accepted socket 17
process_request: request fn INTERFACE_VERSION
[ 3274]: request interface version
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[ 3274]: request location of privileged pipe
accepted socket 23
process_request: request fn GETGRNAM
[ 3274]: getgrnam DIALOG-Domänen-Admins
child daemon request 21
child_process_request: request fn LOOKUPNAME
[ 3244]: lookupname Domänen-Admins
name_to_sid: [Cached] - doing backend query for name for domain DIALOG
rpc: name_to_sid name=Domänen\Admins
name_to_sid [rpc] Domänen\Admins for domain Domänen
lsa_LookupNames: struct lsa_LookupNames
    in: struct lsa_LookupNames
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 5517fe0e-46ea-4387-93e3-fdc3e48657c1
        num_names : 0x00000001 (1)
        names: ARRAY(1)
            names: struct lsa_String
                length : 0x001c (28)
                size : 0x001c (28)
                string : *
                    string : 'Domänen\Admins'
        sids : *
            sids: struct lsa_TransSidArray
                count : 0x00000000 (0)
                sids : NULL
        level : LSA_LOOKUP_NAMES_ALL (1)
        count : *
            count : 0x00000000 (0)
000000 smb_io_rpc_hdr hdr
    0000 major : 05
    0001 minor : 00
    0002 pkt_type : 00
    0003 flags : 03
    0004 pack_type0: 10
    0005 pack_type1: 00
    0006 pack_type2: 00
    0007 pack_type3: 00
    0008 frag_len : 00a0
    000a auth_len : 0020
    000c call_id : 00000017
000010 smb_io_rpc_hdr_req hdr_req
    0010 alloc_hint: 0000005c
    0014 context_id: 0000
    0016 opnum : 000e
000078 smb_io_rpc_hdr_auth hdr_auth
    0078 auth_type : 44
    0079 auth_level : 06
    007a auth_pad_len : 04
    007b auth_reserved: 00
    007c auth_context_id: 00000001
add_schannel_auth_footer: SCHANNEL seq_num=6
SCHANNEL: schannel_encode seq_num=6 data_len=96
000080 smb_io_rpc_auth_schannel_chk
    0080 sig : 77 00 7a 00 ff ff 00 00
    0088 seq_num: 67 5a af 25 5c e1 35 9e
    0090 packet_digest: d6 0b 3a 99 7e 1a 2a b5
    0098 confounder: 25 ef b2 75 32 d9 90 dd
rpc_api_pipe: Remote machine NEO pipe \lsarpc fnum 0x1807
size=242
smb_com=0x25
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=8
smb_flg2=51201
smb_tid=2
smb_pid=3245
smb_uid=63490
smb_mid=40
smt_wct=16
000000 smb_io_rpc_hdr rpc_hdr
    0000 major : 05
    0001 minor : 00
    0002 pkt_type : 02
    0003 flags : 03
    0004 pack_type0: 10
    0005 pack_type1: 00
    0006 pack_type2: 00
    0007 pack_type3: 00
    0008 frag_len : 0070
    000a auth_len : 0020
    000c call_id : 00000017
000010 smb_io_rpc_hdr_resp rpc_hdr_resp
    0010 alloc_hint: 00000030
    0014 context_id: 0000
    0016 cancel_ct : 00
    0017 reserved : 00
000048 smb_io_rpc_hdr_auth hdr_auth
    0048 auth_type : 44
    0049 auth_level : 06
    004a auth_pad_len : 00
    004b auth_reserved: 00
    004c auth_context_id: 00000001
000050 smb_io_rpc_auth_schannel_chk
    0050 sig : 77 00 7a 00 ff ff 00 00
    0058 seq_num: b1 24 45 0e 86 87 43 ca
    0060 packet_digest: bc cd de 14 44 7e d5 3e
    0068 confounder: 1a 81 81 a6 ca 34 1d 12
SCHANNEL: schannel_decode seq_num=7 data_len=48
SCHANNEL: schannel_decode seq_num=7 data_len=48
cli_pipe_validate_current_pdu: got pdu len 112, data_len 48, ss_len 0
rpc_api_pipe: got PDU len of 112 at offset 0
rpc_api_pipe: Remote machine NEO pipe \lsarpc fnum 0x1807 returned 96 bytes.
lsa_LookupNames: struct lsa_LookupNames
    out: struct lsa_LookupNames
        domains : *
            domains : *
                domains: struct lsa_RefDomainList
                    count : 0x00000000 (0)
                    domains : NULL
                    max_size : 0x00000000 (0)
        sids : *
            sids: struct lsa_TransSidArray
                count : 0x00000001 (1)
                sids : *
                    sids: ARRAY(1)
                        sids: struct lsa_TranslatedSid
                            sid_type : SID_NAME_UNKNOWN (8)
                            rid : 0x00000000 (0)
                            sid_index : 0xffffffff (4294967295)
        count : *
            count : 0x00000000 (0)
        result : NT_STATUS_NONE_MAPPED
refresh_sequence_number: DIALOG time ok
refresh_sequence_number: DIALOG seq number is now 384038
wcache_save_name_to_sid: Domänen\ADMINS -> S-0-0 (NT_STATUS_NONE_MAPPED)
wcache_save_sid_to_name: S-0-0 -> admins (NT_STATUS_NONE_MAPPED)
Storing response for pid 3245, len 3496
Destroying timed event 9d678e8 "async_request_timeout"
Retrieving response for pid 3245
lookupname_recv: unable to determine forest root
getgrnam_recv: lookupname failed!