth for: [admink] [2016/04/30 10:52:40.354898, 8, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/util.c:1206(is_myname) is_myname("TRASKOSTAL") returns 0 [2016/04/30 10:52:40.354903, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.354908, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 1 [2016/04/30 10:52:40.354912, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.354916, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.354920, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.354935, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:570(pdb_set_username) pdb_set_username: setting username admink, was [2016/04/30 10:52:40.354943, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:593(pdb_set_domain) pdb_set_domain: setting domain TRASKOSTAL, was 
[2016/04/30 10:52:40.354947, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:616(pdb_set_nt_username) pdb_set_nt_username: setting nt username , was [2016/04/30 10:52:40.354952, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:639(pdb_set_fullname) pdb_set_full_name: setting full name admink, was [2016/04/30 10:52:40.354956, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:732(pdb_set_homedir) pdb_set_homedir: setting home dir , was [2016/04/30 10:52:40.354961, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:708(pdb_set_dir_drive) pdb_set_dir_drive: setting dir drive , was NULL [2016/04/30 10:52:40.354965, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:662(pdb_set_logon_script) pdb_set_logon_script: setting logon script it.bat, was [2016/04/30 10:52:40.354970, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:685(pdb_set_profile_path) pdb_set_profile_path: setting profile path , was [2016/04/30 10:52:40.354974, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:775(pdb_set_workstations) pdb_set_workstations: setting workstations , was [2016/04/30 10:52:40.354980, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.354984, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 2 [2016/04/30 10:52:40.354988, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.354992, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) 
[2016/04/30 10:52:40.354996, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355004, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/account_pol.c:362(account_policy_get) account_policy_get: name: password history, val: 0 [2016/04/30 10:52:40.355010, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355015, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:495(pdb_set_user_sid) pdb_set_user_sid: setting user sid S-1-5-21-1193122258-3968554332-1479395916-1000 [2016/04/30 10:52:40.355021, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_compat.c:73(pdb_set_user_sid_from_rid) pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1193122258-3968554332-1479395916-1000 from rid 1000 [2016/04/30 10:52:40.355030, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355034, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355038, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355042, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355046, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355056, 10, pid=39178, effective(0, 0), real(0, 0)] 
../source3/passdb/account_pol.c:362(account_policy_get) account_policy_get: name: maximum password age, val: -1 [2016/04/30 10:52:40.355061, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355066, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user admink [2016/04/30 10:52:40.355071, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is admink [2016/04/30 10:52:40.355077, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals did find user [admink]! [2016/04/30 10:52:40.355084, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1015 -> sid S-1-5-21-1193122258-3968554332-1479395916-1004 [2016/04/30 10:52:40.355089, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1624(get_primary_group_sid) do lookup_sid(S-1-5-21-1193122258-3968554332-1479395916-1004) for group of user admink [2016/04/30 10:52:40.355094, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1026(lookup_sid) lookup_sid called for SID 'S-1-5-21-1193122258-3968554332-1479395916-1004' [2016/04/30 10:52:40.355101, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:778(check_dom_sid_to_level) Accepting SID S-1-5-21-1193122258-3968554332-1479395916 in level 1 [2016/04/30 10:52:40.355107, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:539(lookup_rids) lookup_rids called for domain sid 'S-1-5-21-1193122258-3968554332-1479395916' [2016/04/30 10:52:40.355112, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355116, 4, pid=39178, effective(0, 0), real(0, 0)] 
../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355120, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355124, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355128, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355135, 5, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:1748(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 1004. [2016/04/30 10:52:40.355140, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 4 [2016/04/30 10:52:40.355144, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355148, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 4 [2016/04/30 10:52:40.355152, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355156, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355165, 5, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_tdb.c:658(tdbsam_getsampwrid) pdb_getsampwrid (TDB): error looking up RID 1004 by key RID_000003ec. 
[2016/04/30 10:52:40.355177, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355182, 5, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:1883(pdb_default_lookup_rids) lookup_rids: Informatycy:2 [2016/04/30 10:52:40.355188, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355193, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1061(lookup_sid) Sid S-1-5-21-1193122258-3968554332-1479395916-1004 -> TRASKOSTAL\Informatycy(2) [2016/04/30 10:52:40.355199, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355203, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355207, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355211, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355215, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355223, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/account_pol.c:362(account_policy_get) account_policy_get: name: password history, val: 0 [2016/04/30 10:52:40.355228, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355235, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] 
../source3/passdb/pdb_get_set.c:570(pdb_set_username) pdb_set_username: setting username admink, was [2016/04/30 10:52:40.355239, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:593(pdb_set_domain) pdb_set_domain: setting domain TRASKOSTAL, was [2016/04/30 10:52:40.355244, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:616(pdb_set_nt_username) pdb_set_nt_username: setting nt username , was [2016/04/30 10:52:40.355248, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:639(pdb_set_fullname) pdb_set_full_name: setting full name admink, was [2016/04/30 10:52:40.355252, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:732(pdb_set_homedir) pdb_set_homedir: setting home dir , was [2016/04/30 10:52:40.355256, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:708(pdb_set_dir_drive) pdb_set_dir_drive: setting dir drive , was NULL [2016/04/30 10:52:40.355260, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:662(pdb_set_logon_script) pdb_set_logon_script: setting logon script it.bat, was [2016/04/30 10:52:40.355265, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:685(pdb_set_profile_path) pdb_set_profile_path: setting profile path , was [2016/04/30 10:52:40.355269, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:775(pdb_set_workstations) pdb_set_workstations: setting workstations , was [2016/04/30 10:52:40.355274, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355278, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355282, 4, pid=39178, 
effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355288, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355292, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355300, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/account_pol.c:362(account_policy_get) account_policy_get: name: password history, val: 0 [2016/04/30 10:52:40.355305, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355310, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:495(pdb_set_user_sid) pdb_set_user_sid: setting user sid S-1-5-21-1193122258-3968554332-1479395916-1000 [2016/04/30 10:52:40.355315, 10, pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_compat.c:73(pdb_set_user_sid_from_rid) pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1193122258-3968554332-1479395916-1000 from rid 1000 [2016/04/30 10:52:40.355325, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1004]: value=[1015:G] [2016/04/30 10:52:40.355330, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1004]: id=[1015], endptr=[:G] [2016/04/30 10:52:40.355335, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1522(sid_to_gid) sid S-1-5-21-1193122258-3968554332-1479395916-1004 -> gid 1015 [2016/04/30 10:52:40.355340, 10, 
pid=39178, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_get_set.c:557(pdb_set_group_sid) pdb_set_group_sid: setting group sid S-1-5-21-1193122258-3968554332-1479395916-1004 [2016/04/30 10:52:40.355348, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.355354, 4, pid=39178, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:359(ntlm_password_check) ntlm_password_check: Checking NTLMv2 password with domain [TRASKOSTAL] [2016/04/30 10:52:40.355365, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:183(sam_account_ok) sam_account_ok: Checking SMB password for user admink [2016/04/30 10:52:40.355371, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:165(logon_hours_ok) logon_hours_ok: user admink allowed to logon at this time (Sat Apr 30 08:52:40 2016 ) [2016/04/30 10:52:40.355376, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355381, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 1 [2016/04/30 10:52:40.355385, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355389, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355393, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355401, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/account_pol.c:362(account_policy_get) account_policy_get: name: maximum password age, val: -1 
[2016/04/30 10:52:40.355406, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.355413, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355417, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 1 [2016/04/30 10:52:40.355421, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355425, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355429, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355436, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user admink [2016/04/30 10:52:40.355440, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is admink [2016/04/30 10:52:40.355444, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals did find user [admink]! 
[2016/04/30 10:52:40.355450, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355454, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355458, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355462, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355466, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355473, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/account_pol.c:362(account_policy_get) account_policy_get: name: minimum password age, val: 0 [2016/04/30 10:52:40.355479, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355483, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355487, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355491, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3 [2016/04/30 10:52:40.355495, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355499, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 
Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355506, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/account_pol.c:362(account_policy_get) account_policy_get: name: maximum password age, val: -1 [2016/04/30 10:52:40.355511, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355516, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user admink [2016/04/30 10:52:40.355522, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is admink [2016/04/30 10:52:40.355527, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals did find user [admink]! [2016/04/30 10:52:40.355538, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist) sys_getgrouplist: user [admink] [2016/04/30 10:52:40.355583, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1015 -> sid S-1-5-21-1193122258-3968554332-1479395916-1004 [2016/04/30 10:52:40.355591, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 4 -> sid S-1-22-2-4 [2016/04/30 10:52:40.355597, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 24 -> sid S-1-22-2-24 [2016/04/30 10:52:40.355602, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 27 -> sid S-1-22-2-27 [2016/04/30 10:52:40.355606, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 30 -> sid S-1-22-2-30 [2016/04/30 10:52:40.355611, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 46 -> sid S-1-22-2-46 [2016/04/30 10:52:40.355616, 10, pid=39178, 
effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 110 -> sid S-1-22-2-110 [2016/04/30 10:52:40.355620, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 111 -> sid S-1-22-2-111 [2016/04/30 10:52:40.355625, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1000 -> sid S-1-22-2-1000 [2016/04/30 10:52:40.355630, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1012 -> sid S-1-5-21-1193122258-3968554332-1479395916-512 [2016/04/30 10:52:40.355636, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1013 -> sid S-1-5-21-1193122258-3968554332-1479395916-513 [2016/04/30 10:52:40.355641, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1046 -> sid S-1-5-21-1193122258-3968554332-1479395916-1078 [2016/04/30 10:52:40.355646, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1060 -> sid S-1-5-21-1193122258-3968554332-1479395916-1184 [2016/04/30 10:52:40.355651, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1061 -> sid S-1-5-21-1193122258-3968554332-1479395916-1197 [2016/04/30 10:52:40.355656, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1063 -> sid S-1-5-21-1193122258-3968554332-1479395916-1216 [2016/04/30 10:52:40.355664, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info_sam.c:122(make_server_info_sam) make_server_info_sam: made server info for user admink -> admink [2016/04/30 10:52:40.355671, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.355677, 3, pid=39178, effective(0, 0), real(0, 0), class=auth] 
../source3/auth/auth.c:249(auth_check_ntlm_password) check_ntlm_password: sam authentication for user [admink] succeeded [2016/04/30 10:52:40.355683, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355687, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 1 [2016/04/30 10:52:40.355691, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.355696, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.355702, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.355709, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/pampass.c:483(smb_pam_start) smb_pam_start: PAM: Init user: admink [2016/04/30 10:52:40.358630, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/pampass.c:492(smb_pam_start) smb_pam_start: PAM: setting rhost to: 10.10.10.78 [2016/04/30 10:52:40.358649, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/pampass.c:501(smb_pam_start) smb_pam_start: PAM: setting tty [2016/04/30 10:52:40.358658, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/pampass.c:509(smb_pam_start) smb_pam_start: PAM: Init passed for user: admink [2016/04/30 10:52:40.358666, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/pampass.c:567(smb_pam_account) smb_pam_account: PAM: Account Management for User: admink [2016/04/30 10:52:40.358810, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/pampass.c:586(smb_pam_account) smb_pam_account: 
PAM: Account OK for User: admink [2016/04/30 10:52:40.359037, 4, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/pampass.c:465(smb_pam_end) smb_pam_end: PAM: PAM_END OK. [2016/04/30 10:52:40.359053, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.359062, 5, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:292(auth_check_ntlm_password) check_ntlm_password: PAM Account for user [admink] succeeded [2016/04/30 10:52:40.359069, 2, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:305(auth_check_ntlm_password) check_ntlm_password: authentication for user [admink] -> [admink] -> [admink] succeeded [2016/04/30 10:52:40.359078, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:215(auth3_check_password) Got NT session key of length 16 [2016/04/30 10:52:40.359086, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:222(auth3_check_password) Got LM session key of length 8 [2016/04/30 10:52:40.359094, 10, pid=39178, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:818(ntlmssp_server_postauth) ntlmssp_server_auth: Using unmodified nt session key. 
[2016/04/30 10:52:40.359113, 3, pid=39178, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags: [2016/04/30 10:52:40.359121, 3, pid=39178, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe2088235 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_SEAL NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP_NEGOTIATE_56 [2016/04/30 10:52:40.359167, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.359176, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:584(pipe_auth_generic_verify_final) ../source3/rpc_server/srv_pipe.c:584: checking user details [2016/04/30 10:52:40.359186, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.359200, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 0 [2016/04/30 10:52:40.359214, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.359222, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.359229, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.359247, 10, pid=39178, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:224(create_local_nt_token_from_info3) Create local NT token for admink [2016/04/30 10:52:40.359268, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1000]: value=[1000:U] [2016/04/30 10:52:40.359277, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1000]: id=[1000], endptr=[:U] [2016/04/30 10:52:40.359286, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1468(sid_to_uid) sid S-1-5-21-1193122258-3968554332-1479395916-1000 -> uid 1000 [2016/04/30 10:52:40.359325, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/system_smbd.c:176(sys_getgrouplist) sys_getgrouplist: user [admink] [2016/04/30 10:52:40.359392, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1015 -> sid S-1-5-21-1193122258-3968554332-1479395916-1004 [2016/04/30 10:52:40.359405, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 4 -> sid S-1-22-2-4 [2016/04/30 10:52:40.359414, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 24 -> sid S-1-22-2-24 [2016/04/30 10:52:40.359423, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 27 -> sid S-1-22-2-27 [2016/04/30 10:52:40.359432, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 30 -> sid S-1-22-2-30 [2016/04/30 10:52:40.359440, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 46 -> sid S-1-22-2-46 [2016/04/30 10:52:40.359448, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 110 -> sid S-1-22-2-110 [2016/04/30 
10:52:40.359457, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 111 -> sid S-1-22-2-111 [2016/04/30 10:52:40.359465, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1000 -> sid S-1-22-2-1000 [2016/04/30 10:52:40.359474, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1012 -> sid S-1-5-21-1193122258-3968554332-1479395916-512 [2016/04/30 10:52:40.359483, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1013 -> sid S-1-5-21-1193122258-3968554332-1479395916-513 [2016/04/30 10:52:40.359493, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1046 -> sid S-1-5-21-1193122258-3968554332-1479395916-1078 [2016/04/30 10:52:40.359502, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1060 -> sid S-1-5-21-1193122258-3968554332-1479395916-1184 [2016/04/30 10:52:40.359511, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1061 -> sid S-1-5-21-1193122258-3968554332-1479395916-1197 [2016/04/30 10:52:40.359520, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid) gid 1063 -> sid S-1-5-21-1193122258-3968554332-1479395916-1216 [2016/04/30 10:52:40.359546, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.359560, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 1 [2016/04/30 10:52:40.359567, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.359575, 5, pid=39178, effective(0, 0), real(0, 0)] 
../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.359582, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.359691, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.359704, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-1000] [2016/04/30 10:52:40.359715, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-1004] [2016/04/30 10:52:40.359726, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-512] [2016/04/30 10:52:40.359737, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-513] [2016/04/30 10:52:40.359748, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-1078] [2016/04/30 10:52:40.359759, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-1184] [2016/04/30 10:52:40.359769, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-1197] [2016/04/30 10:52:40.359780, 4, pid=39178, effective(0, 
0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-21-1193122258-3968554332-1479395916-1216] [2016/04/30 10:52:40.359790, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-4] [2016/04/30 10:52:40.359800, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-24] [2016/04/30 10:52:40.359810, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-27] [2016/04/30 10:52:40.359819, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-30] [2016/04/30 10:52:40.359829, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-46] [2016/04/30 10:52:40.359839, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-110] [2016/04/30 10:52:40.359848, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-111] [2016/04/30 10:52:40.359858, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-22-2-1000] [2016/04/30 10:52:40.359872, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:176(get_privileges_for_sids) get_privileges_for_sids: sid = S-1-1-0 Privilege set: 0x0 [2016/04/30 10:52:40.359884, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-2] [2016/04/30 10:52:40.359894, 4, pid=39178, 
effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-11] [2016/04/30 10:52:40.359904, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:176(get_privileges_for_sids) get_privileges_for_sids: sid = S-1-5-32-544 Privilege set: 0x1ff0 [2016/04/30 10:52:40.359916, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/privileges.c:98(get_privileges) get_privileges: No privileges assigned to SID [S-1-5-32-545] [2016/04/30 10:52:40.359929, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1000]: value=[1000:U] [2016/04/30 10:52:40.359937, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1000]: id=[1000], endptr=[:U] [2016/04/30 10:52:40.359947, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1004]: value=[1015:G] [2016/04/30 10:52:40.359955, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1004]: id=[1015], endptr=[:G] [2016/04/30 10:52:40.359965, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-512]: value=[1012:G] [2016/04/30 10:52:40.359972, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-512]: id=[1012], endptr=[:G] [2016/04/30 10:52:40.359982, 10, pid=39178, effective(0, 
0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-513]: value=[1013:G] [2016/04/30 10:52:40.359989, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-513]: id=[1013], endptr=[:G] [2016/04/30 10:52:40.359998, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1078]: value=[1046:G] [2016/04/30 10:52:40.360012, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1078]: id=[1046], endptr=[:G] [2016/04/30 10:52:40.360023, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1184]: value=[1060:G] [2016/04/30 10:52:40.360031, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1184]: id=[1060], endptr=[:G] [2016/04/30 10:52:40.360040, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1197]: value=[1061:G] [2016/04/30 10:52:40.360051, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1197]: id=[1061], endptr=[:G] [2016/04/30 10:52:40.360060, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing 
value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1216]: value=[1063:G] [2016/04/30 10:52:40.360068, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-21-1193122258-3968554332-1479395916-1216]: id=[1063], endptr=[:G] [2016/04/30 10:52:40.360077, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-1-0]: value=[-1:N] [2016/04/30 10:52:40.360084, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-1-0]: id=[4294967295], endptr=[:N] [2016/04/30 10:52:40.360093, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-2]: value=[-1:N] [2016/04/30 10:52:40.360100, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-2]: id=[4294967295], endptr=[:N] [2016/04/30 10:52:40.360108, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-11]: value=[-1:N] [2016/04/30 10:52:40.360116, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-11]: id=[4294967295], endptr=[:N] [2016/04/30 10:52:40.360124, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-32-544]: value=[10000:G] [2016/04/30 10:52:40.360132, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-32-544]: id=[10000], endptr=[:G] [2016/04/30 10:52:40.360140, 10, 
pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-32-545]: value=[10001:G] [2016/04/30 10:52:40.360147, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid) Parsing value for key [IDMAP/SID2XID/S-1-5-32-545]: id=[10001], endptr=[:G] [2016/04/30 10:52:40.360157, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:609(create_local_token) Could not convert SID S-1-1-0 to gid, ignoring it [2016/04/30 10:52:40.360166, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:609(create_local_token) Could not convert SID S-1-5-2 to gid, ignoring it [2016/04/30 10:52:40.360174, 10, pid=39178, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:609(create_local_token) Could not convert SID S-1-5-11 to gid, ignoring it [2016/04/30 10:52:40.360188, 10, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 
28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.360322, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.360377, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.360385, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/dcesrv_auth_generic.c:143(auth_generic_server_get_user_info) ../source3/rpc_server/dcesrv_auth_generic.c:143OK: user: admink domain: TRASKOSTAL [2016/04/30 10:52:40.360413, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.360422, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 775 (position 775) from bitmap [2016/04/30 10:52:40.360430, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 775 [2016/04/30 10:52:40.360441, 4, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.360449, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.360583, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 
11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.360637, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.360647, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 775, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.360655, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1123123194 [2016/04/30 10:52:40.360664, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 112 [2016/04/30 10:52:40.360672, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 112 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 112 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.360719, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 112 [2016/04/30 10:52:40.360728, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.360758, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.360767, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.360775, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.360783, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.360791, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0 [2016/04/30 10:52:40.360799, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.360806, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.360817, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.360831, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.360846, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.360854, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.360984, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.361038, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.361048, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.361056, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x2 - api_rpcTNP: rpc command: WINREG_OPENHKLM [2016/04/30 10:52:40.361065, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[2].fn == 0x7f9b33e05020 [2016/04/30 10:52:40.361073, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM in: struct winreg_OpenHKLM system_name : * system_name : 0x48a0 (18592) access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2016/04/30 10:52:40.361128, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [HKLM] [2016/04/30 10:52:40.361142, 4, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(1000, 1015) : sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.361152, 4, pid=39178, effective(1000, 1015), real(1000, 0)] 
../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(2421631163) : conn_ctx_stack_ndx = 0 [2016/04/30 10:52:40.361159, 4, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2016/04/30 10:52:40.361166, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:40.361173, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:40.361215, 4, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.361225, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:885(regdb_open) regdb_open: registry db opened. 
refcount reset (1) [2016/04/30 10:52:40.361234, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM] [2016/04/30 10:52:40.361242, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM] [2016/04/30 10:52:40.361250, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2016/04/30 10:52:40.361257, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f9b33606020 for key [\HKLM] [2016/04/30 10:52:40.361279, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:2093(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM] [2016/04/30 10:52:40.361300, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../libcli/security/access_check.c:188(se_access_check) se_access_check: MAX desired = 0x2000000, granted = 0xf003f, remaining = 0xf003f [2016/04/30 10:52:40.361310, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:304(create_rpc_handle_internal) Opened policy hnd[1] [0000] 00 00 00 00 31 00 00 00 00 00 00 00 24 57 58 72 ....1... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.361340, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM out: struct winreg_OpenHKLM handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000031-0000-0000-2457-58720a990000 result : WERR_OK [2016/04/30 10:52:40.361375, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.361388, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.361402, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 31 00 00 00 00 00 00 00 24 57 58 72 ....1... ....$WXr [0010] 0A 99 00 00 00 00 00 00 ........ 
[2016/04/30 10:52:40.361544, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.361574, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.361585, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes [2016/04/30 10:52:40.361592, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80 [2016/04/30 10:52:40.361630, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.361640, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.361650, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK [2016/04/30 10:52:40.361658, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.361668, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/776/127 [2016/04/30 10:52:40.362026, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.362036, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 776 (position 776) from bitmap [2016/04/30 10:52:40.362044, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 776 [2016/04/30 10:52:40.362060, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.362069, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.362202, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.362257, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.362267, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 776, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.362276, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1123123194 [2016/04/30 10:52:40.362285, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 80 [2016/04/30 10:52:40.362292, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 80 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 80 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.362338, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 80 [2016/04/30 10:52:40.362347, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.362379, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.362388, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.362396, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.362404, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.362412, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12 [2016/04/30 10:52:40.362419, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.362427, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.362437, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.362448, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.362458, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.362466, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.362595, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.362654, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.362663, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.362671, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x1a - api_rpcTNP: rpc command: WINREG_GETVERSION [2016/04/30 10:52:40.362680, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[26].fn == 0x7f9b33e01300 [2016/04/30 10:52:40.362689, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_GetVersion: struct winreg_GetVersion in: struct winreg_GetVersion handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000031-0000-0000-2457-58720a990000 [2016/04/30 10:52:40.362719, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 31 00 00 00 00 00 00 00 24 57 58 72 ....1... ....$WXr [0010] 0A 99 00 00 .... 
[2016/04/30 10:52:40.362747, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_GetVersion: struct winreg_GetVersion out: struct winreg_GetVersion version : * version : 0x00000005 (5) result : WERR_OK [2016/04/30 10:52:40.362770, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.362782, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.362795, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0020 (32) auth_length : 0x0010 (16) call_id : 0x00000002 (2) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000008 (8) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=8 [0000] 05 00 00 00 00 00 00 00 ........ 
[2016/04/30 10:52:40.362909, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.362942, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.362952, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 8 bytes [2016/04/30 10:52:40.362960, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 64 [2016/04/30 10:52:40.362993, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 64 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.363003, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 64 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.363013, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 64 status NT_STATUS_OK [2016/04/30 10:52:40.363021, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:64] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.363030, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/777/127 [2016/04/30 10:52:40.363467, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.363490, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 777 (position 777) from bitmap [2016/04/30 10:52:40.363499, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 777 [2016/04/30 10:52:40.363510, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.363519, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.363656, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.363711, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.363721, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 777, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.363729, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1123123194 [2016/04/30 10:52:40.363738, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 192 [2016/04/30 10:52:40.363746, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 192 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 192 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.363791, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 192 [2016/04/30 10:52:40.363800, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.363828, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.363837, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.363845, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.363852, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy. [2016/04/30 10:52:40.363861, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0 [2016/04/30 10:52:40.363868, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth [2016/04/30 10:52:40.363876, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal [2016/04/30 10:52:40.363887, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK ! 
[2016/04/30 10:52:40.363902, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.363912, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.363920, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.364058, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of 
user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.364114, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015) [2016/04/30 10:52:40.364123, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service [2016/04/30 10:52:40.364131, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0xf - api_rpcTNP: rpc command: WINREG_OPENKEY [2016/04/30 10:52:40.364140, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[15].fn == 0x7f9b33e02fa0 [2016/04/30 10:52:40.364153, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey in: struct winreg_OpenKey parent_handle : * parent_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000031-0000-0000-2457-58720a990000 keyname: struct winreg_String name_len : 0x0060 (96) name_size : 0x0060 (96) name : * name : 'SYSTEM\CurrentControlSet\Control\ProductOptions' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2016/04/30 10:52:40.364254, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] 
../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 31 00 00 00 00 00 00 00 24 57 58 72 ....1... ....$WXr [0010] 0A 99 00 00 .... [2016/04/30 10:52:40.364284, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [SYSTEM] [2016/04/30 10:52:40.364292, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:857(regdb_open) regdb_open: incrementing refcount (1->2) [2016/04/30 10:52:40.364301, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM] [2016/04/30 10:52:40.364309, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM] [2016/04/30 10:52:40.364318, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2016/04/30 10:52:40.364325, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f9b33606020 for key [\HKLM\SYSTEM] [2016/04/30 10:52:40.364345, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:2093(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SYSTEM] [2016/04/30 10:52:40.364363, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [CurrentControlSet] [2016/04/30 10:52:40.364373, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:857(regdb_open) regdb_open: incrementing refcount (2->3) [2016/04/30 10:52:40.364382, 10, pid=39178, effective(1000, 1015), 
real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet] [2016/04/30 10:52:40.364389, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet] [2016/04/30 10:52:40.364398, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2016/04/30 10:52:40.364405, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f9b33606020 for key [\HKLM\SYSTEM\CurrentControlSet] [2016/04/30 10:52:40.364424, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:2093(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SYSTEM\CurrentControlSet] [2016/04/30 10:52:40.364441, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [Control] [2016/04/30 10:52:40.364454, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:857(regdb_open) regdb_open: incrementing refcount (3->4) [2016/04/30 10:52:40.364463, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Control] [2016/04/30 10:52:40.364471, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Control] [2016/04/30 10:52:40.364480, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2016/04/30 10:52:40.364487, 10, pid=39178, effective(1000, 1015), 
real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f9b33606020 for key [\HKLM\SYSTEM\CurrentControlSet\Control] [2016/04/30 10:52:40.364508, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:2093(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SYSTEM\CurrentControlSet\Control] [2016/04/30 10:52:40.364524, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_api.c:143(regkey_open_onelevel) regkey_open_onelevel: name = [ProductOptions] [2016/04/30 10:52:40.364533, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:857(regdb_open) regdb_open: incrementing refcount (4->5) [2016/04/30 10:52:40.364542, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:125(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions] [2016/04/30 10:52:40.364549, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions] [2016/04/30 10:52:40.364559, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2016/04/30 10:52:40.364566, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_cachehook.c:130(reghook_cache_find) reghook_cache_find: found ops 0x7f9b34147a00 for key [\HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions] [2016/04/30 10:52:40.364584, 10, pid=39178, effective(1000, 1015), real(1000, 0)] ../libcli/security/access_check.c:188(se_access_check) se_access_check: MAX desired = 0x2000000, granted = 0xf003f, remaining = 0xf003f [2016/04/30 10:52:40.364595, 10, pid=39178, effective(1000, 1015), real(1000, 0), 
class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) regdb_close: decrementing refcount (5->4) [2016/04/30 10:52:40.364604, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) regdb_close: decrementing refcount (4->3) [2016/04/30 10:52:40.364612, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) regdb_close: decrementing refcount (3->2) [2016/04/30 10:52:40.364620, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:304(create_rpc_handle_internal) Opened policy hnd[2] [0000] 00 00 00 00 32 00 00 00 00 00 00 00 24 57 58 72 ....2... ....$WXr [0010] 0A 99 00 00 .... [2016/04/30 10:52:40.364649, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey out: struct winreg_OpenKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000032-0000-0000-2457-58720a990000 result : WERR_OK [2016/04/30 10:52:40.364687, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.364702, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.364715, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) 
frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000003 (3) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 32 00 00 00 00 00 00 00 24 57 58 72 ....2... ....$WXr [0010] 0A 99 00 00 00 00 00 00 ........ [2016/04/30 10:52:40.364851, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.364881, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.364891, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes [2016/04/30 10:52:40.364899, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80 [2016/04/30 10:52:40.364923, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1539(smbd_smb2_request_pending_timer) smbd_smb2_request_pending_queue: opcode[SMB2_OP_IOCTL] mid 777 going async [2016/04/30 10:52:40.364933, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/778/127 [2016/04/30 10:52:40.364942, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1637(smbd_smb2_request_pending_timer) state->vector[0/5].iov_len = 4 state->vector[1/5].iov_len = 0 state->vector[2/5].iov_len = 64 
state->vector[3/5].iov_len = 8 state->vector[4/5].iov_len = 1 [2016/04/30 10:52:40.364981, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. There is no more data outstanding [2016/04/30 10:52:40.364996, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.365006, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK [2016/04/30 10:52:40.365014, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.365023, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 0, current possible/max 385/512, total granted/max/low/range 127/8192/778/127 [2016/04/30 10:52:40.365453, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.365463, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 778 (position 778) from bitmap [2016/04/30 10:52:40.365471, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 778 [2016/04/30 10:52:40.365482, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) 
- sec_ctx_stack_ndx = 0
[2016/04/30 10:52:40.365491, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0):
[2016/04/30 10:52:40.365624, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001
[2016/04/30 10:52:40.365680, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015)
[2016/04/30 10:52:40.365694, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 778, CreditCharge: 1, NeededCharge: 1
[2016/04/30 10:52:40.365702, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1123123194
[2016/04/30 10:52:40.365712, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 160
[2016/04/30 10:52:40.365719, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 160 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 160 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0
[2016/04/30 10:52:40.365764, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 160
[2016/04/30 10:52:40.365774, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024
[2016/04/30 10:52:40.365801, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format!
[2016/04/30 10:52:40.365810, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0
[2016/04/30 10:52:40.365818, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth.
[2016/04/30 10:52:40.365825, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy.
[2016/04/30 10:52:40.365834, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 8
[2016/04/30 10:52:40.365841, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth
[2016/04/30 10:52:40.365849, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal
[2016/04/30 10:52:40.365860, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK !
[2016/04/30 10:52:40.365871, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1
[2016/04/30 10:52:40.365880, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1
[2016/04/30 10:52:40.365889, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0):
[2016/04/30 10:52:40.366025, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001
[2016/04/30 10:52:40.366079, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015)
[2016/04/30 10:52:40.366088, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service
[2016/04/30 10:52:40.366096, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x11 - api_rpcTNP: rpc command: WINREG_QUERYVALUE
[2016/04/30 10:52:40.366105, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[17].fn == 0x7f9b33e02820
[2016/04/30 10:52:40.366116, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue in: struct winreg_QueryValue handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000032-0000-0000-2457-58720a990000 value_name : * value_name: struct winreg_String name_len : 0x0018 (24) name_size : 0x0018 (24) name : * name : 'ProductType' type : * type : REG_NONE (0) data : * data: ARRAY(0) data_size : * data_size : 0x00000104 (260) data_length : * data_length : 0x00000000 (0)
[2016/04/30 10:52:40.366194, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 32 00 00 00 00 00 00 00 24 57 58 72 ....2... ....$WXr [0010] 0A 99 00 00 ....
[2016/04/30 10:52:40.366222, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:263(_winreg_QueryValue) _winreg_QueryValue: policy key name = [HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions]
[2016/04/30 10:52:40.366233, 7, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/winreg/srv_winreg_nt.c:264(_winreg_QueryValue) _winreg_QueryValue: policy key type = [00000000]
[2016/04/30 10:52:40.366241, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_dispatcher.c:151(fetch_reg_values) fetch_reg_values called for key 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions' (ops 0x7f9b34147a00)
[2016/04/30 10:52:40.366257, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_QueryValue: struct winreg_QueryValue out: struct winreg_QueryValue type : * type : REG_SZ (1) data : * data: ARRAY(18) [0] : 0x4c (76) [1] : 0x00 (0) [2] : 0x61 (97) [3] : 0x00 (0) [4] : 0x6e (110) [5] : 0x00 (0) [6] : 0x6d (109) [7] : 0x00 (0) [8] : 0x61 (97) [9] : 0x00 (0) [10] : 0x6e (110) [11] : 0x00 (0) [12] : 0x4e (78) [13] : 0x00 (0) [14] : 0x54 (84) [15] : 0x00 (0) [16] : 0x00 (0) [17] : 0x00 (0) data_size : * data_size : 0x00000012 (18) data_length : * data_length : 0x00000012 (18) result : WERR_OK
[2016/04/30 10:52:40.366368, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully
[2016/04/30 10:52:40.366382, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0
[2016/04/30 10:52:40.366395, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0058 (88) auth_length : 0x0010 (16) call_id : 0x00000004 (4) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000040 (64) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=64 [0000] 14 00 02 00 01 00 00 00 18 00 02 00 12 00 00 00 ........ ........ [0010] 00 00 00 00 12 00 00 00 4C 00 61 00 6E 00 6D 00 ........ L.a.n.m. [0020] 61 00 6E 00 4E 00 54 00 00 00 00 00 1C 00 02 00 a.n.N.T. ........ [0030] 12 00 00 00 20 00 02 00 12 00 00 00 00 00 00 00 .... ... ........
[2016/04/30 10:52:40.366576, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x00 (0) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0
[2016/04/30 10:52:40.366606, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal
[2016/04/30 10:52:40.366617, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 64 bytes
[2016/04/30 10:52:40.366624, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 112
[2016/04/30 10:52:40.366659, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 112 bytes. There is no more data outstanding
[2016/04/30 10:52:40.366669, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 112 is_data_outstanding = 0, status = NT_STATUS_OK
[2016/04/30 10:52:40.366678, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 112 status NT_STATUS_OK
[2016/04/30 10:52:40.366686, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:112] at ../source3/smbd/smb2_ioctl.c:358
[2016/04/30 10:52:40.366696, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/779/127
[2016/04/30 10:52:40.367293, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors
[2016/04/30 10:52:40.367314, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 779 (position 779) from bitmap
[2016/04/30 10:52:40.367324, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 779
[2016/04/30 10:52:40.367335, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0
[2016/04/30 10:52:40.367345, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0):
[2016/04/30 10:52:40.367485, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001
[2016/04/30 10:52:40.367543, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015)
[2016/04/30 10:52:40.367553, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 779, CreditCharge: 1, NeededCharge: 1
[2016/04/30 10:52:40.367562, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1123123194
[2016/04/30 10:52:40.367571, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 80
[2016/04/30 10:52:40.367579, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 80 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 80 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0
[2016/04/30 10:52:40.367627, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 80
[2016/04/30 10:52:40.367638, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024
[2016/04/30 10:52:40.367668, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format!
[2016/04/30 10:52:40.367677, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0
[2016/04/30 10:52:40.367685, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth.
[2016/04/30 10:52:40.367692, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy.
[2016/04/30 10:52:40.367701, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
[2016/04/30 10:52:40.367709, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth
[2016/04/30 10:52:40.367721, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal
[2016/04/30 10:52:40.367732, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK !
[2016/04/30 10:52:40.367743, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1
[2016/04/30 10:52:40.367753, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1
[2016/04/30 10:52:40.367761, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0):
[2016/04/30 10:52:40.367892, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001
[2016/04/30 10:52:40.367947, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015)
[2016/04/30 10:52:40.367956, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service
[2016/04/30 10:52:40.367964, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x5 - api_rpcTNP: rpc command: WINREG_CLOSEKEY
[2016/04/30 10:52:40.367973, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[5].fn == 0x7f9b33e04880
[2016/04/30 10:52:40.367982, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000032-0000-0000-2457-58720a990000
[2016/04/30 10:52:40.368169, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 32 00 00 00 00 00 00 00 24 57 58 72 ....2... ....$WXr [0010] 0A 99 00 00 ....
[2016/04/30 10:52:40.368189, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 32 00 00 00 00 00 00 00 24 57 58 72 ....2... ....$WXr [0010] 0A 99 00 00 ....
[2016/04/30 10:52:40.368206, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:388(close_policy_hnd) Closed policy
[2016/04/30 10:52:40.368212, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) regdb_close: decrementing refcount (2->1)
[2016/04/30 10:52:40.368217, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK
[2016/04/30 10:52:40.368239, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully
[2016/04/30 10:52:40.368249, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0
[2016/04/30 10:52:40.368258, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000005 (5) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........
[2016/04/30 10:52:40.368346, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0
[2016/04/30 10:52:40.368368, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal
[2016/04/30 10:52:40.368376, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes
[2016/04/30 10:52:40.368381, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80
[2016/04/30 10:52:40.368405, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. There is no more data outstanding
[2016/04/30 10:52:40.368412, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK
[2016/04/30 10:52:40.368418, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK
[2016/04/30 10:52:40.368424, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358
[2016/04/30 10:52:40.368430, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/780/127
[2016/04/30 10:52:40.368865, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors
[2016/04/30 10:52:40.368890, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 780 (position 780) from bitmap
[2016/04/30 10:52:40.368897, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 780
[2016/04/30 10:52:40.368904, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0
[2016/04/30 10:52:40.368911, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0):
[2016/04/30 10:52:40.369001, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001
[2016/04/30 10:52:40.369038, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015)
[2016/04/30 10:52:40.369045, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 780, CreditCharge: 1, NeededCharge: 1
[2016/04/30 10:52:40.369051, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] winreg, fnum 1123123194
[2016/04/30 10:52:40.369057, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 80
[2016/04/30 10:52:40.369062, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 80 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 80 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0
[2016/04/30 10:52:40.369093, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 80
[2016/04/30 10:52:40.369099, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024
[2016/04/30 10:52:40.369119, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format!
[2016/04/30 10:52:40.369125, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0
[2016/04/30 10:52:40.369130, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth.
[2016/04/30 10:52:40.369135, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:473(dcerpc_check_auth) Requested Privacy.
[2016/04/30 10:52:40.369140, 6, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer) ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
[2016/04/30 10:52:40.369145, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_parse] ../source3/librpc/rpc/dcerpc_helpers.c:533(dcerpc_check_auth) GENSEC auth
[2016/04/30 10:52:40.369151, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:371(ntlmssp_unseal_packet) ntlmssp_unseal_packet: seal
[2016/04/30 10:52:40.369157, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:255(ntlmssp_check_packet) ntlmssp_check_packet: NTLMSSP signature OK !
[2016/04/30 10:52:40.369165, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1
[2016/04/30 10:52:40.369174, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (1000, 1015) - sec_ctx_stack_ndx = 1
[2016/04/30 10:52:40.369179, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0):
[2016/04/30 10:52:40.369264, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 1000 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001
[2016/04/30 10:52:40.369300, 5, pid=39178, effective(1000, 1015), real(1000, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(1000,1000), gid=(0,1015)
[2016/04/30 10:52:40.369306, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested winreg rpc service
[2016/04/30 10:52:40.369311, 4, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: winreg op 0x5 - api_rpcTNP: rpc command: WINREG_CLOSEKEY
[2016/04/30 10:52:40.369317, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[5].fn == 0x7f9b33e04880
[2016/04/30 10:52:40.369322, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000031-0000-0000-2457-58720a990000
[2016/04/30 10:52:40.369342, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 31 00 00 00 00 00 00 00 24 57 58 72 ....1... ....$WXr [0010] 0A 99 00 00 ....
[2016/04/30 10:52:40.369361, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 31 00 00 00 00 00 00 00 24 57 58 72 ....1... ....$WXr [0010] 0A 99 00 00 ....
[2016/04/30 10:52:40.369381, 6, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:388(close_policy_hnd) Closed policy [2016/04/30 10:52:40.369387, 10, pid=39178, effective(1000, 1015), real(1000, 0), class=registry] ../source3/registry/reg_backend_db.c:902(regdb_close) regdb_close: decrementing refcount (1->0) [2016/04/30 10:52:40.369400, 1, pid=39178, effective(1000, 1015), real(1000, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2016/04/30 10:52:40.369423, 5, pid=39178, effective(1000, 1015), real(1000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called winreg successfully [2016/04/30 10:52:40.369433, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.369442, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0010 (16) call_id : 0x00000006 (6) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ 
[2016/04/30 10:52:40.369530, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_NTLMSSP (10) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x08 (8) auth_reserved : 0x00 (0) auth_context_id : 0x00000000 (0) credentials : DATA_BLOB length=0 [2016/04/30 10:52:40.369549, 10, pid=39178, effective(0, 1015), real(0, 0)] ../auth/ntlmssp/ntlmssp_sign.c:287(ntlmssp_seal_packet) ntlmssp_seal_data: seal [2016/04/30 10:52:40.369556, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 24 bytes [2016/04/30 10:52:40.369561, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 80 [2016/04/30 10:52:40.369587, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 80 bytes. 
There is no more data outstanding [2016/04/30 10:52:40.369594, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 80 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.369601, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 80 status NT_STATUS_OK [2016/04/30 10:52:40.369606, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:80] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.369612, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/781/127 [2016/04/30 10:52:40.370063, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.370088, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 781 (position 781) from bitmap [2016/04/30 10:52:40.370094, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_CLOSE] mid = 781 [2016/04/30 10:52:40.370102, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.370108, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: 
S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.370194, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.370235, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 
10:52:40.370243, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_close.c:227(smbd_smb2_close) smbd_smb2_close: winreg - fnum 1123123194 [2016/04/30 10:52:40.370250, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.370255, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_open_global.tdb 2: 3: [2016/04/30 10:52:40.370262, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 69D9A458 [2016/04/30 10:52:40.370268, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353db800 [2016/04/30 10:52:40.370277, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 69D9A458 [2016/04/30 10:52:40.370282, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.370287, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:40.370299, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:418(close_policy_by_pipe) Deleted handle list for RPC connection winreg [2016/04/30 10:52:40.370313, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:554(file_free) freed files structure 1123123194 (1 used) [2016/04/30 10:52:40.370320, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[60] dyn[no:0] at ../source3/smbd/smb2_close.c:144 [2016/04/30 10:52:40.370326, 10, pid=39178, effective(0, 1015), 
real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/782/127 [2016/04/30 10:52:40.371143, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.371174, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 782 (position 782) from bitmap [2016/04/30 10:52:40.371180, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 782 [2016/04/30 10:52:40.371186, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.371192, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: 
S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.371280, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.371316, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.371323, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_create.c:501(smbd_smb2_create_send) smbd_smb2_create: name[wkssvc] [2016/04/30 10:52:40.371330, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.371335, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_open_global.tdb 2: 3: [2016/04/30 10:52:40.371341, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 9B5E34D2 [2016/04/30 10:52:40.371347, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353a3ee0 
[2016/04/30 10:52:40.371353, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smbXsrv_open.c:587(smbXsrv_open_global_verify_record) smbXsrv_open_global_verify_record: empty value [2016/04/30 10:52:40.371364, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smbXsrv_open.c:706(smbXsrv_open_global_store) smbXsrv_open_global_store: key '9B5E34D2' stored [2016/04/30 10:52:40.371370, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &global_blob: struct smbXsrv_open_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_open_globalU(case 0) info0 : * info0: struct smbXsrv_open_global0 db_rec : * server_id: struct server_id pid : 0x000000000000990a (39178) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xee090ec3329c23cf (-1294487186361801777) open_global_id : 0x9b5e34d2 (2606642386) open_persistent_id : 0x000000009b5e34d2 (2606642386) open_volatile_id : 0x00000000ffb9191f (4290320671) open_owner : S-1-5-21-1193122258-3968554332-1479395916-1000 open_time : Sat Apr 30 10:52:40 2016 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 [2016/04/30 10:52:40.371441, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 9B5E34D2 [2016/04/30 10:52:40.371446, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.371451, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:40.371457, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smbXsrv_open.c:880(smbXsrv_open_create) smbXsrv_open_create: global_id (0x9b5e34d2) stored [2016/04/30 10:52:40.371462, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &open_blob: struct smbXsrv_openB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_openU(case 0) info0 : * info0: struct smbXsrv_open table : * db_rec : NULL local_id : 0xffb9191f (4290320671) global : * global: struct smbXsrv_open_global0 db_rec : NULL server_id: struct server_id pid : 0x000000000000990a (39178) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xee090ec3329c23cf (-1294487186361801777) open_global_id : 0x9b5e34d2 (2606642386) open_persistent_id : 0x000000009b5e34d2 (2606642386) open_volatile_id : 0x00000000ffb9191f (4290320671) open_owner : S-1-5-21-1193122258-3968554332-1479395916-1000 open_time : Sat Apr 30 10:52:40 2016 CEST create_guid : 00000000-0000-0000-0000-000000000000 client_guid : 00000000-0000-0000-0000-000000000000 app_instance_id : 00000000-0000-0000-0000-000000000000 disconnect_time : NTTIME(0) durable_timeout_msec : 0x00000000 (0) durable : 0x00 (0) backend_cookie : DATA_BLOB length=0 status : NT_STATUS_OK idle_time : Sat Apr 30 10:52:40 2016 CEST compat : NULL [2016/04/30 10:52:40.371548, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:128(file_new) allocated file structure fnum 4290320671 (2 used) [2016/04/30 10:52:40.371554, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:745(file_name_hash) file_name_hash: /tmp/wkssvc hash 0x2b4dd005 [2016/04/30 10:52:40.371563, 4, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:89(make_internal_rpc_pipe_socketpair) Create of internal pipe wkssvc requested [2016/04/30 10:52:40.371598, 8, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/dosmode.c:583(dos_mode) dos_mode: wkssvc [2016/04/30 10:52:40.371609, 10, pid=39178, 
effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_create.c:1303(smbd_smb2_create_send) smbd_smb2_create_send: wkssvc - fnum 4290320671 [2016/04/30 10:52:40.371616, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[88] dyn[yes:0] at ../source3/smbd/smb2_create.c:364 [2016/04/30 10:52:40.371623, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/783/127 [2016/04/30 10:52:40.372041, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.372054, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 783 (position 783) from bitmap [2016/04/30 10:52:40.372061, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 783 [2016/04/30 10:52:40.372068, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.372075, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: 
S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.372161, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.372198, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.372205, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 783, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.372215, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: wkssvc - fnum 4290320671 [2016/04/30 10:52:40.372222, 
10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.372229, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.372235, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/784/127 [2016/04/30 10:52:40.372633, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.372658, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 784 (position 784) from bitmap [2016/04/30 10:52:40.372665, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 784 [2016/04/30 10:52:40.372672, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.372679, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: 
S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.372765, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.372805, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.372813, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 784, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.372818, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: wkssvc - fnum 4290320671 [2016/04/30 10:52:40.372825, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.372832, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.372838, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/785/127 [2016/04/30 10:52:40.373240, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.373265, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 785 (position 785) from bitmap [2016/04/30 10:52:40.373271, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_GETINFO] mid = 785 [2016/04/30 10:52:40.373279, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.373286, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: 
S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.373371, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.373413, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.373420, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 785, CreditCharge: 1, 
NeededCharge: 1 [2016/04/30 10:52:40.373425, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_getinfo.c:272(smbd_smb2_getinfo_send) smbd_smb2_getinfo_send: wkssvc - fnum 4290320671 [2016/04/30 10:52:40.373432, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_getinfo.c:154 [2016/04/30 10:52:40.373439, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2016/04/30 10:52:40.373445, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/786/127 [2016/04/30 10:52:40.373862, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.373887, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 786 (position 786) from bitmap [2016/04/30 10:52:40.373893, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_WRITE] mid = 786 [2016/04/30 10:52:40.373901, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.373907, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: 
S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.373997, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.374034, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.374041, 10, pid=39178, effective(0, 1015), 
real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 786, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.374046, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_write.c:290(smbd_smb2_write_send) smbd_smb2_write: wkssvc - fnum 4290320671 [2016/04/30 10:52:40.374052, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 116 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 48 req->in.vector[4].iov_len = 116 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.374084, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[16] dyn[yes:0] at ../source3/smbd/smb2_write.c:164 [2016/04/30 10:52:40.374092, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/787/127 [2016/04/30 10:52:40.374117, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.374124, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 11 [2016/04/30 10:52:40.374130, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:728(api_pipe_bind_req) api_pipe_bind_req: wkssvc -> wkssvc rpc service [2016/04/30 10:52:40.374135, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:761(api_pipe_bind_req) api_pipe_bind_req: make response. 761 [2016/04/30 10:52:40.374140, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:356(check_bind_req) check_bind_req for wkssvc context_id=0 [2016/04/30 10:52:40.374145, 3, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:399(check_bind_req) check_bind_req: wkssvc -> wkssvc rpc service [2016/04/30 10:52:40.374150, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:223(init_pipe_handles) init_pipe_handle_list: created handle list for pipe wkssvc [2016/04/30 10:52:40.374155, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:240(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe wkssvc [2016/04/30 10:52:40.374165, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) 
bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\wkssvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) reason : union dcerpc_bind_ack_reason(case 0) value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2016/04/30 10:52:40.374262, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 0 bytes [2016/04/30 10:52:40.374267, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 68 [2016/04/30 10:52:40.374634, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.374660, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 787 (position 787) from bitmap [2016/04/30 10:52:40.374666, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_READ] mid = 787 [2016/04/30 10:52:40.374674, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.374680, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: 
S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.374771, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.374809, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.374816, 10, pid=39178, effective(0, 1015), real(0, 0)] 
../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 787, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.374821, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_read.c:463(smbd_smb2_read_send) smbd_smb2_read: wkssvc - fnum 4290320671 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 48 req->in.vector[4].iov_len = 1 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.374859, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 68 bytes. There is no more data outstanding [2016/04/30 10:52:40.374867, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[16] dyn[yes:68] at ../source3/smbd/smb2_read.c:164 [2016/04/30 10:52:40.374874, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/788/127 [2016/04/30 10:52:40.375219, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.375227, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 788 (position 788) from bitmap [2016/04/30 10:52:40.375232, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_IOCTL] mid = 788 [2016/04/30 10:52:40.375239, 4, pid=39178, 
effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.375245, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.375334, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 
9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.375370, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.375376, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:1908(smbd_smb2_request_verify_creditcharge) mid 788, CreditCharge: 1, NeededCharge: 1 [2016/04/30 10:52:40.375381, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:394(smbd_smb2_ioctl_send) smbd_smb2_ioctl: ctl_code[0x0011c017] wkssvc, fnum 4290320671 [2016/04/30 10:52:40.375387, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:61(smb2_ioctl_named_pipe) smbd_smb2_ioctl_send: np_write_send of size 64 [2016/04/30 10:52:40.375392, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:172(np_write_send) np_write_send: len: 64 smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 56 req->in.vector[4].iov_len = 64 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:40.375421, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:119(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: received 64 [2016/04/30 10:52:40.375428, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:140(smbd_smb2_ioctl_pipe_write_done) smbd_smb2_ioctl_pipe_write_done: issuing np_read_send of size 1024 [2016/04/30 10:52:40.375446, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:441(named_pipe_packet_process) PDU is in Little Endian format! 
[2016/04/30 10:52:40.375452, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1685(process_complete_pdu) Processing packet type 0 [2016/04/30 10:52:40.375457, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1554(dcesrv_auth_request) Checking request auth. [2016/04/30 10:52:40.375464, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 1015) : sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.375473, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 1 [2016/04/30 10:52:40.375479, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 
4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.375563, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.375597, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.375603, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request) Requested wkssvc rpc service [2016/04/30 10:52:40.375607, 4, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP) api_rpcTNP: wkssvc op 0x0 - api_rpcTNP: rpc command: WKSSVC_NETWKSTAGETINFO [2016/04/30 10:52:40.375613, 6, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP) api_rpc_cmds[0].fn == 0x7f9b33cb6bb0 [2016/04/30 10:52:40.375620, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) wkssvc_NetWkstaGetInfo: struct wkssvc_NetWkstaGetInfo in: struct wkssvc_NetWkstaGetInfo server_name : * server_name : '\\SERWER2' level : 0x00000064 (100) [2016/04/30 10:52:40.375637, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug) wkssvc_NetWkstaGetInfo: struct wkssvc_NetWkstaGetInfo out: struct wkssvc_NetWkstaGetInfo info : * info : union wkssvc_NetWkstaInfo(case 100) info100 : * info100: 
struct wkssvc_NetWkstaInfo100 platform_id : PLATFORM_ID_NT (500) server_name : * server_name : 'SERWER2' domain_name : * domain_name : 'TRASKOSTAL' version_major : 0x00000006 (6) version_minor : 0x00000001 (1) result : WERR_OK [2016/04/30 10:52:40.375680, 5, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1496(api_rpcTNP) api_rpcTNP: called wkssvc successfully [2016/04/30 10:52:40.375689, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.375696, 1, pid=39178, effective(0, 1015), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0078 (120) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000060 (96) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=96 [0000] 64 00 00 00 04 00 02 00 F4 01 00 00 08 00 02 00 d....... ........ [0010] 0C 00 02 00 06 00 00 00 01 00 00 00 08 00 00 00 ........ ........ [0020] 00 00 00 00 08 00 00 00 53 00 45 00 52 00 57 00 ........ S.E.R.W. [0030] 45 00 52 00 32 00 00 00 0B 00 00 00 00 00 00 00 E.R.2... ........ [0040] 0B 00 00 00 54 00 52 00 41 00 53 00 4B 00 4F 00 ....T.R. A.S.K.O. [0050] 53 00 54 00 41 00 4C 00 00 00 00 00 00 00 00 00 S.T.A.L. ........ 
[2016/04/30 10:52:40.375838, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:509(named_pipe_packet_process) Sending 1 fragments in a total of 96 bytes [2016/04/30 10:52:40.375843, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/rpc_server/rpc_server.c:514(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 120 [2016/04/30 10:52:40.375865, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe_hnd.c:417(np_read_recv) Received 120 bytes. There is no more data outstanding [2016/04/30 10:52:40.375871, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl_named_pipe.c:169(smbd_smb2_ioctl_pipe_read_done) smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = 120 is_data_outstanding = 0, status = NT_STATUS_OK [2016/04/30 10:52:40.375878, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 120 status NT_STATUS_OK [2016/04/30 10:52:40.375883, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[48] dyn[yes:120] at ../source3/smbd/smb2_ioctl.c:358 [2016/04/30 10:52:40.375889, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/789/127 [2016/04/30 10:52:40.376427, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:40.376462, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 789 (position 789) from bitmap [2016/04/30 10:52:40.376467, 10, pid=39178, 
effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_CLOSE] mid = 789 [2016/04/30 10:52:40.376474, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:40.376480, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:40.376565, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary 
group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:40.376601, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:40.376608, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_close.c:227(smbd_smb2_close) smbd_smb2_close: wkssvc - fnum 4290320671 [2016/04/30 10:52:40.376615, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.376620, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_open_global.tdb 2: 3: [2016/04/30 10:52:40.376627, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key 9B5E34D2 [2016/04/30 10:52:40.376637, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353d72d0 [2016/04/30 10:52:40.376647, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key 9B5E34D2 [2016/04/30 10:52:40.376652, 5, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb [2016/04/30 10:52:40.376657, 10, pid=39178, effective(0, 1015), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:40.376668, 10, pid=39178, effective(0, 1015), real(0, 0), class=rpc_srv] ../source3/rpc_server/rpc_handles.c:418(close_policy_by_pipe) Deleted 
handle list for RPC connection wkssvc [2016/04/30 10:52:40.376678, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/files.c:554(file_free) freed files structure 4290320671 (1 used) [2016/04/30 10:52:40.376685, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[60] dyn[no:0] at ../source3/smbd/smb2_close.c:144 [2016/04/30 10:52:40.376691, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/790/127 [2016/04/30 10:52:44.517888, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/lib/events.c:426(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(deadtime) (nil) called [2016/04/30 10:52:44.517911, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/lib/events.c:437(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(deadtime) (nil) rescheduled [2016/04/30 10:52:44.517920, 10, pid=39178, effective(0, 1015), real(0, 0)] ../source3/lib/events.c:426(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(housekeeping) (nil) called [2016/04/30 10:52:44.517925, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/process.c:2812(housekeeping_fn) housekeeping [2016/04/30 10:52:44.517931, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:44.517937, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:44.517943, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:44.517966, 5, 
pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2016/04/30 10:52:44.517990, 6, pid=39178, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2224(lp_file_list_changed) lp_file_list_changed() file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Sat Apr 30 10:03:39 2016 [2016/04/30 10:52:44.518005, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/lib/events.c:437(smbd_idle_event_handler) smbd_idle_event_handler: idle_evt(housekeeping) (nil) rescheduled [2016/04/30 10:52:52.321362, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler) smbd_smb2_request idx[1] of 5 vectors [2016/04/30 10:52:52.321404, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number) smb2_validate_sequence_number: clearing id 790 (position 790) from bitmap [2016/04/30 10:52:52.321423, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch) smbd_smb2_request_dispatch: opcode[SMB2_OP_TDIS] mid = 790 [2016/04/30 10:52:52.321460, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 1015) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:52.321478, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (31): SID[ 0]: S-1-5-21-1193122258-3968554332-1479395916-1000 SID[ 1]: S-1-5-21-1193122258-3968554332-1479395916-1004 SID[ 2]: S-1-5-21-1193122258-3968554332-1479395916-512 SID[ 3]: S-1-5-21-1193122258-3968554332-1479395916-513 SID[ 4]: S-1-5-21-1193122258-3968554332-1479395916-1078 SID[ 5]: S-1-5-21-1193122258-3968554332-1479395916-1184 SID[ 6]: S-1-5-21-1193122258-3968554332-1479395916-1197 SID[ 7]: S-1-5-21-1193122258-3968554332-1479395916-1216 SID[ 8]: S-1-22-2-4 SID[ 9]: S-1-22-2-24 SID[ 10]: S-1-22-2-27 SID[ 11]: 
S-1-22-2-30 SID[ 12]: S-1-22-2-46 SID[ 13]: S-1-22-2-110 SID[ 14]: S-1-22-2-111 SID[ 15]: S-1-22-2-1000 SID[ 16]: S-1-1-0 SID[ 17]: S-1-5-2 SID[ 18]: S-1-5-11 SID[ 19]: S-1-5-32-544 SID[ 20]: S-1-5-32-545 SID[ 21]: S-1-22-1-1000 SID[ 22]: S-1-22-2-1015 SID[ 23]: S-1-22-2-1012 SID[ 24]: S-1-22-2-1013 SID[ 25]: S-1-22-2-1046 SID[ 26]: S-1-22-2-1060 SID[ 27]: S-1-22-2-1061 SID[ 28]: S-1-22-2-1063 SID[ 29]: S-1-22-2-10000 SID[ 30]: S-1-22-2-10001 Privileges (0x 1FF0): Privilege[ 0]: SeMachineAccountPrivilege Privilege[ 1]: SeTakeOwnershipPrivilege Privilege[ 2]: SeBackupPrivilege Privilege[ 3]: SeRestorePrivilege Privilege[ 4]: SeRemoteShutdownPrivilege Privilege[ 5]: SePrintOperatorPrivilege Privilege[ 6]: SeAddUsersPrivilege Privilege[ 7]: SeDiskOperatorPrivilege Privilege[ 8]: SeIncreaseQuotaPrivilege Rights (0x 0): [2016/04/30 10:52:52.321706, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 1015 and contains 17 supplementary groups Group[ 0]: 1015 Group[ 1]: 1012 Group[ 2]: 1013 Group[ 3]: 1046 Group[ 4]: 1060 Group[ 5]: 1061 Group[ 6]: 1063 Group[ 7]: 4 Group[ 8]: 24 Group[ 9]: 27 Group[ 10]: 30 Group[ 11]: 46 Group[ 12]: 110 Group[ 13]: 111 Group[ 14]: 1000 Group[ 15]: 10000 Group[ 16]: 10001 [2016/04/30 10:52:52.321808, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/uid.c:363(change_to_user_internal) Impersonated user: uid=(0,0), gid=(0,1015) [2016/04/30 10:52:52.321826, 4, pid=39178, effective(0, 1015), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:52.321839, 5, pid=39178, effective(0, 1015), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:52.321851, 5, pid=39178, effective(0, 1015), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 
supplementary groups [2016/04/30 10:52:52.321872, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) smbd_smb2_request_pending_queue: req->current_idx = 1 req->in.vector[0].iov_len = 0 req->in.vector[1].iov_len = 0 req->in.vector[2].iov_len = 64 req->in.vector[3].iov_len = 4 req->in.vector[4].iov_len = 0 req->out.vector[0].iov_len = 4 req->out.vector[1].iov_len = 0 req->out.vector[2].iov_len = 64 req->out.vector[3].iov_len = 8 req->out.vector[4].iov_len = 0 [2016/04/30 10:52:52.321945, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:52.321959, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:52.321972, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:52.321998, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2016/04/30 10:52:52.322014, 5, pid=39178, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order) check lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb [2016/04/30 10:52:52.322027, 10, pid=39178, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1:/var/run/samba/smbXsrv_tcon_global.tdb 2: 3: [2016/04/30 10:52:52.322045, 10, pid=39178, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Locking key B10F79CB [2016/04/30 10:52:52.322065, 10, pid=39178, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal) Allocated locked data 0x0x7f9b353cafe0 [2016/04/30 10:52:52.322089, 10, pid=39178, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key) Unlocking key B10F79CB [2016/04/30 10:52:52.322102, 5, pid=39178, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb [2016/04/30 10:52:52.322114, 10, pid=39178, effective(0, 0), real(0, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order) lock order: 1: 2: 3: [2016/04/30 10:52:52.322132, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:52.322144, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:52.322155, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:52.322174, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2016/04/30 10:52:52.322187, 3, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:1140(close_cnum) ts78 (ipv4:10.10.10.78:54318) closed connection to service IPC$ [2016/04/30 10:52:52.322209, 4, pid=39178, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:844(vfs_ChDir) vfs_ChDir to / [2016/04/30 10:52:52.322235, 4, pid=39178, effective(0, 0), real(0, 0), class=vfs] ../source3/smbd/vfs.c:855(vfs_ChDir) vfs_ChDir got / [2016/04/30 10:52:52.322249, 4, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2016/04/30 10:52:52.322261, 5, pid=39178, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2016/04/30 10:52:52.322272, 5, pid=39178, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:639(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2016/04/30 10:52:52.322291, 5, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2016/04/30 10:52:52.322315, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[4] dyn[no:0] at ../source3/smbd/smb2_tcon.c:517 [2016/04/30 10:52:52.322334, 10, pid=39178, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/791/127