winbindd version 3.3.2-1.33 started. Copyright Andrew Tridgell and the Samba Team 1992-2009 lp_load_ex: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" Processing section "[global]" doing parameter realm = CHILD03.EIGHTAD6.TESTING.COM doing parameter workgroup = CHILD03 doing parameter server string = Samba Server Version %v doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 50 doing parameter security = ads doing parameter passdb backend = tdbsam doing parameter client ntlmv2 auth = yes doing parameter load printers = yes doing parameter cups options = raw pm_process() returned Yes lp_servicenumber: couldn't find homes set_server_role: role = ROLE_DOMAIN_MEMBER Attempting to register new charset UCS-2LE Registered charset UCS-2LE Attempting to register new charset UTF-16LE Registered charset UTF-16LE Attempting to register new charset UCS-2BE Registered charset UCS-2BE Attempting to register new charset UTF-16BE Registered charset UTF-16BE Attempting to register new charset UTF8 Registered charset UTF8 Attempting to register new charset UTF-8 Registered charset UTF-8 Attempting to register new charset ASCII Registered charset ASCII Attempting to register new charset 646 Registered charset 646 Attempting to register new charset ISO-8859-1 Registered charset ISO-8859-1 Attempting to register new charset UCS2-HEX Registered charset UCS2-HEX Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Registered MSG_REQ_POOL_USAGE Registered 
MSG_REQ_DMALLOC_MARK and LOG_CHANGED lp_load_ex: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" Processing section "[global]" doing parameter realm = CHILD03.EIGHTAD6.TESTING.COM doing parameter workgroup = CHILD03 doing parameter server string = Samba Server Version %v doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 50 doing parameter security = ads doing parameter passdb backend = tdbsam doing parameter client ntlmv2 auth = yes doing parameter load printers = yes doing parameter cups options = raw Processing section "[homes]" add_a_service: Creating snum = 0 for homes hash_a_service: creating servicehash hash_a_service: hashing index 0 for service name homes doing parameter comment = Home Directories doing parameter browseable = no doing parameter writable = yes Processing section "[printers]" add_a_service: Creating snum = 1 for printers hash_a_service: hashing index 1 for service name printers doing parameter comment = All Printers doing parameter path = /var/spool/samba doing parameter browseable = no doing parameter guest ok = no doing parameter writable = no doing parameter printable = yes pm_process() returned Yes add_a_service: Creating snum = 2 for IPC$ hash_a_service: hashing index 2 for service name IPC$ adding IPC service set_server_role: role = ROLE_DOMAIN_MEMBER Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE added interface eth0 ip=fe80::230:48ff:fe57:b116%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 
netmask=ffff:ffff:ffff:ffff:: added interface eth1 ip=fe80::230:48ff:fe57:b117%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff:: added interface eth1 ip=192.168.12.81 bcast=192.168.12.255 netmask=255.255.255.0 added interface eth0 ip=192.168.152.81 bcast=192.168.152.255 netmask=255.255.255.0 Netbios name list:- my_netbios_names[0]="ALTAIR" added interface eth0 ip=fe80::230:48ff:fe57:b116%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff:: added interface eth1 ip=fe80::230:48ff:fe57:b117%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff:: added interface eth1 ip=192.168.12.81 bcast=192.168.12.255 netmask=255.255.255.0 added interface eth0 ip=192.168.152.81 bcast=192.168.152.255 netmask=255.255.255.0 Opening cache file at /var/lib/samba/gencache.tdb namecache_enable: enabling netbios namecache, timeout 660 seconds fcntl_lock fd=7 op=6 offset=0 count=1 type=1 fcntl_lock: Lock call successful TimeInit: Serverzone is -19800 initialize_winbindd_cache: clearing cache and re-creating with version number 1 claiming [] Locking key 79260000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Allocated locked data 0x0x2ab26bad4ce0 Unlocking key 
79260000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Overriding messaging pointer for type 1 - private_data=(nil) wcache_tdc_add_domain: Adding domain BUILTIN (), SID S-1-5-32, flags = 0x0, attributes = 0x0, type = 0x0 pack_tdc_domains: Packing 1 trusted domains pack_tdc_domains: Packing domain BUILTIN () idmap config BUILTIN : range = not defined Added domain BUILTIN S-1-5-32 wcache_tdc_add_domain: Adding domain ALTAIR (), SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attributes = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 pack_tdc_domains: Packing 2 trusted domains pack_tdc_domains: Packing domain BUILTIN () pack_tdc_domains: Packing domain ALTAIR () idmap config ALTAIR : range = not defined Added domain ALTAIR S-1-5-21-981045367-1446913133-3103150389 wcache_tdc_add_domain: Adding domain CHILD03 (CHILD03.EIGHTAD6.TESTING.COM), SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x0, attributes = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 pack_tdc_domains: Packing 3 trusted domains pack_tdc_domains: Packing domain BUILTIN () pack_tdc_domains: Packing domain ALTAIR () pack_tdc_domains: Packing domain CHILD03 (CHILD03.EIGHTAD6.TESTING.COM) idmap config CHILD03 : range = not defined Added domain CHILD03 
CHILD03.EIGHTAD6.TESTING.COM S-1-5-21-1527705246-3463401961-2594329352 set_domain_online_request: called for domain CHILD03 set_domain_online_request: domain CHILD03 was globally offline. Added timed event "check_domain_online_handler": 2ab26bad70a0 open_winbindd_socket: opened socket fd 11 open_winbindd_priv_socket: opened socket fd 12 Sending request to child pid 0 (domain=CHILD03) fork_domain_child called for domain 'CHILD03' Child process 9850 Deregistering messaging pointer for type 769 - private_data=(nil) Deregistering messaging pointer for type 13 - private_data=(nil) Deregistering messaging pointer for type 1028 - private_data=(nil) Deregistering messaging pointer for type 1027 - private_data=(nil) timed_events_timeout: 4/999019 Deregistering messaging pointer for type 1029 - private_data=(nil) Deregistering messaging pointer for type 1280 - private_data=(nil) Added timed event "async_request_timeout_handler": 2ab26ba8e520 timed_events_timeout: 4/998782 Deregistering messaging pointer for type 1033 - private_data=(nil) Deregistering messaging pointer for type 1 - private_data=(nil) Destroying timed event 2ab26bad70a0 "check_domain_online_handler" set_domain_online_request: called for domain CHILD03 set_domain_online_request: domain CHILD03 was globally offline. Added timed event "check_domain_online_handler": 2ab26bad6040 machine password still valid until: Wed, 02 Dec 2009 18:29:39 IST Added timed event "machine_password_change_handler": 2ab26bad4ce0 timed_events_timeout: 4/999651 select will use timeout of 4.999651 seconds child daemon request 48 child_process_request: request fn INIT_CONNECTION connection_ok: Connection to for domain CHILD03 has NULL cli! 
Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "CHILD03" domain Cache entry with key = NEG_CONN_CACHE/CHILD03,norma.child03.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain CHILD03 server norma.child03.eightad6.testing.com cm_open_connection: saf_servername is 'norma.child03.eightad6.testing.com' for domain CHILD03 cm_open_connection: dcname is 'norma.child03.eightad6.testing.com' for domain CHILD03 Cache entry with key = NEG_CONN_CACHE/CHILD03,norma.child03.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain CHILD03 server norma.child03.eightad6.testing.com Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning expired cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:31:20 2009 no entry for norma.child03.eightad6.testing.com#20 found. resolve_lmhosts: Attempting lmhosts lookup for name norma.child03.eightad6.testing.com<0x20> getlmhostsent: lmhost entry: 127.0.0.1 localhost resolve_wins: Attempting wins lookup for name norma.child03.eightad6.testing.com<0x20> resolve_wins: WINS server resolution selected and no WINS servers listed. 
resolve_hosts: Attempting host lookup for name norma.child03.eightad6.testing.com<0x20> remove_duplicate_addrs2: looking for duplicate address/port pairs namecache_store: storing 1 address for norma.child03.eightad6.testing.com#20: 192.168.12.172 Adding cache entry with key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20; value = 192.168.12.172:0 and timeout = Wed Nov 25 18:42:25 2009 (660 seconds ahead) internal_resolve_name: returning 1 addresses: 192.168.12.172:0 cm_prepare_connection: connecting to DC norma.child03.eightad6.testing.com for domain CHILD03 write_socket(16,194) write_socket(16,194) wrote 194 got smb length of 192 size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=9850 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=27264 (0x6A80) smb_vwv[12]=54963 (0xD6B3) smb_vwv[13]=53094 (0xCF66) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. [070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=9850 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=27264 (0x6A80) smb_vwv[12]=54963 (0xD6B3) smb_vwv[13]=53094 (0xCF66) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. [070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM connecting to norma.child03.eightad6.testing.com from ALTAIR with kerberos principal [ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM] and realm [CHILD03.EIGHTAD6.TESTING.COM] winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 Doing spnego session setup (blob length=123) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=norma$@CHILD03.EIGHTAD6.TESTING.COM kerberos_kinit_password: as ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM using [MEMORY:cliconnect] as ccache and config [(null)] Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Doing kerberos session setup ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 26 Nov 2009 04:31:28 IST ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:cliconnect) is valid until: (Thu, 26 Nov 2009 04:31:28 IST - 1259190088) ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT Got KRB5 session key of length 16 cli_session_setup_blob: Remaining (0) sending (2550) current (2550) write_socket(16,2636) write_socket(16,2636) wrote 2636 got smb length of 197 size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9850 smb_uid=10242 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 
09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 ED 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9850 smb_uid=10242 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 ED 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. Mandatory SMB signing enabled! SMB signing enabled! cli_simple_set_signing: user_session_key [000] 10 65 20 28 A6 F2 C5 B1 86 2B B0 A6 9E 70 D2 D9 .e (.... .+...p.. 
cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 74 B6 4F C5 AE C9 43 3C t.O...C< store_sequence_for_reply: stored seq = 1 mid = 2 get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 58 09 F5 9A 5E D7 7C 11 X...^.|. cli_init_creds: user ALTAIR$ domain CHILD03 saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) saf_store: domain = [CHILD03.EIGHTAD6.TESTING.COM], server = [norma.child03.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 01 6E 62 4D 40 3F 9B BF .nbM@?.. store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(16,136) write_socket(16,136) wrote 136 got smb length of 56 size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=3 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]= 511 (0x1FF) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 511 (0x1FF) smb_vwv[ 6]= 0 (0x0) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... 
get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 3C A6 BB 34 CF 02 96 5F <..4..._ winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 set_global_winbindd_state_online: online requested. set_global_winbindd_state_online: rejecting. set_domain_online: called for domain CHILD03 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 Destroying timed event 2ab26bad6040 "check_domain_online_handler" set_dc_type_and_flags: setting up flags for primary domain set_dc_type_and_flags_connect: domain CHILD03 simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 94 AE CF B7 FD 4C 09 90 .....L.. store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(16,104) write_socket(16,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3072 (0xC00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 mid = 4 simple_packet_signature: sequence number 5 
client_check_incoming_message: seq 5: got good SMB signature of [000] EC F9 F2 19 76 28 7E D9 ....v(~. Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800c auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 3919286a 0024 data : b10c 0026 data : 11d0 0028 data : 9b a8 002a data : 00 c0 4f d9 2e f5 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800c size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] 9D D3 AA 4B 39 FD 9A 9A ...K9... store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 99 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 7 mid = 5 simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] F8 8C AD F1 2D 63 46 BB ....-cF. size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 99 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 7 mid = 5 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800c returned 68 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800c bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00007099 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. 
dssetup_DsRoleGetPrimaryDomainInformation: struct dssetup_DsRoleGetPrimaryDomainInformation in: struct dssetup_DsRoleGetPrimaryDomainInformation level : DS_ROLE_BASIC_INFORMATION (1) 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 001a 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000002 0014 context_id: 0000 0016 opnum : 0000 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800c size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=41 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 02 ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] D8 B1 4C 71 6E 01 36 90 ..Lqn.6. store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(16,112) write_socket(16,112) wrote 112 got smb length of 284 size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ 
........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. [060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 63 00 15 00 00 00 00 00 00 .o.m...c ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 6E .n.g...c .o.m...n [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 03 66 E6 18 25 E8 36 73 .f..%.6s size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. 
[060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 63 00 15 00 00 00 00 00 00 .o.m...c ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 6E .n.g...c .o.m...n [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00e4 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000cc 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 228, data_len 204, ss_len 0 rpc_api_pipe: got PDU len of 228 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800c returned 408 bytes. 
dssetup_DsRoleGetPrimaryDomainInformation: struct dssetup_DsRoleGetPrimaryDomainInformation out: struct dssetup_DsRoleGetPrimaryDomainInformation info : * info : union dssetup_DsRoleInfo(case 1) basic: struct dssetup_DsRolePrimaryDomInfoBasic role : DS_ROLE_PRIMARY_DC (5) flags : 0x01000001 (16777217) 1: DS_ROLE_PRIMARY_DS_RUNNING 0: DS_ROLE_PRIMARY_DS_MIXED_MODE 0: DS_ROLE_UPGRADE_IN_PROGRESS 1: DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT domain : * domain : 'CHILD03' dns_domain : * dns_domain : 'child03.eightad6.testing.com' forest : * forest : 'eightad6.testing.com' domain_guid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 result : WERR_OK simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] A9 8B 56 6A 2E 07 C9 FC ..Vj.... store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=7 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 11 mid = 7 simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] 67 C2 9B A3 2F 7C 4B E5 g.../|K. rpc_pipe_destructor: closed host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800c simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] B9 94 84 05 57 45 6E CA ....WEn. 
store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(16,104) write_socket(16,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3328 (0xD00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] C5 8F 31 D6 C7 9A D2 B2 ..1..... 
Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32781 (0x800D) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] 29 A4 84 A2 69 DF 05 0C )...i... store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 9A 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 15 mid = 9 simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 5D 79 A4 9B 6C 3E 23 A8 ]y..l>#. size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 9A 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 15 mid = 9 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d returned 68 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000709a 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. 
init_lsa_sec_qos init_lsa_obj_attr lsa_OpenPolicy2: struct lsa_OpenPolicy2 in: struct lsa_OpenPolicy2 system_name : * system_name : '\\NORMA.CHILD03.EIGHTAD6.TESTING.COM' attr : * attr: struct lsa_ObjectAttribute len : 0x00000018 (24) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : * sec_qos: struct lsa_QosInfo len : 0x0000000c (12) impersonation_level : 0x0002 (2) context_mode : 0x01 (1) effective_only : 0x00 (0) access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0098 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000080 0014 context_id: 0000 0016 opnum : 002c rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d size=234 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 152 (0x98) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 152 (0x98) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32781 (0x800D) smb_bcc=167 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 98 00 00 00 04 00 00 00 80 ........ ........ 
[020] 00 00 00 00 00 2C 00 00 00 02 00 25 00 00 00 00 .....,.. ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 4E 00 4F 00 52 ...%...\ .\.N.O.R [040] 00 4D 00 41 00 2E 00 43 00 48 00 49 00 4C 00 44 .M.A...C .H.I.L.D [050] 00 30 00 33 00 2E 00 45 00 49 00 47 00 48 00 54 .0.3...E .I.G.H.T [060] 00 41 00 44 00 36 00 2E 00 54 00 45 00 53 00 54 .A.D.6.. .T.E.S.T [070] 00 49 00 4E 00 47 00 2E 00 43 00 4F 00 4D 00 00 .I.N.G.. .C.O.M.. [080] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [090] 00 00 00 00 00 00 00 04 00 02 00 0C 00 00 00 02 ........ ........ [0A0] 00 01 00 00 00 00 02 ....... simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] 5C 42 C2 ED FD A5 AF FF \B...... store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(16,238) write_socket(16,238) wrote 238 got smb length of 104 size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 DB B7 8E ........ ........ [020] CF 25 ED 16 4D 9A D1 80 15 10 B0 9C 36 00 00 00 .%..M... ....6... [030] 00 . get_sequence_for_reply: found seq = 17 mid = 10 simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] D1 57 6C 66 68 8A D9 92 .Wlfh... 
size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 DB B7 8E ........ ........ [020] CF 25 ED 16 4D 9A D1 80 15 10 B0 9C 36 00 00 00 .%..M... ....6... [030] 00 . get_sequence_for_reply: found seq = 17 mid = 10 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0030 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 rpc_api_pipe: got PDU len of 48 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d returned 48 bytes. 
lsa_OpenPolicy2: struct lsa_OpenPolicy2 out: struct lsa_OpenPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : cf8eb7db-ed25-4d16-9ad1-801510b09c36 result : NT_STATUS_OK lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 in: struct lsa_QueryInfoPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : cf8eb7db-ed25-4d16-9ad1-801510b09c36 level : LSA_POLICY_INFO_DNS (12) 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 002e 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000016 0014 context_id: 0000 0016 opnum : 002e rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32781 (0x800D) smb_bcc=61 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 16 ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 DB B7 8E CF 25 ........ .......% [030] ED 16 4D 9A D1 80 15 10 B0 9C 36 0C 00 ..M..... ..6.. simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] 5C 13 DA 96 6C CF 84 91 \...l... 
store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(16,132) write_socket(16,132) wrote 132 got smb length of 312 size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 23 B6 1D 00 00 00 00 00 00 .D.0.3.# ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ [0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . 
get_sequence_for_reply: found seq = 19 mid = 11 simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 9E 33 67 BE 88 7C F0 36 .3g..|.6 size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 23 B6 1D 00 00 00 00 00 00 .D.0.3.# ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ [0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . 
get_sequence_for_reply: found seq = 19 mid = 11 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0100 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000e8 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 256, data_len 232, ss_len 0 rpc_api_pipe: got PDU len of 256 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d returned 464 bytes. lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 out: struct lsa_QueryInfoPolicy2 info : * info : * info : union lsa_PolicyInformation(case 12) dns: struct lsa_DnsDomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'CHILD03' dns_domain: struct lsa_StringLarge length : 0x0038 (56) size : 0x003a (58) string : * string : 'child03.eightad6.testing.com' dns_forest: struct lsa_StringLarge length : 0x0028 (40) size : 0x002a (42) string : * string : 'eightad6.testing.com' domain_guid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 sid : * sid : S-1-5-21-1527705246-3463401961-2594329352 result : NT_STATUS_OK set_dc_type_and_flags_connect: domain CHILD03 is in native mode. set_dc_type_and_flags_connect: domain CHILD03 is running active directory. simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 0F 09 8F 3F 64 C8 31 D5 ...?d.1. 
store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=12 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 12 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] DC B3 C6 84 37 C8 1A 7C ....7..| rpc_pipe_destructor: closed host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0x800d Storing response for pid 9850, len 3496 timed_events_timeout: 604693/600737 select will use timeout of 604693.600737 seconds Destroying timed event 2ab26ba8e520 "async_request_timeout_handler" Retrieving response for pid 9850 Received child initialization response for domain CHILD03 connection_ok: Connection to for domain CHILD03 has NULL cli! Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "CHILD03" domain Cache entry with key = NEG_CONN_CACHE/CHILD03,norma.child03.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain CHILD03 server norma.child03.eightad6.testing.com cm_open_connection: saf_servername is 'norma.child03.eightad6.testing.com' for domain CHILD03 cm_open_connection: dcname is 'norma.child03.eightad6.testing.com' for domain CHILD03 Cache entry with key = NEG_CONN_CACHE/CHILD03,norma.child03.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain CHILD03 server norma.child03.eightad6.testing.com Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up 
norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE cm_prepare_connection: connecting to DC norma.child03.eightad6.testing.com for domain CHILD03 write_socket(16,194) write_socket(16,194) wrote 194 got smb length of 192 size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=9849 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=47744 (0xBA80) smb_vwv[12]=57398 (0xE036) smb_vwv[13]=53094 (0xCF66) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. 
[070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. COM size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=9849 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=47744 (0xBA80) smb_vwv[12]=57398 (0xE036) smb_vwv[13]=53094 (0xCF66) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. [070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM connecting to norma.child03.eightad6.testing.com from ALTAIR with kerberos principal [ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM] and realm [child03.eightad6.testing.com] winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 Doing spnego session setup (blob length=123) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=norma$@CHILD03.EIGHTAD6.TESTING.COM kerberos_kinit_password: as ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM using [MEMORY:cliconnect] as ccache and config [(null)] Doing kerberos session setup ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 26 Nov 2009 04:31:28 IST ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:cliconnect) is valid until: (Thu, 26 Nov 2009 04:31:28 IST - 1259190088) ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT Got KRB5 session key of length 16 cli_session_setup_blob: Remaining (0) sending (2550) current (2550) write_socket(16,2636) write_socket(16,2636) wrote 2636 got smb length of 197 size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9849 smb_uid=10242 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 00 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. 
.1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9849 smb_uid=10242 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 00 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. Mandatory SMB signing enabled! SMB signing enabled! cli_simple_set_signing: user_session_key [000] 8C 37 3D 59 3A FD A4 77 99 1F BE AE 91 8B 14 36 .7=Y:..w .......6 cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 06 AB C8 A6 A8 AF 97 14 ........ store_sequence_for_reply: stored seq = 1 mid = 2 get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 2A F8 E2 C4 E1 E0 F8 CE *....... 
cli_init_creds: user ALTAIR$ domain CHILD03 saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) saf_store: domain = [child03.eightad6.testing.com], server = [norma.child03.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 7F C7 48 DF 28 B3 CA E3 ..H.(... store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(16,136) write_socket(16,136) wrote 136 got smb length of 56 size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=3 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]= 511 (0x1FF) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 511 (0x1FF) smb_vwv[ 6]= 0 (0x0) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 65 81 86 6C 15 5A EA 36 e..l.Z.6 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 set_global_winbindd_state_online: online requested. set_global_winbindd_state_online: rejecting. 
set_domain_online: called for domain CHILD03 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 Destroying timed event 2ab26bad70a0 "check_domain_online_handler" set_dc_type_and_flags: setting up flags for primary domain set_dc_type_and_flags_connect: domain CHILD03 simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 41 31 EB 43 C4 43 06 E6 A1.C.C.. store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(16,104) write_socket(16,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1024 (0x400) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 mid = 4 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] C5 55 D5 F4 57 81 AE 8D .U..W... 
Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc004 auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 3919286a 0024 data : b10c 0026 data : 11d0 0028 data : 9b a8 002a data : 00 c0 4f d9 2e f5 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc004 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49156 (0xC004) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] 30 C9 96 4E 03 C8 6B 8E 0..N..k. store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 9B 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 80 15 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 7 mid = 5 simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] 3B A4 B7 5B D9 B9 9B 4F ;..[...O size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 9B 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 80 15 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 7 mid = 5 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc004 returned 68 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc004 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000709b 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. 
dssetup_DsRoleGetPrimaryDomainInformation: struct dssetup_DsRoleGetPrimaryDomainInformation in: struct dssetup_DsRoleGetPrimaryDomainInformation level : DS_ROLE_BASIC_INFORMATION (1) 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 001a 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000002 0014 context_id: 0000 0016 opnum : 0000 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc004 size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49156 (0xC004) smb_bcc=41 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 02 ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 41 47 C7 74 FB 6F F6 D4 AG.t.o.. store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(16,112) write_socket(16,112) wrote 112 got smb length of 284 size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ 
........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. [060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 63 00 15 00 00 00 00 00 00 .o.m...c ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 6E .n.g...c .o.m...n [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 54 F0 BB E5 08 8E 2A C5 T.....*. size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. 
[060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 63 00 15 00 00 00 00 00 00 .o.m...c ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 6E .n.g...c .o.m...n [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00e4 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000cc 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 228, data_len 204, ss_len 0 rpc_api_pipe: got PDU len of 228 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc004 returned 408 bytes. 
dssetup_DsRoleGetPrimaryDomainInformation: struct dssetup_DsRoleGetPrimaryDomainInformation out: struct dssetup_DsRoleGetPrimaryDomainInformation info : * info : union dssetup_DsRoleInfo(case 1) basic: struct dssetup_DsRolePrimaryDomInfoBasic role : DS_ROLE_PRIMARY_DC (5) flags : 0x01000001 (16777217) 1: DS_ROLE_PRIMARY_DS_RUNNING 0: DS_ROLE_PRIMARY_DS_MIXED_MODE 0: DS_ROLE_UPGRADE_IN_PROGRESS 1: DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT domain : * domain : 'CHILD03' dns_domain : * dns_domain : 'child03.eightad6.testing.com' forest : * forest : 'eightad6.testing.com' domain_guid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 result : WERR_OK simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] D0 7E 72 29 35 8C 6E 4F .~r)5.nO store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=7 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 11 mid = 7 simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] 12 8F 6C 98 34 BD 5E 66 ..l.4.^f rpc_pipe_destructor: closed host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc004 simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] 1E 95 71 28 37 A3 26 77 ..q(7.&w store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(16,104) write_socket(16,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1280 (0x500) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) 
smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] 6D 89 A8 67 3B 6F 34 D3 m..g;o4. Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 
9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49157 (0xC005) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] 03 71 CE 1B C1 08 C4 F4 .q...... store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 9C 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 15 mid = 9 simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 85 6A 17 DE 44 D8 E0 0A .j..D... 
size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 9C 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 15 mid = 9 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 returned 68 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000709c 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! 
cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. init_lsa_sec_qos init_lsa_obj_attr lsa_OpenPolicy2: struct lsa_OpenPolicy2 in: struct lsa_OpenPolicy2 system_name : * system_name : '\\NORMA.CHILD03.EIGHTAD6.TESTING.COM' attr : * attr: struct lsa_ObjectAttribute len : 0x00000018 (24) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : * sec_qos: struct lsa_QosInfo len : 0x0000000c (12) impersonation_level : 0x0002 (2) context_mode : 0x01 (1) effective_only : 0x00 (0) access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0098 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000080 0014 context_id: 0000 0016 opnum : 002c rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 size=234 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 152 (0x98) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 152 (0x98) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49157 (0xC005) smb_bcc=167 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... 
[010] 00 00 03 10 00 00 00 98 00 00 00 04 00 00 00 80 ........ ........ [020] 00 00 00 00 00 2C 00 00 00 02 00 25 00 00 00 00 .....,.. ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 4E 00 4F 00 52 ...%...\ .\.N.O.R [040] 00 4D 00 41 00 2E 00 43 00 48 00 49 00 4C 00 44 .M.A...C .H.I.L.D [050] 00 30 00 33 00 2E 00 45 00 49 00 47 00 48 00 54 .0.3...E .I.G.H.T [060] 00 41 00 44 00 36 00 2E 00 54 00 45 00 53 00 54 .A.D.6.. .T.E.S.T [070] 00 49 00 4E 00 47 00 2E 00 43 00 4F 00 4D 00 00 .I.N.G.. .C.O.M.. [080] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [090] 00 00 00 00 00 00 00 04 00 02 00 0C 00 00 00 02 ........ ........ [0A0] 00 01 00 00 00 00 02 ....... simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] BA 2A 12 57 3E 45 42 3B .*.W>EB; store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(16,238) write_socket(16,238) wrote 238 got smb length of 104 size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 87 8C 5C ........ .......\ [020] 99 FA A0 09 46 94 94 E4 AE C7 FE C4 D6 00 00 00 ....F... ........ [030] 00 . get_sequence_for_reply: found seq = 17 mid = 10 simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] 38 30 74 29 AA 33 21 09 80t).3!. 
size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 87 8C 5C ........ .......\ [020] 99 FA A0 09 46 94 94 E4 AE C7 FE C4 D6 00 00 00 ....F... ........ [030] 00 . get_sequence_for_reply: found seq = 17 mid = 10 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0030 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 rpc_api_pipe: got PDU len of 48 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 returned 48 bytes. 
lsa_OpenPolicy2: struct lsa_OpenPolicy2 out: struct lsa_OpenPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 995c8c87-a0fa-4609-9494-e4aec7fec4d6 result : NT_STATUS_OK lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 in: struct lsa_QueryInfoPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 995c8c87-a0fa-4609-9494-e4aec7fec4d6 level : LSA_POLICY_INFO_DNS (12) 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 002e 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000016 0014 context_id: 0000 0016 opnum : 002e rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49157 (0xC005) smb_bcc=61 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 16 ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 87 8C 5C 99 FA ........ .....\.. [030] A0 09 46 94 94 E4 AE C7 FE C4 D6 0C 00 ..F..... ..... 
simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] 0E BF FC 0E AA 29 D6 4E .....).N store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(16,132) write_socket(16,132) wrote 132 got smb length of 312 size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 67 00 1D 00 00 00 00 00 00 .D.0.3.g ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ [0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . get_sequence_for_reply: found seq = 19 mid = 11 simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 5B C9 2B 9E 5E 43 49 A5 [.+.^CI. 
size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 67 00 1D 00 00 00 00 00 00 .D.0.3.g ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ [0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . 
get_sequence_for_reply: found seq = 19 mid = 11 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0100 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000e8 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 256, data_len 232, ss_len 0 rpc_api_pipe: got PDU len of 256 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 returned 464 bytes. lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 out: struct lsa_QueryInfoPolicy2 info : * info : * info : union lsa_PolicyInformation(case 12) dns: struct lsa_DnsDomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'CHILD03' dns_domain: struct lsa_StringLarge length : 0x0038 (56) size : 0x003a (58) string : * string : 'child03.eightad6.testing.com' dns_forest: struct lsa_StringLarge length : 0x0028 (40) size : 0x002a (42) string : * string : 'eightad6.testing.com' domain_guid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 sid : * sid : S-1-5-21-1527705246-3463401961-2594329352 result : NT_STATUS_OK set_dc_type_and_flags_connect: domain CHILD03 is in native mode. set_dc_type_and_flags_connect: domain CHILD03 is running active directory. simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 0B 88 9F 85 C7 F7 8E AD ........ 
store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=12 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 12 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] 1E 07 55 42 2F F4 C7 E6 ..UB/... rpc_pipe_destructor: closed host norma.child03.eightad6.testing.com, pipe \lsarpc, fnum 0xc005 Sending request to child pid 9850 (domain=CHILD03) Added timed event "async_request_timeout_handler": 2ab26bafadb0 timed_events_timeout: 299/999929 child daemon request 19 child_process_request: request fn LIST_TRUSTDOM [ 9849]: list trusted domains get_cache: Setting ADS methods for domain CHILD03 fetch_cache_seqnum: invalid data size key [SEQNUM/CHILD03] ads: fetch sequence_number for CHILD03 ads_cached_connection Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: domain=CHILD03 ads_connect: entering ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : NULL password : '(PASSWORD ommited)' user_name : NULL kdc_server : NULL flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x00000000 (0) 0: DS_SERVER_PDC 0: DS_SERVER_GC 0: DS_SERVER_LDAP 0: DS_SERVER_DS 0: DS_SERVER_KDC 0: DS_SERVER_TIMESERV 0: 
DS_SERVER_CLOSEST 0: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : NULL bind_path : NULL ldap_server_name : NULL server_site_name : NULL client_site_name : NULL current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000000 (0) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_find_dc: (cldap) looking for realm 'child03.eightad6.testing.com' get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning expired cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:31:20 2009 no entry for child03.eightad6.testing.com#1C found. 
resolve_ads: Attempting to resolve DCs for child03.eightad6.testing.com using DNS ads_dns_lookup_srv: 1 records returned in the answer section. ads_dns_parse_rr_srv: Parsed norma.child03.eightad6.testing.com [0, 100, 389] remove_duplicate_addrs2: looking for duplicate address/port pairs namecache_store: storing 1 address for child03.eightad6.testing.com#1c: 192.168.12.172 Adding cache entry with key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C; value = 192.168.12.172:389 and timeout = Wed Nov 25 18:42:25 2009 (660 seconds ahead) internal_resolve_name: returning 1 addresses: 192.168.12.172:389 Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. 
Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: child03.eightad6.testing.com) &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000001f9 (505) 1: NBT_SERVER_PDC 0: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 0: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 0: NBT_SERVER_FULL_SECRET_DOMAIN_6 domain_uuid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 forest : 'eightad6.testing.com' dns_domain : 'child03.eightad6.testing.com' pdc_dns_name : 'norma.child03.eightad6.testing.com' domain : 'CHILD03' pdc_name : 'NORMA' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVIOD_NT4EMUL 0: 
NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) sitename_store: realm = [CHILD03], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) sitename_store: realm = [child03.eightad6.testing.com], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) Successfully contacted LDAP server 192.168.12.172 ads_connect: leaving with: Success ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : 'CHILD03.EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : 'ALTAIR$' kdc_server : '192.168.12.172' flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x000001f9 (505) 1: DS_SERVER_PDC 0: DS_SERVER_GC 1: DS_SERVER_LDAP 1: DS_SERVER_DS 1: DS_SERVER_KDC 1: DS_SERVER_TIMESERV 1: DS_SERVER_CLOSEST 1: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : 'CHILD03.EIGHTAD6.TESTING.COM' bind_path : 'dc=CHILD03,dc=EIGHTAD6,dc=TESTING,dc=COM' ldap_server_name : 'norma.child03.eightad6.testing.com' server_site_name : 'Default-First-Site-Name' client_site_name : 'Default-First-Site-Name' current_time : (time_t)0 schema_path : 
NULL config_path : NULL ads: struct ldap ld : NULL ss : 192.168.12.172 last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000185 (389) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_closest_dc: NBT_SERVER_CLOSEST flag set create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.CHILD03, realm = child03.eightad6.testing.com, domain = CHILD03 Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. 
Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename (null)) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. 
Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 get_kdc_ip_string: Returning kdc = 192.168.12.172 create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.CHILD03 with realm CHILD03.EIGHTAD6.TESTING.COM KDC list = kdc = 192.168.12.172 ads_dc_name: using server='NORMA.CHILD03.EIGHTAD6.TESTING.COM' IP=192.168.12.172 ads_connect: entering ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : 'CHILD03.EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : NULL kdc_server : NULL flags : 0x00000000 (0) 0: ADS_AUTH_DISABLE_KERBEROS 0: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : 
(time_t)0 tgs_expire : (time_t)0 renewable : Sat 31 Jan 1970 05:30:00 AM IST IST ads: struct config flags : 0x00000000 (0) 0: DS_SERVER_PDC 0: DS_SERVER_GC 0: DS_SERVER_LDAP 0: DS_SERVER_DS 0: DS_SERVER_KDC 0: DS_SERVER_TIMESERV 0: DS_SERVER_CLOSEST 0: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : NULL bind_path : NULL ldap_server_name : NULL server_site_name : NULL client_site_name : NULL current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000000 (0) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads_find_dc: (ldap) looking for realm 'child03.eightad6.testing.com' Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: domain=CHILD03 ads_connect: entering ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : NULL password : '(PASSWORD ommited)' user_name : NULL kdc_server : NULL flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : 
(time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x00000000 (0) 0: DS_SERVER_PDC 0: DS_SERVER_GC 0: DS_SERVER_LDAP 0: DS_SERVER_DS 0: DS_SERVER_KDC 0: DS_SERVER_TIMESERV 0: DS_SERVER_CLOSEST 0: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : NULL bind_path : NULL ldap_server_name : NULL server_site_name : NULL client_site_name : NULL current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000000 (0) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_find_dc: (cldap) looking for realm 'child03.eightad6.testing.com' get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning 
valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: child03.eightad6.testing.com) &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000001f9 (505) 1: NBT_SERVER_PDC 0: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 0: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: 
NBT_SERVER_SELECT_SECRET_DOMAIN_6 0: NBT_SERVER_FULL_SECRET_DOMAIN_6 domain_uuid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 forest : 'eightad6.testing.com' dns_domain : 'child03.eightad6.testing.com' pdc_dns_name : 'norma.child03.eightad6.testing.com' domain : 'CHILD03' pdc_name : 'NORMA' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVIOD_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) sitename_store: realm = [CHILD03], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) sitename_store: realm = [child03.eightad6.testing.com], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) Successfully contacted LDAP server 192.168.12.172 ads_connect: leaving with: Success ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : 'CHILD03.EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : 'ALTAIR$' kdc_server : '192.168.12.172' flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 
0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x000001f9 (505) 1: DS_SERVER_PDC 0: DS_SERVER_GC 1: DS_SERVER_LDAP 1: DS_SERVER_DS 1: DS_SERVER_KDC 1: DS_SERVER_TIMESERV 1: DS_SERVER_CLOSEST 1: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : 'CHILD03.EIGHTAD6.TESTING.COM' bind_path : 'dc=CHILD03,dc=EIGHTAD6,dc=TESTING,dc=COM' ldap_server_name : 'norma.child03.eightad6.testing.com' server_site_name : 'Default-First-Site-Name' client_site_name : 'Default-First-Site-Name' current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : 192.168.12.172 last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000185 (389) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_closest_dc: NBT_SERVER_CLOSEST flag set create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.CHILD03, realm = child03.eightad6.testing.com, domain = CHILD03 Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for 
"child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename (null)) Returning valid cache entry: key = 
NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 get_kdc_ip_string: Returning kdc = 192.168.12.172 create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.CHILD03 with realm CHILD03.EIGHTAD6.TESTING.COM KDC list = kdc = 192.168.12.172 ads_dc_name: using server='NORMA.CHILD03.EIGHTAD6.TESTING.COM' IP=192.168.12.172 ads_try_connect: sending CLDAP request to NORMA.CHILD03.EIGHTAD6.TESTING.COM (realm: child03.eightad6.testing.com) &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000001f9 (505) 1: NBT_SERVER_PDC 0: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: 
NBT_SERVER_WRITABLE 0: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 0: NBT_SERVER_FULL_SECRET_DOMAIN_6 domain_uuid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 forest : 'eightad6.testing.com' dns_domain : 'child03.eightad6.testing.com' pdc_dns_name : 'norma.child03.eightad6.testing.com' domain : 'CHILD03' pdc_name : 'NORMA' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVIOD_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) sitename_store: realm = [CHILD03], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) sitename_store: realm = [child03.eightad6.testing.com], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) Successfully contacted LDAP server 192.168.12.172 Opening connection to LDAP server 'norma.child03.eightad6.testing.com:389', timeout 15 seconds Connected to LDAP server 'norma.child03.eightad6.testing.com:389' Connected to LDAP server norma.child03.eightad6.testing.com ads_closest_dc: NBT_SERVER_CLOSEST flag set saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/CHILD03; value = 
norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) saf_store: domain = [child03.eightad6.testing.com], server = [norma.child03.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) time offset is 3 seconds Found SASL mechanism GSS-SPNEGO ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 ads_sasl_spnego_bind: got server principal name = norma$@CHILD03.EIGHTAD6.TESTING.COM ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit kerberos_kinit_password: as ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM using [MEMORY:winbind_ccache] as ccache and config [/var/lib/samba/smb_krb5/krb5.conf.CHILD03] ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 26 Nov 2009 04:31:28 IST ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:winbind_ccache) is valid until: (Thu, 26 Nov 2009 04:31:28 IST - 1259190088) ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT Got KRB5 session key of length 16 ads_connect: leaving with: Success ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : 'CHILD03.EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : 'ALTAIR$' kdc_server : '192.168.12.172' flags : 0x00000000 (0) 0: ADS_AUTH_DISABLE_KERBEROS 0: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: 
ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000003 (3) tgt_expire : Thu 26 Nov 2009 04:31:28 AM IST IST tgs_expire : Thu 26 Nov 2009 04:31:28 AM IST IST renewable : Sat 31 Jan 1970 05:30:00 AM IST IST ads: struct config flags : 0x000001f9 (505) 1: DS_SERVER_PDC 0: DS_SERVER_GC 1: DS_SERVER_LDAP 1: DS_SERVER_DS 1: DS_SERVER_KDC 1: DS_SERVER_TIMESERV 1: DS_SERVER_CLOSEST 1: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : 'CHILD03.EIGHTAD6.TESTING.COM' bind_path : 'dc=CHILD03,dc=EIGHTAD6,dc=TESTING,dc=COM' ldap_server_name : 'norma.child03.eightad6.testing.com' server_site_name : 'Default-First-Site-Name' client_site_name : 'Default-First-Site-Name' current_time : Wed 25 Nov 2009 06:31:28 PM IST IST schema_path : NULL config_path : NULL ads: struct ldap ld : * ss : 192.168.12.172 last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000185 (389) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : * wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Search for (objectclass=*) in <> gave 1 replies store_cache_seqnum: success [CHILD03][13991 @ 1259154085] refresh_sequence_number: CHILD03 seq number is now 13991 trusted_domains: [Cached] - doing backend query for info for domain CHILD03 ads: trusted_domains simple_packet_signature: sequence number 22 client_sign_outgoing_message: sent SMB signature of [000] 4A B0 1F B4 AC F3 17 DD J....... 
store_sequence_for_reply: stored seq = 23 mid = 13 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=13 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 23 mid = 13 simple_packet_signature: sequence number 23 client_check_incoming_message: seq 23: got good SMB signature of [000] 1F D5 59 B3 E9 0F 48 98 ..Y...H. 
Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=14 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32782 (0x800E) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 06 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 24 client_sign_outgoing_message: sent SMB signature of [000] 86 A2 39 F1 CA B4 00 92 ..9..... store_sequence_for_reply: stored seq = 25 mid = 14 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 9D 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 E4 AE 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 25 mid = 14 simple_packet_signature: sequence number 25 client_check_incoming_message: seq 25: got good SMB signature of [000] 29 59 FA BE 7F 9D C7 D7 )Y...... size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 9D 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 E4 AE 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 25 mid = 14 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e returned 68 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000709d 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com and bound anonymously. 
netr_ServerReqChallenge: struct netr_ServerReqChallenge in: struct netr_ServerReqChallenge server_name : * server_name : '\\norma.child03.eightad6.testing.com' computer_name : 'ALTAIR' credentials : * credentials: struct netr_Credential data : d2e637991b3c9a96 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0096 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000007e 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e size=232 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=15 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 150 (0x96) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 150 (0x96) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32782 (0x800E) smb_bcc=165 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 96 00 00 00 07 00 00 00 7E ........ .......~ [020] 00 00 00 00 00 04 00 00 00 02 00 25 00 00 00 00 ........ ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r [040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d [050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t [060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t [070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. [080] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 41 ........ .......A [090] 00 4C 00 54 00 41 00 49 00 52 00 00 00 D2 E6 37 .L.T.A.I .R.....7 [0A0] 99 1B 3C 9A 96 ..<.. 
simple_packet_signature: sequence number 26 client_sign_outgoing_message: sent SMB signature of [000] D6 22 37 FF A7 D9 FF 59 ."7....Y store_sequence_for_reply: stored seq = 27 mid = 15 write_socket(16,236) write_socket(16,236) wrote 236 got smb length of 92 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 96 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 3F A9 C6 7A 9D D4 75 ........ .?..z..u [020] 48 00 00 00 00 H.... get_sequence_for_reply: found seq = 27 mid = 15 simple_packet_signature: sequence number 27 client_check_incoming_message: seq 27: got good SMB signature of [000] 2E 94 EC 5B 84 D7 86 48 ...[...H size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 96 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 3F A9 C6 7A 9D D4 75 ........ .?..z..u [020] 48 00 00 00 00 H.... 
get_sequence_for_reply: found seq = 27 mid = 15 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0024 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 36, data_len 12, ss_len 0 rpc_api_pipe: got PDU len of 36 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e returned 24 bytes. netr_ServerReqChallenge: struct netr_ServerReqChallenge out: struct netr_ServerReqChallenge return_credentials : * return_credentials: struct netr_Credential data : 3fa9c67a9dd47548 result : NT_STATUS_OK creds_client_init: neg_flags : 600fffff creds_client_init: client chal : D2E637991B3C9A96 creds_client_init: server chal : 3FA9C67A9DD47548 creds_init_128 clnt_chal_in: D2E637991B3C9A96 srv_chal_in : 3FA9C67A9DD47548 creds_client_init: clnt : 2329182CB1D52A61 creds_client_init: server : 0DFDEB3B3DA90ADF creds_client_init: seed : 2329182CB1D52A61 netr_ServerAuthenticate2: struct netr_ServerAuthenticate2 in: struct netr_ServerAuthenticate2 server_name : * server_name : '\\norma.child03.eightad6.testing.com' account_name : 'ALTAIR$' secure_channel_type : SEC_CHAN_WKSTA (2) computer_name : 'ALTAIR' credentials : * credentials: struct netr_Credential data : 2329182cb1d52a61 negotiate_flags : * negotiate_flags : 0x600fffff (1611661311) 1: NETLOGON_NEG_ACCOUNT_LOCKOUT 1: NETLOGON_NEG_PERSISTENT_SAMREPL 1: NETLOGON_NEG_ARCFOUR 1: NETLOGON_NEG_PROMOTION_COUNT 1: NETLOGON_NEG_CHANGELOG_BDC 1: NETLOGON_NEG_FULL_SYNC_REPL 1: NETLOGON_NEG_MULTIPLE_SIDS 1: NETLOGON_NEG_REDO 1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL 1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC 1: NETLOGON_NEG_GENERIC_PASSTHROUGH 1: NETLOGON_NEG_CONCURRENT_RPC 1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL 1: 
NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL 1: NETLOGON_NEG_128BIT 1: NETLOGON_NEG_TRANSITIVE_TRUSTS 1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS 1: NETLOGON_NEG_PASSWORD_SET2 1: NETLOGON_NEG_GETDOMAININFO 1: NETLOGON_NEG_CROSS_FOREST_TRUSTS 0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION 0: NETLOGON_NEG_RODC_PASSTHROUGH 1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS 1: NETLOGON_NEG_SCHANNEL 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00bc 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 000000a4 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e size=270 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=16 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 188 (0xBC) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 188 (0xBC) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32782 (0x800E) smb_bcc=203 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 BC 00 00 00 08 00 00 00 A4 ........ ........ [020] 00 00 00 00 00 0F 00 00 00 02 00 25 00 00 00 00 ........ ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r [040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d [050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t [060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t [070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. [080] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 41 ........ 
.......A [090] 00 4C 00 54 00 41 00 49 00 52 00 24 00 00 00 02 .L.T.A.I .R.$.... [0A0] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 41 ........ .......A [0B0] 00 4C 00 54 00 41 00 49 00 52 00 00 00 23 29 18 .L.T.A.I .R...#). [0C0] 2C B1 D5 2A 61 00 00 FF FF 0F 60 ,..*a... ..` simple_packet_signature: sequence number 28 client_sign_outgoing_message: sent SMB signature of [000] AC 7F CC 4B 9A 0F 7C 1B ...K..|. store_sequence_for_reply: stored seq = 29 mid = 16 write_socket(16,274) write_socket(16,274) wrote 274 got smb length of 96 size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] BC 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 0D FD EB 3B 3D A9 0A ........ ....;=.. [020] DF FF FF 0F 60 00 00 00 00 ....`... . get_sequence_for_reply: found seq = 29 mid = 16 simple_packet_signature: sequence number 29 client_check_incoming_message: seq 29: got good SMB signature of [000] 4C 3B F7 20 46 BB F2 BA L;. F... size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] BC 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 0D FD EB 3B 3D A9 0A ........ ....;=.. [020] DF FF FF 0F 60 00 00 00 00 ....`... . 
get_sequence_for_reply: found seq = 29 mid = 16 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0028 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 40, data_len 16, ss_len 0 rpc_api_pipe: got PDU len of 40 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e returned 32 bytes. netr_ServerAuthenticate2: struct netr_ServerAuthenticate2 out: struct netr_ServerAuthenticate2 return_credentials : * return_credentials: struct netr_Credential data : 0dfdeb3b3da90adf negotiate_flags : * negotiate_flags : 0x600fffff (1611661311) 1: NETLOGON_NEG_ACCOUNT_LOCKOUT 1: NETLOGON_NEG_PERSISTENT_SAMREPL 1: NETLOGON_NEG_ARCFOUR 1: NETLOGON_NEG_PROMOTION_COUNT 1: NETLOGON_NEG_CHANGELOG_BDC 1: NETLOGON_NEG_FULL_SYNC_REPL 1: NETLOGON_NEG_MULTIPLE_SIDS 1: NETLOGON_NEG_REDO 1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL 1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC 1: NETLOGON_NEG_GENERIC_PASSTHROUGH 1: NETLOGON_NEG_CONCURRENT_RPC 1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL 1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL 1: NETLOGON_NEG_128BIT 1: NETLOGON_NEG_TRANSITIVE_TRUSTS 1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS 1: NETLOGON_NEG_PASSWORD_SET2 1: NETLOGON_NEG_GETDOMAININFO 1: NETLOGON_NEG_CROSS_FOREST_TRUSTS 0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION 0: NETLOGON_NEG_RODC_PASSTHROUGH 1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS 1: NETLOGON_NEG_SCHANNEL result : NT_STATUS_OK netlogon_creds_client_check: credentials check OK. rpccli_netlogon_setup_creds: server norma.child03.eightad6.testing.com credential chain established. simple_packet_signature: sequence number 30 client_sign_outgoing_message: sent SMB signature of [000] E7 9E A7 97 BC 42 29 FA .....B). 
store_sequence_for_reply: stored seq = 31 mid = 17 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=17 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3840 (0xF00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 31 mid = 17 simple_packet_signature: sequence number 31 client_check_incoming_message: seq 31: got good SMB signature of [000] 2A D0 22 1A BF 26 90 F7 *."..&.. 
Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f auth_type 2, auth_level 6 000000 smb_io_rpc_auth_schannel_neg schannel_neg 0000 type1: 00000000 0004 type2: 00000003 [000] 43 48 49 4C 44 30 33 CHILD03 [000] 41 4C 54 41 49 52 ALTAIR 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0067 000a auth_len : 0017 000c call_id : 00000009 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 000048 smb_io_rpc_hdr_auth hdr_auth 0048 auth_type : 44 0049 auth_level : 06 004a auth_pad_len : 00 004b auth_reserved: 00 004c auth_context_id: 00000001 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f size=185 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=18 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 103 (0x67) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32783 (0x800F) smb_bcc=118 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 67 00 17 00 09 00 00 00 B8 .......g ........ 
[020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 44 06 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 43 48 49 4C 44 30 33 00 41 .......C HILD03.A [070] 4C 54 41 49 52 00 LTAIR. simple_packet_signature: sequence number 32 client_sign_outgoing_message: sent SMB signature of [000] C7 1E 13 C7 37 78 99 E9 ....7x.. store_sequence_for_reply: stored seq = 33 mid = 18 write_socket(16,189) write_socket(16,189) wrote 189 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 67 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 g....... .X...... [010] 00 B8 10 B8 10 9E 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 E4 AE 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 36 00 .......6 . get_sequence_for_reply: found seq = 33 mid = 18 simple_packet_signature: sequence number 33 client_check_incoming_message: seq 33: got good SMB signature of [000] 51 71 7B D3 2F 0C 2D 80 Qq{./.-. 
size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 67 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 g....... .X...... [010] 00 B8 10 B8 10 9E 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 E4 AE 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 36 00 .......6 . get_sequence_for_reply: found seq = 33 mid = 18 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000009 rpc_api_pipe: got PDU len of 88 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f returned 88 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000009 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000709e 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 
000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com for domain CHILD03 and bound using schannel. simple_packet_signature: sequence number 34 client_sign_outgoing_message: sent SMB signature of [000] 42 0F C2 9D B0 5A 44 A9 B....ZD. store_sequence_for_reply: stored seq = 35 mid = 19 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=19 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 35 mid = 19 simple_packet_signature: sequence number 35 client_check_incoming_message: seq 35: got good SMB signature of [000] 14 39 93 48 1C FF 4C 80 .9.H..L. 
rpc_pipe_destructor: closed host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800e netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts in: struct netr_DsrEnumerateDomainTrusts server_name : * server_name : 'norma.child03.eightad6.testing.com' trust_flags : 0x00000023 (35) 1: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00a0 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000005c 0014 context_id: 0000 0016 opnum : 0028 000078 smb_io_rpc_hdr_auth hdr_auth 0078 auth_type : 44 0079 auth_level : 06 007a auth_pad_len : 04 007b auth_reserved: 00 007c auth_context_id: 00000001 add_schannel_auth_footer: SCHANNEL seq_num=0 SCHANNEL: schannel_encode seq_num=0 data_len=96 000080 smb_io_rpc_auth_schannel_chk 0080 sig : 77 00 7a 00 ff ff 00 00 0088 seq_num: e8 0a a0 5c b2 9b 73 ed 0090 packet_digest: 9b 75 44 df 19 2b b7 a4 0098 confounder: a1 ea 1d ae ff 31 9e a5 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f size=242 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=20 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 160 (0xA0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 160 (0xA0) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32783 (0x800F) smb_bcc=175 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 A0 00 20 00 0A 00 00 00 5C ........ . 
.....\ [020] 00 00 00 00 00 28 00 8F A0 48 1C 6F FE F5 6E B9 .....(.. .H.o..n. [030] B8 DC A4 DD DF 96 D8 1A 58 8B 59 6A F7 C1 60 FB ........ X.Yj..`. [040] 68 3A 23 F3 96 43 F1 A3 AF E8 D3 92 1C AC 88 B1 h:#..C.. ........ [050] 7D 3E 08 62 9C E3 EA 14 F1 94 64 D8 2E 12 E5 0D }>.b.... ..d..... [060] 89 82 71 36 C4 DE 3F B9 72 B9 41 88 5C A0 A3 ED ..q6..?. r.A.\... [070] 2E 4A 26 95 A9 25 82 24 7A DF F9 E6 3A 15 00 55 .J&..%.$ z...:..U [080] 30 19 E4 84 AC C6 5A 44 06 04 00 01 00 00 00 77 0.....ZD .......w [090] 00 7A 00 FF FF 00 00 E8 0A A0 5C B2 9B 73 ED 9B .z...... ..\..s.. [0A0] 75 44 DF 19 2B B7 A4 A1 EA 1D AE FF 31 9E A5 uD..+... ....1.. simple_packet_signature: sequence number 36 client_sign_outgoing_message: sent SMB signature of [000] F9 BE 26 0B 35 77 2D 9F ..&.5w-. store_sequence_for_reply: stored seq = 37 mid = 20 write_socket(16,246) write_socket(16,246) wrote 246 got smb length of 472 size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417 [000] A0 05 00 02 03 10 00 00 00 A0 01 20 00 0A 00 00 ........ ... .... [010] 00 5C 01 00 00 00 00 00 00 D0 75 C7 84 52 9A E2 .\...... ..u..R.. [020] 94 D0 4C 8A 5F F9 04 D6 26 44 A3 21 E3 2C AD 29 ..L._... &D.!.,.) [030] BD F9 39 7C 67 20 03 C2 C5 5B B0 7C 66 1A DD 36 ..9|g .. .[.|f..6 [040] C7 1F 8A B3 75 EE EB 47 BD 9E 89 DB 15 1C 18 E2 ....u..G ........ [050] 08 B5 0B 94 DB 8B E6 74 CD 8A 36 FA 12 B1 50 A2 .......t ..6...P. [060] 31 4E CF E0 E6 23 0A 6B C7 0E 5E 94 18 69 C0 12 1N...#.k ..^..i.. [070] 0C D0 3A 3D 85 DA AE 03 64 DB 50 48 8E 27 5C 1E ..:=.... d.PH.'\. [080] 67 1F 7C DC 7D 44 20 9C 8D 1A 9E 35 D1 54 C5 22 g.|.}D . ...5.T." 
[090] E5 57 65 EE F6 FD 40 26 86 C6 40 9E B3 69 81 EA .We...@& ..@..i.. [0A0] 8C B8 5D 6D 49 4A 4C A8 D7 F9 F1 13 66 76 4F 73 ..]mIJL. ....fvOs [0B0] 09 34 98 C1 16 84 B9 60 62 14 61 39 C6 1F 59 D4 .4.....` b.a9..Y. [0C0] 88 E6 34 02 5D AD 12 45 1E 12 D0 A0 02 61 9F 42 ..4.]..E .....a.B [0D0] DA 44 38 EB 4B 6B D4 BD FF 20 88 26 FD 1E 75 16 .D8.Kk.. . .&..u. [0E0] 8B D1 19 1B 71 DB 27 D5 C0 EE 61 A4 7F 32 43 1C ....q.'. ..a..2C. [0F0] 3E 73 ED A0 74 73 01 D0 6B E6 E9 CE 2C F0 B7 09 >s..ts.. k...,... [100] 98 42 ED 2F 89 D2 56 3C 2A CC EC 08 81 A8 03 E5 .B./..V< *....... [110] DD 19 23 4F D8 5B 4F 53 55 BF 9B 71 12 02 09 34 ..#O.[OS U..q...4 [120] 72 24 47 10 3A B8 43 A9 F2 BA 32 E7 3B 0A EE 0D r$G.:.C. ..2.;... [130] BA 46 90 DF 45 E9 3E BB 0A 0C C1 67 1B 8B C5 68 .F..E.>. ...g...h [140] 26 B4 74 D7 D0 03 27 A4 8A 73 B9 D2 ED 6B BB E4 &.t...'. .s...k.. [150] 08 35 BF 19 AD 3F F5 8F 5D 51 92 C3 33 05 5D 04 .5...?.. ]Q..3.]. [160] F5 6F F9 44 5A BB 38 99 AF 85 3F 3C 3B FC EF DB .o.DZ.8. ..?<;... [170] 38 BA BA EA 22 46 43 BD 13 44 06 04 00 01 00 00 8..."FC. .D...... [180] 00 77 00 7A 00 FF FF 00 00 A8 55 DD 69 8F 22 74 .w.z.... ..U.i."t [190] B6 FC 38 A9 17 26 95 BB 73 CE D3 AE B2 57 52 BF ..8..&.. s....WR. [1A0] EC . get_sequence_for_reply: found seq = 37 mid = 20 simple_packet_signature: sequence number 37 client_check_incoming_message: seq 37: got good SMB signature of [000] BE 43 C4 C3 CC 7C 6A 64 .C...|jd size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417 [000] A0 05 00 02 03 10 00 00 00 A0 01 20 00 0A 00 00 ........ ... .... [010] 00 5C 01 00 00 00 00 00 00 D0 75 C7 84 52 9A E2 .\...... ..u..R.. 
get_sequence_for_reply: found seq = 37 mid = 20 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 01a0 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000015c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 000178 smb_io_rpc_hdr_auth hdr_auth 0178 auth_type : 44 0179 auth_level : 06 017a auth_pad_len : 04 017b auth_reserved: 00 017c auth_context_id: 00000001 000180 smb_io_rpc_auth_schannel_chk 0180 sig : 77 00 7a 00 ff ff 00 00 0188 seq_num: a8 55 dd 69 8f 22 74 b6 0190 packet_digest: fc 38 a9 17 26 95 bb 73 0198 confounder: ce d3 ae b2 57 52 bf ec SCHANNEL: schannel_decode seq_num=1 data_len=352 SCHANNEL: schannel_decode seq_num=1 data_len=352 cli_pipe_validate_current_pdu: got pdu len 416, data_len 348, ss_len 4 rpc_api_pipe: got PDU len of 416 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f returned 696 bytes. 
netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts out: struct netr_DsrEnumerateDomainTrusts trusts : * trusts: struct netr_DomainTrustList count : 0x00000002 (2) array : * array: ARRAY(2) array: struct netr_DomainTrust netbios_name : * netbios_name : 'EIGHTAD6' dns_name : * dns_name : 'eightad6.testing.com' trust_flags : 0x00000027 (39) 1: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 1: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND parent_index : 0x00000000 (0) trust_type : NETR_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000020 (32) 0: NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 1: NETR_TRUST_ATTRIBUTE_WITHIN_FOREST 0: NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL sid : * sid : S-1-5-21-162008750-1983285441-4146528753 guid : 3bc437b2-76c5-4ebd-b2c2-bc530ce49a8a array: struct netr_DomainTrust netbios_name : * netbios_name : 'CHILD03' dns_name : * dns_name : 'child03.eightad6.testing.com' trust_flags : 0x00000019 (25) 1: NETR_TRUST_FLAG_IN_FOREST 0: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 1: NETR_TRUST_FLAG_PRIMARY 1: NETR_TRUST_FLAG_NATIVE 0: NETR_TRUST_FLAG_INBOUND parent_index : 0x00000000 (0) trust_type : NETR_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000000 (0) 0: NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: NETR_TRUST_ATTRIBUTE_WITHIN_FOREST 0: NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL sid : * sid : S-1-5-21-1527705246-3463401961-2594329352 guid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 result : WERR_OK trusted_domains(ads): Searching trusted domain list of CHILD03 and storing trust flags for domain eightad6.testing.com wcache_tdc_add_domain: Adding domain 
EIGHTAD6 (eightad6.testing.com), SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x27, attributes = 0x20, type = 0x2 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain CHILD03 (CHILD03.EIGHTAD6.TESTING.COM) SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x0, attribs = 0x0, type = 0x0 pack_tdc_domains: Packing 4 trusted domains pack_tdc_domains: Packing domain BUILTIN () pack_tdc_domains: Packing domain ALTAIR () pack_tdc_domains: Packing domain CHILD03 (CHILD03.EIGHTAD6.TESTING.COM) pack_tdc_domains: Packing domain EIGHTAD6 (eightad6.testing.com) trusted_domains(ads): Searching trusted domain list of CHILD03 and storing trust flags for domain child03.eightad6.testing.com wcache_tdc_add_domain: Adding domain CHILD03 (child03.eightad6.testing.com), SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x19, attributes = 0x0, type = 0x2 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain CHILD03 (CHILD03.EIGHTAD6.TESTING.COM) SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain EIGHTAD6 (eightad6.testing.com) SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x27, attribs = 0x20, type = 0x2 add_wbdomain_to_tdc_array: Found existing record for CHILD03 pack_tdc_domains: Packing 4 trusted domains pack_tdc_domains: Packing domain BUILTIN () pack_tdc_domains: Packing domain ALTAIR () pack_tdc_domains: Packing domain CHILD03 (child03.eightad6.testing.com) pack_tdc_domains: Packing domain EIGHTAD6 (eightad6.testing.com) Storing response for pid 9850, len 3646 
Storing extra data: len=150 timed_events_timeout: 604693/370792 Destroying timed event 2ab26bafadb0 "async_request_timeout_handler" select will use timeout of 604693.370792 seconds Retrieving response for pid 9850 Retrieving extra data length=150 wcache_tdc_add_domain: Adding domain EIGHTAD6 (eightad6.testing.com), SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x0, attributes = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain CHILD03 (child03.eightad6.testing.com) SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x19, attribs = 0x0, type = 0x2 unpack_tdc_domains: Unpacking domain EIGHTAD6 (eightad6.testing.com) SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x27, attribs = 0x20, type = 0x2 add_wbdomain_to_tdc_array: Found existing record for EIGHTAD6 pack_tdc_domains: Packing 4 trusted domains pack_tdc_domains: Packing domain BUILTIN () pack_tdc_domains: Packing domain ALTAIR () pack_tdc_domains: Packing domain CHILD03 (child03.eightad6.testing.com) pack_tdc_domains: Packing domain EIGHTAD6 (eightad6.testing.com) idmap config EIGHTAD6 : range = 
not defined Added domain EIGHTAD6 eightad6.testing.com S-1-5-21-162008750-1983285441-4146528753 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain CHILD03 (child03.eightad6.testing.com) SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x19, attribs = 0x0, type = 0x2 unpack_tdc_domains: Unpacking domain EIGHTAD6 (eightad6.testing.com) SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x27, attribs = 0x20, type = 0x2 rescan_forest_root_trusts: Following trust path for domain tree root EIGHTAD6 (eightad6.testing.com) Sending request to child pid 9850 (domain=CHILD03) Added timed event "async_request_timeout_handler": 2ab26bafadb0 timed_events_timeout: 299/999957 child daemon request 38 child_process_request: request fn GETDCNAME [ 9849]: Get DC name for EIGHTAD6 netr_GetAnyDCName: struct netr_GetAnyDCName in: struct netr_GetAnyDCName logon_server : * logon_server : 'norma.child03.eightad6.testing.com' domainname : * domainname : 'EIGHTAD6' 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00c0 000a auth_len : 0020 000c call_id : 0000000b 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000007a 0014 context_id: 0000 0016 opnum : 000d 000098 smb_io_rpc_hdr_auth hdr_auth 0098 auth_type : 44 0099 auth_level : 06 009a auth_pad_len : 06 009b auth_reserved: 00 009c auth_context_id: 00000001 add_schannel_auth_footer: SCHANNEL seq_num=2 SCHANNEL: schannel_encode seq_num=2 data_len=128 0000a0 smb_io_rpc_auth_schannel_chk 00a0 sig : 77 00 7a 00 ff ff 00 00 00a8 seq_num: 6e a8 0e 1f 46 2a 68 b0 00b0 packet_digest: 64 81 62 8a 9a d6 5f cd 00b8 confounder: bd 86 51 3e 30 e2 dc 4b rpc_api_pipe: host 
norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f size=274 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=21 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 192 (0xC0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 192 (0xC0) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32783 (0x800F) smb_bcc=207 
simple_packet_signature: sequence number 38 client_sign_outgoing_message: sent SMB signature of [000] BA 26 2A 57 D1 E6 8C 58 .&*W...X store_sequence_for_reply: stored seq = 39 mid = 21 write_socket(16,278) write_socket(16,278) wrote 278 got smb length of 168 size=168 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=21 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 112 (0x70) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 112 (0x70) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=113 get_sequence_for_reply: found seq = 39 mid = 21 simple_packet_signature: sequence number 39 client_check_incoming_message: seq 39: got good SMB signature of [000] 2F EA DA C7 25 6C 18 8C /...%l.. 
get_sequence_for_reply: found seq = 39 mid = 21 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0070 000a auth_len : 0020 000c call_id : 0000000b 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000030 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 000048 smb_io_rpc_hdr_auth hdr_auth 0048 auth_type : 44 0049 auth_level : 06 004a auth_pad_len : 00 004b auth_reserved: 00 004c auth_context_id: 00000001 000050 smb_io_rpc_auth_schannel_chk 0050 sig : 77 00 7a 00 ff ff 00 00 0058 seq_num: 5a 9c 49 b5 04 68 03 c0 0060 packet_digest: d8 7b 2c e2 44 00 f9 7e 0068 confounder: b7 10 28 22 f7 20 22 6f SCHANNEL: schannel_decode seq_num=3 data_len=48 SCHANNEL: schannel_decode seq_num=3 data_len=48 cli_pipe_validate_current_pdu: got pdu len 112, data_len 48, ss_len 0 rpc_api_pipe: got PDU len of 112 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f returned 96 bytes. 
netr_GetAnyDCName: struct netr_GetAnyDCName out: struct netr_GetAnyDCName dcname : * dcname : * dcname : '\\EIGHTAD-DC' result : WERR_OK Storing response for pid 9850, len 3496 timed_events_timeout: 604693/265281 Destroying timed event 2ab26bafadb0 "async_request_timeout_handler" Retrieving response for pid 9850 Received getdcname response Sending request to child pid 0 (domain=EIGHTAD6) fork_domain_child called for domain 'EIGHTAD6' select will use timeout of 604693.265281 seconds Child process 9865 Deregistering messaging pointer for type 769 - private_data=(nil) Deregistering messaging pointer for type 13 - private_data=(nil) Deregistering messaging pointer for type 1028 - private_data=(nil) Deregistering messaging pointer for type 1027 - private_data=(nil) Deregistering messaging pointer for type 1029 - private_data=(nil) Deregistering messaging pointer for type 1280 - private_data=(nil) Deregistering messaging pointer for type 1033 - private_data=(nil) Deregistering messaging pointer for type 1 - private_data=(nil) set_domain_online_request: called for domain EIGHTAD6 set_domain_online_request: domain EIGHTAD6 was globally offline. Added timed event "check_domain_online_handler": 2ab26bafab60 set_domain_online_request: called for domain CHILD03 set_domain_online_request: domain CHILD03 was globally offline. Added timed event "check_domain_online_handler": 2ab26bad5650 timed_events_timeout: 4/999911 select will use timeout of 4.999911 seconds Added timed event "async_request_timeout_handler": 2ab26bafadb0 timed_events_timeout: 299/999963 child daemon request 48 child_process_request: request fn INIT_CONNECTION connection_ok: Connection to EIGHTAD-DC for domain EIGHTAD6 has NULL cli! 
Cache entry with key = SAFJOIN/DOMAIN/EIGHTAD6 couldn't be found Returning valid cache entry: key = SAF/DOMAIN/EIGHTAD6, value = eightad-dc.eightad6.testing.com, timeout = Wed Nov 25 18:45:20 2009 saf_fetch: Returning "eightad-dc.eightad6.testing.com" for "EIGHTAD6" domain Cache entry with key = NEG_CONN_CACHE/EIGHTAD6,eightad-dc.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain EIGHTAD6 server eightad-dc.eightad6.testing.com cm_open_connection: saf_servername is 'eightad-dc.eightad6.testing.com' for domain EIGHTAD6 cm_open_connection: dcname is 'eightad-dc.eightad6.testing.com' for domain EIGHTAD6 Cache entry with key = NEG_CONN_CACHE/EIGHTAD6,eightad-dc.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain EIGHTAD6 server eightad-dc.eightad6.testing.com Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up eightad-dc.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning expired cache entry: key = NBT/EIGHTAD-DC.EIGHTAD6.TESTING.COM#20, value = 192.168.12.179:0, timeout = Wed Nov 25 18:31:21 2009 no entry for eightad-dc.eightad6.testing.com#20 found. resolve_lmhosts: Attempting lmhosts lookup for name eightad-dc.eightad6.testing.com<0x20> getlmhostsent: lmhost entry: 127.0.0.1 localhost resolve_wins: Attempting wins lookup for name eightad-dc.eightad6.testing.com<0x20> resolve_wins: WINS server resolution selected and no WINS servers listed. 
resolve_hosts: Attempting host lookup for name eightad-dc.eightad6.testing.com<0x20> remove_duplicate_addrs2: looking for duplicate address/port pairs namecache_store: storing 1 address for eightad-dc.eightad6.testing.com#20: 192.168.12.179 Adding cache entry with key = NBT/EIGHTAD-DC.EIGHTAD6.TESTING.COM#20; value = 192.168.12.179:0 and timeout = Wed Nov 25 18:42:25 2009 (660 seconds ahead) internal_resolve_name: returning 1 addresses: 192.168.12.179:0 cm_prepare_connection: connecting to DC eightad-dc.eightad6.testing.com for domain EIGHTAD6 write_socket(19,194) write_socket(19,194) wrote 194 got smb length of 193 size=193 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=9865 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=29312 (0x7280) smb_vwv[12]=23307 (0x5B0B) smb_vwv[13]=53094 (0xCF66) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=124 
connecting to eightad-dc.eightad6.testing.com from ALTAIR with kerberos principal [ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM] and realm [eightad6.testing.com] winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 Doing spnego session setup (blob length=124) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=not_defined_in_RFC4178@please_ignore kerberos_kinit_password: as ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM using [MEMORY:cliconnect] as ccache and config [(null)] cli_session_setup_spnego: got a bad server principal, trying to guess ... cli_session_setup_spnego: guessed server principal=eightad-dc$@EIGHTAD6 Doing kerberos session setup ads_krb5_mk_req: krb5_get_credentials failed for eightad-dc$@EIGHTAD6 (Cannot find KDC for requested realm) cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm failed kerberos session setup with Cannot find KDC for requested realm connecting to eightad-dc.eightad6.testing.com from ALTAIR with username [CHILD03]\[ALTAIR$] Doing spnego session setup (blob length=124) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=not_defined_in_RFC4178@please_ignore write_socket(19,164) write_socket(19,164) wrote 164 got smb length of 552 size=552 smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9865 smb_uid=4097 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 552 (0x228) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 321 (0x141) 
smb_bcc=509 
Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_CHAL_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x60088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x60088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH write_socket(19,504) write_socket(19,504) wrote 504 got smb length of 240 size=240 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9865 smb_uid=4097 smb_mid=3 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 240 (0xF0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 9 (0x9) smb_bcc=197 
Mandatory SMB signing enabled! SMB signing enabled! cli_simple_set_signing: user_session_key [000] 12 69 73 50 7E 33 0D 06 EE 4A 87 F2 D9 AA D4 60 .isP~3.. .J.....` cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 8F 64 07 A6 84 EC B9 93 .d...... store_sequence_for_reply: stored seq = 1 mid = 3 get_sequence_for_reply: found seq = 1 mid = 3 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 90 F2 C9 8C 87 63 D7 F7 .....c.. 
cli_init_creds: user ALTAIR$ domain CHILD03 saf_store: domain = [EIGHTAD6], server = [eightad-dc.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/EIGHTAD6; value = eightad-dc.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] A4 32 8A B2 D1 C9 D6 B6 .2...... store_sequence_for_reply: stored seq = 3 mid = 4 write_socket(19,130) write_socket(19,130) wrote 130 got smb length of 56 size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=4 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]=65535 (0xFFFF) smb_vwv[ 4]= 31 (0x1F) smb_vwv[ 5]=65535 (0xFFFF) smb_vwv[ 6]= 31 (0x1F) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 4 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 6B AF 50 39 BF E8 F7 4A k.P9...J winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 set_global_winbindd_state_online: online requested. set_global_winbindd_state_online: rejecting. 
set_domain_online: called for domain EIGHTAD6 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 Destroying timed event 2ab26bafab60 "check_domain_online_handler" set_dc_type_and_flags_trustinfo: domain EIGHTAD6 connection_ok: Connection to norma.child03.eightad6.testing.com for domain CHILD03 has died or was never started (fd == -1) set_dc_type_and_flags_trustinfo: No connection to our domain! set_dc_type_and_flags_connect: domain EIGHTAD6 simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 91 1D B9 8A 42 FB 1C 5F ....B.._ store_sequence_for_reply: stored seq = 5 mid = 5 write_socket(19,104) write_socket(19,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=5 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1024 (0x400) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 mid = 5 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] 9C 6F 02 D3 6F 51 7E C0 .o..oQ~. 
Bind RPC Pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4004 auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 3919286a 0024 data : b10c 0026 data : 11d0 0028 data : 9b a8 002a data : 00 c0 4f d9 2e f5 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4004 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16388 (0x4004) smb_bcc=87 simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] ED 84 60 96 C8 5E A2 0A ..`..^.. 
store_sequence_for_reply: stored seq = 7 mid = 6 write_socket(19,158) write_socket(19,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 get_sequence_for_reply: found seq = 7 mid = 6 simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] F0 74 D4 20 C9 7A 99 74 .t. .z.t 
get_sequence_for_reply: found seq = 7 mid = 6 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4004 returned 68 bytes. rpc_pipe_bind: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4004 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00004a9c 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \pipe\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine eightad-dc.eightad6.testing.com and bound anonymously. 
dssetup_DsRoleGetPrimaryDomainInformation: struct dssetup_DsRoleGetPrimaryDomainInformation in: struct dssetup_DsRoleGetPrimaryDomainInformation level : DS_ROLE_BASIC_INFORMATION (1) 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 001a 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000002 0014 context_id: 0000 0016 opnum : 0000 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4004 size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=7 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16388 (0x4004) smb_bcc=41 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 07 00 00 00 02 ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 64 E8 BB 34 99 88 41 F3 d..4..A. store_sequence_for_reply: stored seq = 9 mid = 7 write_socket(19,112) write_socket(19,112) wrote 112 got smb length of 272 size=272 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 216 (0xD8) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 216 (0xD8) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=217 [000] 00 05 00 02 03 10 00 00 00 D8 00 00 00 07 00 00 ........ ........ 
[010] 00 C0 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 B2 37 C4 3B C5 76 BD 4E B2 C2 BC ......7. ;.v.N... [040] 53 0C E4 9A 8A 09 00 00 00 00 00 00 00 09 00 00 S....... ........ [050] 00 45 00 49 00 47 00 48 00 54 00 41 00 44 00 36 .E.I.G.H .T.A.D.6 [060] 00 00 00 00 00 15 00 00 00 00 00 00 00 15 00 00 ........ ........ [070] 00 65 00 69 00 67 00 68 00 74 00 61 00 64 00 36 .e.i.g.h .t.a.d.6 [080] 00 2E 00 74 00 65 00 73 00 74 00 69 00 6E 00 67 ...t.e.s .t.i.n.g [090] 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 15 00 00 ...c.o.m ........ [0A0] 00 00 00 00 00 15 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0B0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0C0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0D0] 00 00 00 00 00 00 00 00 00 ........ . get_sequence_for_reply: found seq = 9 mid = 7 simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 49 D2 22 6B F3 F3 BE D2 I."k.... size=272 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 216 (0xD8) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 216 (0xD8) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=217 [000] 00 05 00 02 03 10 00 00 00 D8 00 00 00 07 00 00 ........ ........ [010] 00 C0 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 B2 37 C4 3B C5 76 BD 4E B2 C2 BC ......7. ;.v.N... [040] 53 0C E4 9A 8A 09 00 00 00 00 00 00 00 09 00 00 S....... ........ [050] 00 45 00 49 00 47 00 48 00 54 00 41 00 44 00 36 .E.I.G.H .T.A.D.6 [060] 00 00 00 00 00 15 00 00 00 00 00 00 00 15 00 00 ........ ........ 
[070] 00 65 00 69 00 67 00 68 00 74 00 61 00 64 00 36 .e.i.g.h .t.a.d.6 [080] 00 2E 00 74 00 65 00 73 00 74 00 69 00 6E 00 67 ...t.e.s .t.i.n.g [090] 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 15 00 00 ...c.o.m ........ [0A0] 00 00 00 00 00 15 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0B0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0C0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0D0] 00 00 00 00 00 00 00 00 00 ........ . get_sequence_for_reply: found seq = 9 mid = 7 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00d8 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000c0 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 216, data_len 192, ss_len 0 rpc_api_pipe: got PDU len of 216 at offset 0 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4004 returned 384 bytes. 
dssetup_DsRoleGetPrimaryDomainInformation: struct dssetup_DsRoleGetPrimaryDomainInformation out: struct dssetup_DsRoleGetPrimaryDomainInformation info : * info : union dssetup_DsRoleInfo(case 1) basic: struct dssetup_DsRolePrimaryDomInfoBasic role : DS_ROLE_PRIMARY_DC (5) flags : 0x01000001 (16777217) 1: DS_ROLE_PRIMARY_DS_RUNNING 0: DS_ROLE_PRIMARY_DS_MIXED_MODE 0: DS_ROLE_UPGRADE_IN_PROGRESS 1: DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT domain : * domain : 'EIGHTAD6' dns_domain : * dns_domain : 'eightad6.testing.com' forest : * forest : 'eightad6.testing.com' domain_guid : 3bc437b2-76c5-4ebd-b2c2-bc530ce49a8a result : WERR_OK simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] 9A 4D 43 E8 B1 73 61 31 .MC..sa1 store_sequence_for_reply: stored seq = 11 mid = 8 write_socket(19,45) write_socket(19,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=8 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 11 mid = 8 simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] E4 6E 31 3C 85 C0 28 1E .n1<..(. rpc_pipe_destructor: closed host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4004 simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] 5D 55 09 C1 D2 13 83 DA ]U...... 
store_sequence_for_reply: stored seq = 13 mid = 9 write_socket(19,104) write_socket(19,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=9 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1280 (0x500) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 9 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] B6 03 68 45 33 84 74 74 ..hE3.tt Bind RPC Pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 
0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16389 (0x4005) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 08 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] BE CF C5 58 72 AA 53 E6 ...Xr.S. store_sequence_for_reply: stored seq = 15 mid = 10 write_socket(19,158) write_socket(19,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 08 00 00 ........ .D...... [010] 00 B8 10 B8 10 9D 4A 00 00 0C 00 5C 70 69 70 65 ......J. ...\pipe [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... 
.....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 15 mid = 10 simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 7E 77 6D D3 D0 35 C1 7E ~wm..5.~ size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 08 00 00 ........ .D...... [010] 00 B8 10 B8 10 9D 4A 00 00 0C 00 5C 70 69 70 65 ......J. ...\pipe [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 15 mid = 10 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000008 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 returned 68 bytes. rpc_pipe_bind: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00004a9d 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \pipe\lsass. 
000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine eightad-dc.eightad6.testing.com and bound anonymously. init_lsa_sec_qos init_lsa_obj_attr lsa_OpenPolicy2: struct lsa_OpenPolicy2 in: struct lsa_OpenPolicy2 system_name : * system_name : '\\EIGHTAD-DC.EIGHTAD6.TESTING.COM' attr : * attr: struct lsa_ObjectAttribute len : 0x00000018 (24) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : * sec_qos: struct lsa_QosInfo len : 0x0000000c (12) impersonation_level : 0x0002 (2) context_mode : 0x01 (1) effective_only : 0x00 (0) access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0090 000a auth_len : 0000 000c call_id : 00000009 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000078 0014 context_id: 0000 0016 opnum : 002c rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 size=226 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 144 (0x90) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) 
smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 144 (0x90) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16389 (0x4005) smb_bcc=159 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 90 00 00 00 09 00 00 00 78 ........ .......x [020] 00 00 00 00 00 2C 00 00 00 02 00 22 00 00 00 00 .....,.. ...".... [030] 00 00 00 22 00 00 00 5C 00 5C 00 45 00 49 00 47 ..."...\ .\.E.I.G [040] 00 48 00 54 00 41 00 44 00 2D 00 44 00 43 00 2E .H.T.A.D .-.D.C.. [050] 00 45 00 49 00 47 00 48 00 54 00 41 00 44 00 36 .E.I.G.H .T.A.D.6 [060] 00 2E 00 54 00 45 00 53 00 54 00 49 00 4E 00 47 ...T.E.S .T.I.N.G [070] 00 2E 00 43 00 4F 00 4D 00 00 00 18 00 00 00 00 ...C.O.M ........ [080] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ........ ........ [090] 00 02 00 0C 00 00 00 02 00 01 00 00 00 00 02 ........ ....... simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] 7C F6 C9 6F D2 EC 0D 86 |..o.... store_sequence_for_reply: stored seq = 17 mid = 11 write_socket(19,230) write_socket(19,230) wrote 230 got smb length of 104 size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 09 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 CB BD D0 ........ ........ [020] A4 D4 0F E1 4A AA B5 87 40 48 A7 F7 FA 00 00 00 ....J... @H...... [030] 00 . 
get_sequence_for_reply: found seq = 17 mid = 11 simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] 10 DA 2A 81 B5 3A CB 42 ..*..:.B size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 09 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 CB BD D0 ........ ........ [020] A4 D4 0F E1 4A AA B5 87 40 48 A7 F7 FA 00 00 00 ....J... @H...... [030] 00 . get_sequence_for_reply: found seq = 17 mid = 11 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0030 000a auth_len : 0000 000c call_id : 00000009 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 rpc_api_pipe: got PDU len of 48 at offset 0 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 returned 48 bytes. 
lsa_OpenPolicy2: struct lsa_OpenPolicy2 out: struct lsa_OpenPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a4d0bdcb-0fd4-4ae1-aab5-874048a7f7fa result : NT_STATUS_OK lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 in: struct lsa_QueryInfoPolicy2 handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a4d0bdcb-0fd4-4ae1-aab5-874048a7f7fa level : LSA_POLICY_INFO_DNS (12) 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 002e 000a auth_len : 0000 000c call_id : 0000000a 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000016 0014 context_id: 0000 0016 opnum : 002e rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=12 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16389 (0x4005) smb_bcc=61 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 0A 00 00 00 16 ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 CB BD D0 A4 D4 ........ ........ [030] 0F E1 4A AA B5 87 40 48 A7 F7 FA 0C 00 ..J...@H ..... simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] 7A 72 A3 2D E3 4E 78 A9 zr.-.Nx. 
store_sequence_for_reply: stored seq = 19 mid = 12 write_socket(19,132) write_socket(19,132) wrote 132 got smb length of 296 size=296 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=12 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 240 (0xF0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 240 (0xF0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=241 [000] 00 05 00 02 03 10 00 00 00 F0 00 00 00 0A 00 00 ........ ........ [010] 00 D8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 10 00 12 00 04 00 02 00 28 00 2A 00 08 00 02 ........ .(.*.... [030] 00 28 00 2A 00 0C 00 02 00 B2 37 C4 3B C5 76 BD .(.*.... ..7.;.v. [040] 4E B2 C2 BC 53 0C E4 9A 8A 10 00 02 00 09 00 00 N...S... ........ [050] 00 00 00 00 00 08 00 00 00 45 00 49 00 47 00 48 ........ .E.I.G.H [060] 00 54 00 41 00 44 00 36 00 15 00 00 00 00 00 00 .T.A.D.6 ........ [070] 00 14 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [080] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [090] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0A0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0B0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0C0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0D0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ [0E0] 00 AE 0E A8 09 C1 88 36 76 F1 01 27 F7 00 00 00 .......6 v..'.... [0F0] 00 . get_sequence_for_reply: found seq = 19 mid = 12 simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 84 95 50 20 B8 7D A4 20 ..P .}. 
get_sequence_for_reply: found seq = 19 mid = 12 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00f0 000a auth_len : 0000 000c call_id : 0000000a 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000d8 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 240, data_len 216, ss_len 0 rpc_api_pipe: got PDU len of 240 at offset 0 rpc_api_pipe: host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 returned 432 bytes. lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2 out: struct lsa_QueryInfoPolicy2 info : * info : * info : union lsa_PolicyInformation(case 12) dns: struct lsa_DnsDomainInfo name: struct lsa_StringLarge length : 0x0010 (16) size : 0x0012 (18) string : * string : 'EIGHTAD6' dns_domain: struct lsa_StringLarge length : 0x0028 (40) size : 0x002a (42) string : * string : 'eightad6.testing.com' dns_forest: struct lsa_StringLarge length : 0x0028 (40) size : 0x002a (42) string : * string : 'eightad6.testing.com' domain_guid : 3bc437b2-76c5-4ebd-b2c2-bc530ce49a8a sid : * sid : S-1-5-21-162008750-1983285441-4146528753 result : NT_STATUS_OK set_dc_type_and_flags_connect: domain EIGHTAD6 is in native mode. set_dc_type_and_flags_connect: domain EIGHTAD6 is running active directory. 
simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 75 18 41 93 F5 09 6E 70 u.A...np store_sequence_for_reply: stored seq = 21 mid = 13 write_socket(19,45) write_socket(19,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9865 smb_uid=4097 smb_mid=13 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 13 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] DA 7C F1 2B 5A 66 5A 17 .|.+ZfZ. rpc_pipe_destructor: closed host eightad-dc.eightad6.testing.com, pipe \lsarpc, fnum 0x4005 Storing response for pid 9865, len 3496 timed_events_timeout: 4/920390 select will use timeout of 4.920390 seconds Destroying timed event 2ab26bafadb0 "async_request_timeout_handler" Retrieving response for pid 9865 Received child initialization response for domain EIGHTAD6 connection_ok: Connection to for domain EIGHTAD6 has NULL cli! 
Cache entry with key = SAFJOIN/DOMAIN/EIGHTAD6 couldn't be found Returning valid cache entry: key = SAF/DOMAIN/EIGHTAD6, value = eightad-dc.eightad6.testing.com, timeout = Wed Nov 25 18:46:25 2009 saf_fetch: Returning "eightad-dc.eightad6.testing.com" for "EIGHTAD6" domain Cache entry with key = NEG_CONN_CACHE/EIGHTAD6,eightad-dc.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain EIGHTAD6 server eightad-dc.eightad6.testing.com cm_open_connection: saf_servername is 'eightad-dc.eightad6.testing.com' for domain EIGHTAD6 cm_open_connection: dcname is 'eightad-dc.eightad6.testing.com' for domain EIGHTAD6 Cache entry with key = NEG_CONN_CACHE/EIGHTAD6,eightad-dc.eightad6.testing.com couldn't be found check_negative_conn_cache returning result 0 for domain EIGHTAD6 server eightad-dc.eightad6.testing.com Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up eightad-dc.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/EIGHTAD-DC.EIGHTAD6.TESTING.COM#20, value = 192.168.12.179:0, timeout = Wed Nov 25 18:42:25 2009 name eightad-dc.eightad6.testing.com#20 found. 
cm_prepare_connection: connecting to DC eightad-dc.eightad6.testing.com for domain EIGHTAD6 write_socket(17,194) write_socket(17,194) wrote 194 got smb length of 193 size=193 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=9849 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=22400 (0x5780) smb_vwv[12]=26354 (0x66F2) smb_vwv[13]=53094 (0xCF66) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=124 [000] B1 33 D1 21 52 B8 4C 49 AF 1D D9 07 4D 97 E2 FA .3.!R.LI ....M... [010] 60 6A 06 06 2B 06 01 05 05 02 A0 60 30 5E A0 30 `j..+... ...`0^.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 2A 30 28 A0 26 1B 24 6E 6F 74 5F 64 65 66 69 .*0(.&.$ not_defi [060] 6E 65 64 5F 69 6E 5F 52 46 43 34 31 37 38 40 70 ned_in_R FC4178@p [070] 6C 65 61 73 65 5F 69 67 6E 6F 72 65 lease_ig nore size=193 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=9849 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=22400 (0x5780) smb_vwv[12]=26354 (0x66F2) smb_vwv[13]=53094 (0xCF66) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=124 [000] B1 33 D1 21 52 B8 4C 49 AF 1D D9 07 4D 97 E2 FA .3.!R.LI ....M... [010] 60 6A 06 06 2B 06 01 05 05 02 A0 60 30 5E A0 30 `j..+... 
...`0^.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 2A 30 28 A0 26 1B 24 6E 6F 74 5F 64 65 66 69 .*0(.&.$ not_defi [060] 6E 65 64 5F 69 6E 5F 52 46 43 34 31 37 38 40 70 ned_in_R FC4178@p [070] 6C 65 61 73 65 5F 69 67 6E 6F 72 65 lease_ig nore connecting to eightad-dc.eightad6.testing.com from ALTAIR with kerberos principal [ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM] and realm [eightad6.testing.com] winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 Doing spnego session setup (blob length=124) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=not_defined_in_RFC4178@please_ignore kerberos_kinit_password: as ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM using [MEMORY:cliconnect] as ccache and config [(null)] cli_session_setup_spnego: got a bad server principal, trying to guess ... 
cli_session_setup_spnego: guessed server principal=eightad-dc$@EIGHTAD6 Doing kerberos session setup ads_krb5_mk_req: krb5_get_credentials failed for eightad-dc$@EIGHTAD6 (Cannot find KDC for requested realm) cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm failed kerberos session setup with Cannot find KDC for requested realm connecting to eightad-dc.eightad6.testing.com from ALTAIR with username [CHILD03]\[ALTAIR$] Doing spnego session setup (blob length=124) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=not_defined_in_RFC4178@please_ignore write_socket(17,164) write_socket(17,164) wrote 164 got smb length of 552 size=552 smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9849 smb_uid=4097 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 552 (0x228) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 321 (0x141) smb_bcc=509
size=552 smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9849 smb_uid=4097 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 552 (0x228) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 321 (0x141) smb_bcc=509
Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_CHAL_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x60088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x60088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH write_socket(17,504) write_socket(17,504) wrote 504 got smb length of 240 size=240 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9849 smb_uid=4097 smb_mid=3 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 240 (0xF0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 9 (0x9) smb_bcc=197
size=240 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=9849 smb_uid=4097 smb_mid=3 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 240 (0xF0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 9 (0x9) smb_bcc=197
Mandatory SMB signing enabled! SMB signing enabled!
cli_simple_set_signing: user_session_key [000] AD 74 69 0D FE BE BF 2F 6C 39 AC 14 E9 04 E8 3D .ti..../ l9.....= cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 7C 34 5C A3 8B 98 C4 33 |4\....3 store_sequence_for_reply: stored seq = 1 mid = 3 get_sequence_for_reply: found seq = 1 mid = 3 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 1C AE F9 70 C5 46 40 26 ...p.F@& cli_init_creds: user ALTAIR$ domain CHILD03 saf_store: domain = [EIGHTAD6], server = [eightad-dc.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/EIGHTAD6; value = eightad-dc.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 2B D9 40 CA 83 E6 11 3A +.@....: store_sequence_for_reply: stored seq = 3 mid = 4 write_socket(17,130) write_socket(17,130) wrote 130 got smb length of 56 size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=9849 smb_uid=4097 smb_mid=4 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]=65535 (0xFFFF) smb_vwv[ 4]= 31 (0x1F) smb_vwv[ 5]=65535 (0xFFFF) smb_vwv[ 6]= 31 (0x1F) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 4 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] B8 8D C1 52 2F 2C D0 D4 ...R/,.. 
winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 set_global_winbindd_state_online: online requested. set_global_winbindd_state_online: rejecting. set_domain_online: called for domain EIGHTAD6 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_EIGHTAD6.TESTING.COM to: 192.168.12.179 winbindd_set_locator_kdc_env: setting var: WINBINDD_LOCATOR_KDC_ADDRESS_CHILD03.EIGHTAD6.TESTING.COM to: 192.168.12.172 set_dc_type_and_flags_trustinfo: domain EIGHTAD6 simple_packet_signature: sequence number 22 client_sign_outgoing_message: sent SMB signature of [000] 13 77 69 6D 92 F0 AB 0D .wim.... store_sequence_for_reply: stored seq = 23 mid = 13 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=13 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1792 (0x700) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 23 mid = 13 simple_packet_signature: sequence number 23 client_check_incoming_message: seq 23: got good SMB signature of [000] AC 81 F2 6D 4D 3A 67 
E4 ...mM:g. Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 auth_type 0, auth_level 0 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=14 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49159 (0xC007) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 06 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 24 client_sign_outgoing_message: sent SMB signature of [000] AC 24 E2 51 4F 71 1B D3 .$.QOq.. store_sequence_for_reply: stored seq = 25 mid = 14 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 9F 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 76 F9 01 00 00 00 00 00 00 \lsass.v ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 25 mid = 14 simple_packet_signature: sequence number 25 client_check_incoming_message: seq 25: got good SMB signature of [000] A1 67 B1 30 61 78 0A B5 .g.0ax.. size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 9F 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 76 F9 01 00 00 00 00 00 00 \lsass.v ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 25 mid = 14 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 returned 68 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000709f 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com and bound anonymously. 
netr_ServerReqChallenge: struct netr_ServerReqChallenge in: struct netr_ServerReqChallenge server_name : * server_name : '\\norma.child03.eightad6.testing.com' computer_name : 'ALTAIR' credentials : * credentials: struct netr_Credential data : bc3dd5c33d3a6d4b 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0096 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000007e 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 size=232 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=15 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 150 (0x96) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 150 (0x96) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49159 (0xC007) smb_bcc=165
simple_packet_signature: sequence number 26 client_sign_outgoing_message: sent SMB signature of [000] 57 2A 88 26 27 C7 F6 6C W*.&'..l store_sequence_for_reply: stored seq = 27 mid = 15 write_socket(16,236) write_socket(16,236) wrote 236 got smb length of 92 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 96 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 BF C3 3A 0D B4 9D 4D ........ ...:...M [020] EB 00 00 00 00 ..... get_sequence_for_reply: found seq = 27 mid = 15 simple_packet_signature: sequence number 27 client_check_incoming_message: seq 27: got good SMB signature of [000] 56 A6 E4 5E D7 69 95 03 V..^.i.. size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 96 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 BF C3 3A 0D B4 9D 4D ........ ...:...M [020] EB 00 00 00 00 .....
get_sequence_for_reply: found seq = 27 mid = 15 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0024 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 36, data_len 12, ss_len 0 rpc_api_pipe: got PDU len of 36 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 returned 24 bytes. netr_ServerReqChallenge: struct netr_ServerReqChallenge out: struct netr_ServerReqChallenge return_credentials : * return_credentials: struct netr_Credential data : bfc33a0db49d4deb result : NT_STATUS_OK creds_client_init: neg_flags : 600fffff creds_client_init: client chal : BC3DD5C33D3A6D4B creds_client_init: server chal : BFC33A0DB49D4DEB creds_init_128 clnt_chal_in: BC3DD5C33D3A6D4B srv_chal_in : BFC33A0DB49D4DEB creds_client_init: clnt : 3655CB18E1BF9B59 creds_client_init: server : EFE1ACD9B11DBC35 creds_client_init: seed : 3655CB18E1BF9B59 netr_ServerAuthenticate2: struct netr_ServerAuthenticate2 in: struct netr_ServerAuthenticate2 server_name : * server_name : '\\norma.child03.eightad6.testing.com' account_name : 'ALTAIR$' secure_channel_type : SEC_CHAN_WKSTA (2) computer_name : 'ALTAIR' credentials : * credentials: struct netr_Credential data : 3655cb18e1bf9b59 negotiate_flags : * negotiate_flags : 0x600fffff (1611661311) 1: NETLOGON_NEG_ACCOUNT_LOCKOUT 1: NETLOGON_NEG_PERSISTENT_SAMREPL 1: NETLOGON_NEG_ARCFOUR 1: NETLOGON_NEG_PROMOTION_COUNT 1: NETLOGON_NEG_CHANGELOG_BDC 1: NETLOGON_NEG_FULL_SYNC_REPL 1: NETLOGON_NEG_MULTIPLE_SIDS 1: NETLOGON_NEG_REDO 1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL 1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC 1: NETLOGON_NEG_GENERIC_PASSTHROUGH 1: NETLOGON_NEG_CONCURRENT_RPC 1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL 1: 
NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL 1: NETLOGON_NEG_128BIT 1: NETLOGON_NEG_TRANSITIVE_TRUSTS 1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS 1: NETLOGON_NEG_PASSWORD_SET2 1: NETLOGON_NEG_GETDOMAININFO 1: NETLOGON_NEG_CROSS_FOREST_TRUSTS 0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION 0: NETLOGON_NEG_RODC_PASSTHROUGH 1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS 1: NETLOGON_NEG_SCHANNEL 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00bc 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 000000a4 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 size=270 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=16 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 188 (0xBC) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 188 (0xBC) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49159 (0xC007) smb_bcc=203
simple_packet_signature: sequence number 28 client_sign_outgoing_message: sent SMB signature of [000] 08 A6 D5 D0 29 F0 73 9B ....).s. store_sequence_for_reply: stored seq = 29 mid = 16 write_socket(16,274) write_socket(16,274) wrote 274 got smb length of 96 size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] BC 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 EF E1 AC D9 B1 1D BC ........ ........ [020] 35 FF FF 0F 60 00 00 00 00 5...`... . get_sequence_for_reply: found seq = 29 mid = 16 simple_packet_signature: sequence number 29 client_check_incoming_message: seq 29: got good SMB signature of [000] B5 A9 94 35 52 5B 04 DB ...5R[.. size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] BC 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 EF E1 AC D9 B1 1D BC ........ ........ [020] 35 FF FF 0F 60 00 00 00 00 5...`... .
get_sequence_for_reply: found seq = 29 mid = 16 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0028 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 40, data_len 16, ss_len 0 rpc_api_pipe: got PDU len of 40 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 returned 32 bytes. netr_ServerAuthenticate2: struct netr_ServerAuthenticate2 out: struct netr_ServerAuthenticate2 return_credentials : * return_credentials: struct netr_Credential data : efe1acd9b11dbc35 negotiate_flags : * negotiate_flags : 0x600fffff (1611661311) 1: NETLOGON_NEG_ACCOUNT_LOCKOUT 1: NETLOGON_NEG_PERSISTENT_SAMREPL 1: NETLOGON_NEG_ARCFOUR 1: NETLOGON_NEG_PROMOTION_COUNT 1: NETLOGON_NEG_CHANGELOG_BDC 1: NETLOGON_NEG_FULL_SYNC_REPL 1: NETLOGON_NEG_MULTIPLE_SIDS 1: NETLOGON_NEG_REDO 1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL 1: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC 1: NETLOGON_NEG_GENERIC_PASSTHROUGH 1: NETLOGON_NEG_CONCURRENT_RPC 1: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL 1: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL 1: NETLOGON_NEG_128BIT 1: NETLOGON_NEG_TRANSITIVE_TRUSTS 1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS 1: NETLOGON_NEG_PASSWORD_SET2 1: NETLOGON_NEG_GETDOMAININFO 1: NETLOGON_NEG_CROSS_FOREST_TRUSTS 0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION 0: NETLOGON_NEG_RODC_PASSTHROUGH 1: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS 1: NETLOGON_NEG_SCHANNEL result : NT_STATUS_OK netlogon_creds_client_check: credentials check OK. rpccli_netlogon_setup_creds: server norma.child03.eightad6.testing.com credential chain established. simple_packet_signature: sequence number 30 client_sign_outgoing_message: sent SMB signature of [000] 4C F9 FB 84 76 59 57 C2 L...vYW. 
store_sequence_for_reply: stored seq = 31 mid = 17 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=17 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1536 (0x600) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 31 mid = 17 simple_packet_signature: sequence number 31 client_check_incoming_message: seq 31: got good SMB signature of [000] F5 8E 00 F3 3A C8 11 AA ....:... 
Bind RPC Pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc006 auth_type 2, auth_level 6 000000 smb_io_rpc_auth_schannel_neg schannel_neg 0000 type1: 00000000 0004 type2: 00000003 [000] 43 48 49 4C 44 30 33 CHILD03 [000] 41 4C 54 41 49 52 ALTAIR 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0067 000a auth_len : 0017 000c call_id : 00000009 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 000048 smb_io_rpc_hdr_auth hdr_auth 0048 auth_type : 44 0049 auth_level : 06 004a auth_pad_len : 00 004b auth_reserved: 00 004c auth_context_id: 00000001 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc006 size=185 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=18 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 103 (0x67) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49158 (0xC006) smb_bcc=118
simple_packet_signature: sequence number 32 client_sign_outgoing_message: sent SMB signature of [000] 95 90 FF 7E 97 AC B4 33 ...~...3 store_sequence_for_reply: stored seq = 33 mid = 18 write_socket(16,189) write_socket(16,189) wrote 189 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 67 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 g....... .X...... [010] 00 B8 10 B8 10 A0 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 74 00 .......t . get_sequence_for_reply: found seq = 33 mid = 18 simple_packet_signature: sequence number 33 client_check_incoming_message: seq 33: got good SMB signature of [000] 4E 44 9E 11 D3 B3 DA C0 ND......
size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 67 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 g....... .X...... [010] 00 B8 10 B8 10 A0 70 00 00 0C 00 5C 50 49 50 45 ......p. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 74 00 .......t . get_sequence_for_reply: found seq = 33 mid = 18 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000009 rpc_api_pipe: got PDU len of 88 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc006 returned 88 bytes. rpc_pipe_bind: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc006 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000009 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 000070a0 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 
000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com for domain CHILD03 and bound using schannel. simple_packet_signature: sequence number 34 client_sign_outgoing_message: sent SMB signature of [000] 8B 0F 31 AF CC B7 07 73 ..1....s store_sequence_for_reply: stored seq = 35 mid = 19 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=19 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 35 mid = 19 simple_packet_signature: sequence number 35 client_check_incoming_message: seq 35: got good SMB signature of [000] ED B9 10 B1 A0 1A 81 C1 ........ 
rpc_pipe_destructor: closed host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc007 netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts in: struct netr_DsrEnumerateDomainTrusts server_name : * server_name : 'norma.child03.eightad6.testing.com' trust_flags : 0x00000023 (35) 1: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00a0 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000005c 0014 context_id: 0000 0016 opnum : 0028 000078 smb_io_rpc_hdr_auth hdr_auth 0078 auth_type : 44 0079 auth_level : 06 007a auth_pad_len : 04 007b auth_reserved: 00 007c auth_context_id: 00000001 add_schannel_auth_footer: SCHANNEL seq_num=0 SCHANNEL: schannel_encode seq_num=0 data_len=96 000080 smb_io_rpc_auth_schannel_chk 0080 sig : 77 00 7a 00 ff ff 00 00 0088 seq_num: 5f c5 f5 d6 cd 2c 86 d7 0090 packet_digest: 70 01 5b 5d 42 31 a9 ce 0098 confounder: 6c eb 27 21 63 f5 e6 9b rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc006 size=242 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=20 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 160 (0xA0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 160 (0xA0) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49158 (0xC006) smb_bcc=175 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 A0 00 20 00 0A 00 00 00 5C ........ . 
.....\ [020] 00 00 00 00 00 28 00 44 1F 06 9A CD CA 5F 69 10 .....(.D ....._i. [030] C6 BC F6 F1 EA 23 43 A5 6F 8F 68 8C 81 C7 DA EA .....#C. o.h..... [040] 60 23 9C 83 87 69 17 73 9A A6 65 27 87 CB 60 5F `#...i.s ..e'..`_ [050] 2B EC A3 56 20 A9 BC A4 87 45 41 21 7D F5 A3 C1 +..V ... .EA!}... [060] 41 EC CA 54 41 7D 92 D4 B1 1D BC 46 CD 3C FB C5 A..TA}.. ...F.<.. [070] D8 DC A4 7A 1C DA 12 CA EB 58 D4 F0 9A 5C 36 97 ...z.... .X...\6. [080] F4 CE 78 5C C4 A2 39 44 06 04 00 01 00 00 00 77 ..x\..9D .......w [090] 00 7A 00 FF FF 00 00 5F C5 F5 D6 CD 2C 86 D7 70 .z....._ ....,..p [0A0] 01 5B 5D 42 31 A9 CE 6C EB 27 21 63 F5 E6 9B .[]B1..l .'!c... simple_packet_signature: sequence number 36 client_sign_outgoing_message: sent SMB signature of [000] 0F C7 97 26 35 9B 5F 00 ...&5._. store_sequence_for_reply: stored seq = 37 mid = 20 write_socket(16,246) write_socket(16,246) wrote 246 got smb length of 472 size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417 [000] A0 05 00 02 03 10 00 00 00 A0 01 20 00 0A 00 00 ........ ... .... [010] 00 5C 01 00 00 00 00 00 00 D8 6F 10 22 FD 07 3F .\...... ..o."..? [020] 95 B7 B6 7F 57 1A D4 60 20 D8 70 CC 05 F3 B4 36 ....W..` .p....6 [030] 8E 1C 31 4E 0B 1C 29 C8 53 4E D2 E6 F3 B3 16 A2 ..1N..). SN...... [040] F4 1C 9C 69 D1 05 DD 60 81 F8 3B CD 2C 5A 9C 29 ...i...` ..;.,Z.) [050] DA 97 AD 32 20 CE 21 20 99 76 49 C5 0F EB 98 9D ...2 .! .vI..... [060] D9 77 3D 40 99 53 9A 07 A6 A1 58 47 F3 0D 2D E4 .w=@.S.. ..XG..-. [070] 3A 1B 43 17 67 65 58 3B 19 D0 90 A0 7D 48 47 CB :.C.geX; ....}HG. [080] 84 70 B3 9B A1 27 65 7A 0B ED E1 A0 C3 6E 6E 4D .p...'ez .....nnM [090] F1 F2 51 5E 81 B0 67 DB BE 1B 2A 5C 51 7C B5 73 ..Q^..g. 
..*\Q|.s [0A0] 02 40 7F 94 E8 72 FA 1B AF 56 DD F9 E0 56 D5 96 .@...r.. .V...V.. [0B0] F0 DA D3 52 32 A1 CA B9 FB 28 48 B2 C2 30 AC F5 ...R2... .(H..0.. [0C0] 5D 03 FB D2 1B D6 31 2E FB 61 8B 3F 58 B6 6A 45 ].....1. .a.?X.jE [0D0] 1A FD F7 5C 0C 1E F8 D2 4E F3 87 2E F9 E3 83 16 ...\.... N....... [0E0] 83 17 C3 97 1D FD FD CE AE E2 F8 CB 98 91 FE 72 ........ .......r [0F0] A7 29 D3 EB D6 19 7B 1F 3F E0 D1 0F 5D 6B C5 AB .)....{. ?...]k.. [100] 86 7C 18 14 75 F8 E6 C0 14 45 C4 79 61 ED C8 DC .|..u... .E.ya... [110] 7A A3 26 E6 E0 0A FF 42 2F 77 ED BF 49 53 12 B4 z.&....B /w..IS.. [120] 2A 54 22 A1 A2 79 86 A9 6D 6A 9B 66 9F 2D B1 AC *T"..y.. mj.f.-.. [130] CB E5 A7 20 F4 4A 88 FE 52 7A 41 B2 95 2A A3 92 ... .J.. RzA..*.. [140] FF 55 F2 DE 38 CF DD 2F 7D F6 4A AB 9D 9E 3F D6 .U..8../ }.J...?. [150] 6D 5E C6 15 5C 00 79 DB 44 22 BE CE 24 1E B5 E5 m^..\.y. D"..$... [160] 4C 9E 9E 41 ED 5F 98 17 91 C3 6F 40 EE 26 27 C6 L..A._.. ..o@.&'. [170] 0F 6C A8 9B 30 C5 B2 50 11 44 06 04 00 01 00 00 .l..0..P .D...... [180] 00 77 00 7A 00 FF FF 00 00 4A CD AF 24 BC AA DE .w.z.... .J..$... [190] BD 92 8F B2 0E 15 71 EE 32 36 FE CC 9F 44 CC B3 ......q. 26...D.. [1A0] A0 . get_sequence_for_reply: found seq = 37 mid = 20 simple_packet_signature: sequence number 37 client_check_incoming_message: seq 37: got good SMB signature of [000] 6D 11 C7 B2 48 FD 22 BF m...H.". size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9849 smb_uid=10242 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417
get_sequence_for_reply: found seq = 37 mid = 20 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 01a0 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000015c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 000178 smb_io_rpc_hdr_auth hdr_auth 0178 auth_type : 44 0179 auth_level : 06 017a auth_pad_len : 04 017b auth_reserved: 00 017c auth_context_id: 00000001 000180 smb_io_rpc_auth_schannel_chk 0180 sig : 77 00 7a 00 ff ff 00 00 0188 seq_num: 4a cd af 24 bc aa de bd 0190 packet_digest: 92 8f b2 0e 15 71 ee 32 0198 confounder: 36 fe cc 9f 44 cc b3 a0 SCHANNEL: schannel_decode seq_num=1 data_len=352 SCHANNEL: schannel_decode seq_num=1 data_len=352 cli_pipe_validate_current_pdu: got pdu len 416, data_len 348, ss_len 4 rpc_api_pipe: got PDU len of 416 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0xc006 returned 696 bytes. 
netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts out: struct netr_DsrEnumerateDomainTrusts trusts : * trusts: struct netr_DomainTrustList count : 0x00000002 (2) array : * array: ARRAY(2) array: struct netr_DomainTrust netbios_name : * netbios_name : 'EIGHTAD6' dns_name : * dns_name : 'eightad6.testing.com' trust_flags : 0x00000027 (39) 1: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 1: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND parent_index : 0x00000000 (0) trust_type : NETR_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000020 (32) 0: NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 1: NETR_TRUST_ATTRIBUTE_WITHIN_FOREST 0: NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL sid : * sid : S-1-5-21-162008750-1983285441-4146528753 guid : 3bc437b2-76c5-4ebd-b2c2-bc530ce49a8a array: struct netr_DomainTrust netbios_name : * netbios_name : 'CHILD03' dns_name : * dns_name : 'child03.eightad6.testing.com' trust_flags : 0x00000019 (25) 1: NETR_TRUST_FLAG_IN_FOREST 0: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 1: NETR_TRUST_FLAG_PRIMARY 1: NETR_TRUST_FLAG_NATIVE 0: NETR_TRUST_FLAG_INBOUND parent_index : 0x00000000 (0) trust_type : NETR_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000000 (0) 0: NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: NETR_TRUST_ATTRIBUTE_WITHIN_FOREST 0: NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL sid : * sid : S-1-5-21-1527705246-3463401961-2594329352 guid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 result : WERR_OK set_dc_type_and_flags_trustinfo: domain EIGHTAD6 is NOT in native mode. set_dc_type_and_flags_trustinfo: domain EIGHTAD6 is running active directory. 
wcache_tdc_fetch_domain: Searching for domain EIGHTAD6 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain CHILD03 (child03.eightad6.testing.com) SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x19, attribs = 0x0, type = 0x2 unpack_tdc_domains: Unpacking domain EIGHTAD6 (eightad6.testing.com) SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x27, attribs = 0x20, type = 0x2 wcache_tdc_fetch_domain: Found domain EIGHTAD6 Sending request to child pid 9865 (domain=EIGHTAD6) Added timed event "async_request_timeout_handler": 2ab26bad6860 timed_events_timeout: 299/999990 child daemon request 19 child_process_request: request fn LIST_TRUSTDOM [ 9849]: list trusted domains get_cache: Setting ADS methods for domain EIGHTAD6 fetch_cache_seqnum: invalid data size key [SEQNUM/EIGHTAD6] wcache_tdc_fetch_domain: Searching for domain EIGHTAD6 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain CHILD03 (child03.eightad6.testing.com) SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x19, attribs = 0x0, type = 0x2 unpack_tdc_domains: Unpacking domain EIGHTAD6 (eightad6.testing.com) SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x27, attribs = 0x20, type = 0x2 wcache_tdc_fetch_domain: Found domain EIGHTAD6 ads: fetch sequence_number for EIGHTAD6 wcache_tdc_fetch_domain: Searching for domain EIGHTAD6 unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0 unpack_tdc_domains: Unpacking domain ALTAIR () SID S-1-5-21-981045367-1446913133-3103150389, flags = 0x0, attribs = 0x0, type = 0x0 
unpack_tdc_domains: Unpacking domain CHILD03 (child03.eightad6.testing.com) SID S-1-5-21-1527705246-3463401961-2594329352, flags = 0x19, attribs = 0x0, type = 0x2 unpack_tdc_domains: Unpacking domain EIGHTAD6 (eightad6.testing.com) SID S-1-5-21-162008750-1983285441-4146528753, flags = 0x27, attribs = 0x20, type = 0x2 wcache_tdc_fetch_domain: Found domain EIGHTAD6 ads_cached_connection Returning valid cache entry: key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: domain=EIGHTAD6 ads_connect: entering ads: struct ads_struct is_mine : true ads: struct server realm : 'eightad6.testing.com' workgroup : 'EIGHTAD6' ldap_server : NULL foreign : true ads: struct auth realm : NULL password : '(PASSWORD ommited)' user_name : NULL kdc_server : NULL flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x00000000 (0) 0: DS_SERVER_PDC 0: DS_SERVER_GC 0: DS_SERVER_LDAP 0: DS_SERVER_DS 0: DS_SERVER_KDC 0: DS_SERVER_TIMESERV 0: DS_SERVER_CLOSEST 0: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : NULL bind_path : NULL ldap_server_name : NULL server_site_name : NULL client_site_name : NULL current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000000 (0) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 
(0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for eightad6.testing.com: "Default-First-Site-Name" ads_find_dc: (cldap) looking for realm 'eightad6.testing.com' get_sorted_dc_list: attempting lookup for name eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Cache entry with key = SAFJOIN/DOMAIN/EIGHTAD6.TESTING.COM couldn't be found Returning valid cache entry: key = SAF/DOMAIN/EIGHTAD6.TESTING.COM, value = eightad-dc.eightad6.testing.com, timeout = Wed Nov 25 18:45:20 2009 saf_fetch: Returning "eightad-dc.eightad6.testing.com" for "eightad6.testing.com" domain get_dc_list: preferred server list: "eightad-dc.eightad6.testing.com, *" internal_resolve_name: looking up eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning expired cache entry: key = NBT/EIGHTAD6.TESTING.COM#1C, value = 192.168.12.179:389, timeout = Wed Nov 25 18:31:21 2009 no entry for eightad6.testing.com#1C found. resolve_ads: Attempting to resolve DCs for eightad6.testing.com using DNS ads_dns_lookup_srv: 1 records returned in the answer section. 
ads_dns_parse_rr_srv: Parsed eightad-dc.eightad6.testing.com [0, 100, 389] remove_duplicate_addrs2: looking for duplicate address/port pairs namecache_store: storing 1 address for eightad6.testing.com#1c: 192.168.12.179 Adding cache entry with key = NBT/EIGHTAD6.TESTING.COM#1C; value = 192.168.12.179:389 and timeout = Wed Nov 25 18:42:25 2009 (660 seconds ahead) internal_resolve_name: returning 1 addresses: 192.168.12.179:389 Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up eightad-dc.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/EIGHTAD-DC.EIGHTAD6.TESTING.COM#20, value = 192.168.12.179:0, timeout = Wed Nov 25 18:42:25 2009 name eightad-dc.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/eightad6.testing.com,192.168.12.179 couldn't be found check_negative_conn_cache returning result 0 for domain eightad6.testing.com server 192.168.12.179 Cache entry with key = NEG_CONN_CACHE/eightad6.testing.com,192.168.12.179 couldn't be found check_negative_conn_cache returning result 0 for domain eightad6.testing.com server 192.168.12.179 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.179:389 Cache entry with key = NEG_CONN_CACHE/eightad6.testing.com,192.168.12.179 couldn't be found check_negative_conn_cache returning result 0 for domain eightad6.testing.com server 192.168.12.179 ads_try_connect: sending CLDAP request to 192.168.12.179 (realm: eightad6.testing.com) &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000013fd (5117) 1: NBT_SERVER_PDC 1: NBT_SERVER_GC 
1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 1: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 domain_uuid : 3bc437b2-76c5-4ebd-b2c2-bc530ce49a8a forest : 'eightad6.testing.com' dns_domain : 'eightad6.testing.com' pdc_dns_name : 'eightad-dc.eightad6.testing.com' domain : 'EIGHTAD6' pdc_name : 'EIGHTAD-DC' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVIOD_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) sitename_store: realm = [EIGHTAD6], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/EIGHTAD6; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) sitename_store: realm = [eightad6.testing.com], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) Successfully contacted LDAP server 192.168.12.179 ads_connect: leaving with: Success ads: struct ads_struct is_mine : true ads: struct server realm : 'eightad6.testing.com' workgroup : 'EIGHTAD6' ldap_server : NULL foreign : true ads: struct auth realm : 'EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : 'ALTAIR$' kdc_server : '192.168.12.179' flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 
1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x000013fd (5117) 1: DS_SERVER_PDC 1: DS_SERVER_GC 1: DS_SERVER_LDAP 1: DS_SERVER_DS 1: DS_SERVER_KDC 1: DS_SERVER_TIMESERV 1: DS_SERVER_CLOSEST 1: DS_SERVER_WRITABLE 1: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 1: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : 'EIGHTAD6.TESTING.COM' bind_path : 'dc=EIGHTAD6,dc=TESTING,dc=COM' ldap_server_name : 'eightad-dc.eightad6.testing.com' server_site_name : 'Default-First-Site-Name' client_site_name : 'Default-First-Site-Name' current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : 192.168.12.179 last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000185 (389) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: using server='EIGHTAD-DC.EIGHTAD6.TESTING.COM' IP=192.168.12.179 ads_connect: entering ads: struct ads_struct is_mine : true ads: struct server realm : 'eightad6.testing.com' workgroup : 'EIGHTAD6' ldap_server : NULL foreign : true ads: struct auth realm : 'CHILD03.EIGHTAD6.TESTING.COM' password : '(PASSWORD 
ommited)' user_name : NULL kdc_server : NULL flags : 0x00000000 (0) 0: ADS_AUTH_DISABLE_KERBEROS 0: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : Sat 31 Jan 1970 05:30:00 AM IST IST ads: struct config flags : 0x00000000 (0) 0: DS_SERVER_PDC 0: DS_SERVER_GC 0: DS_SERVER_LDAP 0: DS_SERVER_DS 0: DS_SERVER_KDC 0: DS_SERVER_TIMESERV 0: DS_SERVER_CLOSEST 0: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : NULL bind_path : NULL ldap_server_name : NULL server_site_name : NULL client_site_name : NULL current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000000 (0) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads_find_dc: (ldap) looking for realm 'eightad6.testing.com' Returning valid cache entry: key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: domain=EIGHTAD6 ads_connect: entering ads: struct ads_struct is_mine : true ads: struct server realm : 'eightad6.testing.com' workgroup : 'EIGHTAD6' ldap_server : NULL foreign : true ads: struct auth realm : NULL password : '(PASSWORD ommited)' user_name : NULL 
kdc_server : NULL flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x00000000 (0) 0: DS_SERVER_PDC 0: DS_SERVER_GC 0: DS_SERVER_LDAP 0: DS_SERVER_DS 0: DS_SERVER_KDC 0: DS_SERVER_TIMESERV 0: DS_SERVER_CLOSEST 0: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : NULL bind_path : NULL ldap_server_name : NULL server_site_name : NULL client_site_name : NULL current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000000 (0) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for eightad6.testing.com: "Default-First-Site-Name" ads_find_dc: (cldap) looking for realm 'eightad6.testing.com' get_sorted_dc_list: attempting lookup for name eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Cache entry with key = SAFJOIN/DOMAIN/EIGHTAD6.TESTING.COM couldn't be found Returning valid cache entry: key = SAF/DOMAIN/EIGHTAD6.TESTING.COM, value = eightad-dc.eightad6.testing.com, timeout = Wed Nov 25 18:45:20 
2009 saf_fetch: Returning "eightad-dc.eightad6.testing.com" for "eightad6.testing.com" domain get_dc_list: preferred server list: "eightad-dc.eightad6.testing.com, *" internal_resolve_name: looking up eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/EIGHTAD6.TESTING.COM#1C, value = 192.168.12.179:389, timeout = Wed Nov 25 18:42:25 2009 name eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up eightad-dc.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/EIGHTAD-DC.EIGHTAD6.TESTING.COM#20, value = 192.168.12.179:0, timeout = Wed Nov 25 18:42:25 2009 name eightad-dc.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/eightad6.testing.com,192.168.12.179 couldn't be found check_negative_conn_cache returning result 0 for domain eightad6.testing.com server 192.168.12.179 Cache entry with key = NEG_CONN_CACHE/eightad6.testing.com,192.168.12.179 couldn't be found check_negative_conn_cache returning result 0 for domain eightad6.testing.com server 192.168.12.179 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.179:389 Cache entry with key = NEG_CONN_CACHE/eightad6.testing.com,192.168.12.179 couldn't be found check_negative_conn_cache returning result 0 for domain eightad6.testing.com server 192.168.12.179 ads_try_connect: sending CLDAP request to 192.168.12.179 (realm: eightad6.testing.com) &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000013fd (5117) 1: NBT_SERVER_PDC 1: NBT_SERVER_GC 1: 
NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 1: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 domain_uuid : 3bc437b2-76c5-4ebd-b2c2-bc530ce49a8a forest : 'eightad6.testing.com' dns_domain : 'eightad6.testing.com' pdc_dns_name : 'eightad-dc.eightad6.testing.com' domain : 'EIGHTAD6' pdc_name : 'EIGHTAD-DC' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVIOD_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) sitename_store: realm = [EIGHTAD6], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/EIGHTAD6; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) sitename_store: realm = [eightad6.testing.com], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) Successfully contacted LDAP server 192.168.12.179 ads_connect: leaving with: Success ads: struct ads_struct is_mine : true ads: struct server realm : 'eightad6.testing.com' workgroup : 'EIGHTAD6' ldap_server : NULL foreign : true ads: struct auth realm : 'EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : 'ALTAIR$' kdc_server : '192.168.12.179' flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: 
ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x000013fd (5117) 1: DS_SERVER_PDC 1: DS_SERVER_GC 1: DS_SERVER_LDAP 1: DS_SERVER_DS 1: DS_SERVER_KDC 1: DS_SERVER_TIMESERV 1: DS_SERVER_CLOSEST 1: DS_SERVER_WRITABLE 1: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 1: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : 'EIGHTAD6.TESTING.COM' bind_path : 'dc=EIGHTAD6,dc=TESTING,dc=COM' ldap_server_name : 'eightad-dc.eightad6.testing.com' server_site_name : 'Default-First-Site-Name' client_site_name : 'Default-First-Site-Name' current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : 192.168.12.179 last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000185 (389) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: using server='EIGHTAD-DC.EIGHTAD6.TESTING.COM' IP=192.168.12.179 ads_try_connect: sending CLDAP request to EIGHTAD-DC.EIGHTAD6.TESTING.COM (realm: eightad6.testing.com) &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000013fd 
(5117) 1: NBT_SERVER_PDC 1: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 1: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 domain_uuid : 3bc437b2-76c5-4ebd-b2c2-bc530ce49a8a forest : 'eightad6.testing.com' dns_domain : 'eightad6.testing.com' pdc_dns_name : 'eightad-dc.eightad6.testing.com' domain : 'EIGHTAD6' pdc_name : 'EIGHTAD-DC' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVIOD_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) sitename_store: realm = [EIGHTAD6], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/EIGHTAD6; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) sitename_store: realm = [eightad6.testing.com], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259154086 seconds ahead) Successfully contacted LDAP server 192.168.12.179 Opening connection to LDAP server 'eightad-dc.eightad6.testing.com:389', timeout 15 seconds Connected to LDAP server 'eightad-dc.eightad6.testing.com:389' Connected to LDAP server eightad-dc.eightad6.testing.com ads_closest_dc: NBT_SERVER_CLOSEST flag set saf_store: domain = [EIGHTAD6], server = 
[eightad-dc.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/EIGHTAD6; value = eightad-dc.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) saf_store: domain = [eightad6.testing.com], server = [eightad-dc.eightad6.testing.com], expire = [1259154985] Adding cache entry with key = SAF/DOMAIN/EIGHTAD6.TESTING.COM; value = eightad-dc.eightad6.testing.com and timeout = Wed Nov 25 18:46:25 2009 (900 seconds ahead) time offset is 2 seconds Found SASL mechanism GSS-SPNEGO ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit kerberos_kinit_password: as ALTAIR$@CHILD03.EIGHTAD6.TESTING.COM using [MEMORY:winbind_ccache] as ccache and config [(null)] ads_krb5_mk_req: krb5_get_credentials failed for ldap/eightad-dc.eightad6.testing.com@EIGHTAD6.TESTING.COM (Cannot find KDC for requested realm) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot find KDC for requested realm ads_connect: leaving with: Cannot find KDC for requested realm ads: struct ads_struct is_mine : true ads: struct server realm : 'eightad6.testing.com' workgroup : 'EIGHTAD6' ldap_server : NULL foreign : true ads: struct auth realm : 'CHILD03.EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : 'ALTAIR$' kdc_server : '192.168.12.179' flags : 0x00000000 (0) 0: ADS_AUTH_DISABLE_KERBEROS 0: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000002 (2) tgt_expire : Thu 26 Nov 2009 04:31:29 AM IST IST tgs_expire : 
(time_t)0 renewable : Sat 31 Jan 1970 05:30:00 AM IST IST ads: struct config flags : 0x000013fd (5117) 1: DS_SERVER_PDC 1: DS_SERVER_GC 1: DS_SERVER_LDAP 1: DS_SERVER_DS 1: DS_SERVER_KDC 1: DS_SERVER_TIMESERV 1: DS_SERVER_CLOSEST 1: DS_SERVER_WRITABLE 1: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 1: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : 'EIGHTAD6.TESTING.COM' bind_path : 'dc=EIGHTAD6,dc=TESTING,dc=COM' ldap_server_name : 'eightad-dc.eightad6.testing.com' server_site_name : 'Default-First-Site-Name' client_site_name : 'Default-First-Site-Name' current_time : Wed 25 Nov 2009 06:31:27 PM IST IST schema_path : NULL config_path : NULL ads: struct ldap ld : * ss : 192.168.12.179 last_attempt : Wed 25 Nov 2009 06:31:25 PM IST IST port : 0x00000185 (389) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : * wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads_connect for domain EIGHTAD6 failed: Cannot find KDC for requested realm refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL store_cache_seqnum: success [EIGHTAD6][4294967295 @ 1259154085] refresh_sequence_number: EIGHTAD6 seq number is now -1 winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL Storing response for pid 9865, len 3496 Destroying timed event 2ab26bad6860 "async_request_timeout_handler" Retrieving response for pid 9865 Could not receive trustdoms timed_events_timeout: 4/833461 select will use timeout of 4.833461 seconds nothing is ready yet, continue timed_events_timeout: 0/78 select will use timeout of 0.78 seconds nothing is ready yet, continue Running event 
"check_domain_online_handler" 2ab26bad5650 check_domain_online_handler: called for domain CHILD03 (online = True) Destroying timed event 2ab26bad5650 "check_domain_online_handler" Deregistering messaging pointer for type 1028 - private_data=(nil) Deregistering messaging pointer for type 1027 - private_data=(nil) Deregistering messaging pointer for type 1029 - private_data=(nil) Deregistering messaging pointer for type 1280 - private_data=(nil) Deregistering messaging pointer for type 1 - private_data=(nil) Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: domain=CHILD03 ads_connect: entering ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : NULL password : '(PASSWORD ommited)' user_name : NULL kdc_server : NULL flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x00000000 (0) 0: DS_SERVER_PDC 0: DS_SERVER_GC 0: DS_SERVER_LDAP 0: DS_SERVER_DS 0: DS_SERVER_KDC 0: DS_SERVER_TIMESERV 0: DS_SERVER_CLOSEST 0: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : NULL bind_path : NULL ldap_server_name : NULL server_site_name : NULL client_site_name : NULL current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : last_attempt : Wed 25 Nov 2009 06:31:30 PM IST IST port : 0x00000000 (0) 
wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_find_dc: (cldap) looking for realm 'child03.eightad6.testing.com' get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. 
Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: child03.eightad6.testing.com) &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x000001f9 (505) 1: NBT_SERVER_PDC 0: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 0: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 0: NBT_SERVER_FULL_SECRET_DOMAIN_6 domain_uuid : 051fb988-d99f-42a3-8755-7bc9b4d48af3 forest : 'eightad6.testing.com' dns_domain : 'child03.eightad6.testing.com' 
pdc_dns_name : 'norma.child03.eightad6.testing.com' domain : 'CHILD03' pdc_name : 'NORMA' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVIOD_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) sitename_store: realm = [CHILD03], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03; value = Default-First-Site-Name and timeout = (null) (-1259154091 seconds ahead) sitename_store: realm = [child03.eightad6.testing.com], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259154091 seconds ahead) Successfully contacted LDAP server 192.168.12.172 ads_connect: leaving with: Success ads: struct ads_struct is_mine : true ads: struct server realm : 'child03.eightad6.testing.com' workgroup : 'CHILD03' ldap_server : NULL foreign : false ads: struct auth realm : 'CHILD03.EIGHTAD6.TESTING.COM' password : '(PASSWORD ommited)' user_name : 'ALTAIR$' kdc_server : '192.168.12.172' flags : 0x00000002 (2) 0: ADS_AUTH_DISABLE_KERBEROS 1: ADS_AUTH_NO_BIND 0: ADS_AUTH_ANON_BIND 0: ADS_AUTH_SIMPLE_BIND 0: ADS_AUTH_ALLOW_NTLMSSP 0: ADS_AUTH_SASL_SIGN 0: ADS_AUTH_SASL_SEAL 0: ADS_AUTH_SASL_FORCE time_offset : 0x00000000 (0) tgt_expire : (time_t)0 tgs_expire : (time_t)0 renewable : (time_t)0 ads: struct config flags : 0x000001f9 (505) 1: DS_SERVER_PDC 0: DS_SERVER_GC 
1: DS_SERVER_LDAP 1: DS_SERVER_DS 1: DS_SERVER_KDC 1: DS_SERVER_TIMESERV 1: DS_SERVER_CLOSEST 1: DS_SERVER_WRITABLE 0: DS_SERVER_GOOD_TIMESERV 0: DS_SERVER_NDNC 0: DS_SERVER_SELECT_SECRET_DOMAIN_6 0: DS_SERVER_FULL_SECRET_DOMAIN_6 0: DS_DNS_CONTROLLER 0: DS_DNS_DOMAIN 0: DS_DNS_FOREST realm : 'CHILD03.EIGHTAD6.TESTING.COM' bind_path : 'dc=CHILD03,dc=EIGHTAD6,dc=TESTING,dc=COM' ldap_server_name : 'norma.child03.eightad6.testing.com' server_site_name : 'Default-First-Site-Name' client_site_name : 'Default-First-Site-Name' current_time : (time_t)0 schema_path : NULL config_path : NULL ads: struct ldap ld : NULL ss : 192.168.12.172 last_attempt : Wed 25 Nov 2009 06:31:30 PM IST IST port : 0x00000185 (389) wrap_type : 0x0001 (1) sbiod : NULL mem_ctx : NULL wrap_ops : NULL wrap_private_data : NULL ads: struct in ofs : 0x00000000 (0) needed : 0x00000000 (0) left : 0x00000000 (0) max_wrapped : 0x00000000 (0) min_wrapped : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) ads: struct out ofs : 0x00000000 (0) left : 0x00000000 (0) max_unwrapped : 0x00000000 (0) sig_size : 0x00000000 (0) size : 0x00000000 (0) buf: ARRAY(0) Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_closest_dc: NBT_SERVER_CLOSEST flag set create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.CHILD03, realm = child03.eightad6.testing.com, domain = CHILD03 Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename 
Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename (null)) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. 
Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 get_kdc_ip_string: Returning kdc = 192.168.12.172 create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.CHILD03 with realm CHILD03.EIGHTAD6.TESTING.COM KDC list = kdc = 192.168.12.172 ads_dc_name: using server='NORMA.CHILD03.EIGHTAD6.TESTING.COM' IP=192.168.12.172 Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning 
"norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. 
Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Cache entry with key = NEG_CONN_CACHE/CHILD03,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain CHILD03 server 192.168.12.172 get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename NULL) using [ads] Returning valid cache entry: key = SAFJOIN/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 19:29:39 2009 saf_fetch[join]: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename (null)) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:42:25 2009 name child03.eightad6.testing.com#1C found. 
Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:42:25 2009 name norma.child03.eightad6.testing.com#20 found. Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 Cache entry with key = NEG_CONN_CACHE/child03.eightad6.testing.com,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain child03.eightad6.testing.com server 192.168.12.172 remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Cache entry with key = NEG_CONN_CACHE/CHILD03,192.168.12.172 couldn't be found check_negative_conn_cache returning result 0 for domain CHILD03 server 192.168.12.172 messaging_tdb_store: array: struct messaging_array num_messages : 0x00000001 (1) messages: ARRAY(1) messages: struct messaging_rec msg_version : 0x00000002 (2) msg_type : MSG_WINBIND_TRY_TO_GO_ONLINE (1030) dest: struct server_id id : 0x00002689 (9865) src: struct server_id id : 0x000026d4 (9940) buf : DATA_BLOB length=8 [000] 43 48 49 4C 44 30 33 00 CHILD03. 
message_dispatch: received_signal = 1 messaging_tdb_fetch: result: struct messaging_array num_messages : 0x00000001 (1) messages: ARRAY(1) messages: struct messaging_rec msg_version : 0x00000002 (2) msg_type : MSG_WINBIND_TRY_TO_GO_ONLINE (1030) dest: struct server_id id : 0x00002689 (9865) src: struct server_id id : 0x000026d4 (9940) buf : DATA_BLOB length=8 [000] 43 48 49 4C 44 30 33 00 CHILD03. msg_try_to_go_online: received for domain CHILD03. msg_try_to_go_online: domain CHILD03 already online. accepted socket 19 process_request: request fn INTERFACE_VERSION [10142]: request interface version process_request: request fn WINBINDD_PRIV_PIPE_DIR [10142]: request location of privileged pipe accepted socket 20 final write to client failed: Broken pipe process_request: request fn AUTH_CRAP [10142]: pam auth crap domain: [CHILD03] user: test is_myname("CHILD03") returns 0 Sending request to child pid 9850 (domain=CHILD03) Added timed event "async_request_timeout_handler": 2ab26bad6860 timed_events_timeout: 299/999983 child daemon request 13 child_process_request: request fn AUTH_CRAP [ 9849]: pam auth crap domain: CHILD03 user: test is_myname("CHILD03") returns 0 netr_LogonSamLogonEx: struct netr_LogonSamLogonEx in: struct netr_LogonSamLogonEx server_name : * server_name : '\\norma.child03.eightad6.testing.com' computer_name : * computer_name : 'ALTAIR' logon_level : NET_LOGON_TYPE (2) logon : * logon : union netr_LogonInfo(case 2) network : * network: struct netr_NetworkInfo identity_info: struct netr_IdentityInfo domain_name: struct lsa_String length : 0x000e (14) size : 0x000e (14) string : * string : 'CHILD03' parameter_control : 0x00000820 (2080) 0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED 0: MSV1_0_UPDATE_LOGON_STATISTICS 0: MSV1_0_RETURN_USER_PARAMETERS 1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0: MSV1_0_RETURN_PROFILE_PATH 1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT logon_id_low : 0x0000dead (57005) logon_id_high : 0x0000beef (48879) account_name: struct lsa_String length 
: 0x0008 (8) size : 0x0008 (8) string : * string : 'test' workstation: struct lsa_String length : 0x0010 (16) size : 0x0010 (16) string : * string : '\\ALTAIR' challenge : 06a53264999cb006 nt: struct netr_ChallengeResponse length : 0x0018 (24) size : 0x0018 (24) data : * data : 54fcdc6ed96c6df6faec7e60d9873b9a95962c5d2dd59b8b lm: struct netr_ChallengeResponse length : 0x0000 (0) size : 0x0000 (0) data : NULL validation_level : 0x0003 (3) flags : * flags : 0x00000000 (0) 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0178 000a auth_len : 0020 000c call_id : 0000000c 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000138 0014 context_id: 0000 0016 opnum : 0027 000150 smb_io_rpc_hdr_auth hdr_auth 0150 auth_type : 44 0151 auth_level : 06 0152 auth_pad_len : 00 0153 auth_reserved: 00 0154 auth_context_id: 00000001 add_schannel_auth_footer: SCHANNEL seq_num=4 SCHANNEL: schannel_encode seq_num=4 data_len=312 000158 smb_io_rpc_auth_schannel_chk 0158 sig : 77 00 7a 00 ff ff 00 00 0160 seq_num: 78 e4 f0 38 9a 67 39 7e 0168 packet_digest: 4a 57 86 32 a9 ce 77 de 0170 confounder: 5c 89 46 8a 17 1d 65 b0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f size=458 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=22 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 376 (0x178) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 376 (0x178) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32783 (0x800F) smb_bcc=391
simple_packet_signature: sequence number 40 client_sign_outgoing_message: sent SMB signature of [000] CE 2D 0A 55 E4 2C FB 1D .-.U.,..
store_sequence_for_reply: stored seq = 41 mid = 22 write_socket(16,462) write_socket(16,462) wrote 462 got smb length of 456 size=456 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=22 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 400 (0x190) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 400 (0x190) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=401
get_sequence_for_reply: found seq = 41 mid = 22 simple_packet_signature: sequence number 41 client_check_incoming_message: seq 41: got good SMB signature of [000] 1C F1 8D 3E D3 A7 4F 2C ...>..O, size=456 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6149 smb_pid=9850 smb_uid=10242 smb_mid=22 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 400 (0x190) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 400 (0x190) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=401
get_sequence_for_reply: found seq = 41 mid = 22 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0190 000a auth_len : 0020 000c call_id : 0000000c 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000150 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 000168 smb_io_rpc_hdr_auth hdr_auth 0168 auth_type : 44 0169 auth_level : 06 016a auth_pad_len : 00 016b auth_reserved: 00 016c auth_context_id: 00000001 000170 smb_io_rpc_auth_schannel_chk 0170 sig : 77 00 7a 00 ff ff 00 00 0178 seq_num: 6b ce ca ed de 98 f4 72 0180 packet_digest: db ed 41 0f 25 1f 84 2c 0188 confounder: 22 87 46 c3 bb 7c 72 88 SCHANNEL: schannel_decode seq_num=5 data_len=336 SCHANNEL: schannel_decode seq_num=5 data_len=336 cli_pipe_validate_current_pdu: got pdu len 400, data_len 336, ss_len 0 rpc_api_pipe: got PDU len of 400 at offset 0 rpc_api_pipe: host norma.child03.eightad6.testing.com, pipe \NETLOGON, fnum 0x800f returned 672 bytes. 
netr_LogonSamLogonEx: struct netr_LogonSamLogonEx out: struct netr_LogonSamLogonEx validation : * validation : union netr_Validation(case 3) sam3 : * sam3: struct netr_SamInfo3 base: struct netr_SamBaseInfo last_logon : NTTIME(0) last_logoff : Thu 14 Sep 30828 08:18:05 AM IST IST acct_expiry : Thu 14 Sep 30828 08:18:05 AM IST IST last_password_change : Wed 25 Nov 2009 03:53:53 PM IST IST allow_password_change : Wed 25 Nov 2009 03:53:53 PM IST IST force_password_change : Thu 14 Sep 30828 08:18:05 AM IST IST account_name: struct lsa_String length : 0x0008 (8) size : 0x000a (10) string : * string : 'test' full_name: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) rid : 0x0000044f (1103) primary_gid : 0x00000201 (513) groups: struct samr_RidWithAttributeArray count : 0x00000001 (1) rids : * rids: ARRAY(1) rids: struct samr_RidWithAttribute rid : 0x00000201 (513) attributes : 0x00000007 (7) 1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0) user_flags : 0x00000120 (288) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 1: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 1: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key : b04b5ef31fbeb49a62824758d32977f8 logon_server: struct lsa_StringLarge length : 0x000a (10) size : 0x000c (12) string : * string : 'NORMA' domain: 
struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'CHILD03' domain_sid : * domain_sid : S-1-5-21-1527705246-3463401961-2594329352 LMSessKey: struct netr_LMSessionKey key : 5500c719feb0f6ca acct_flags : 0x00000210 (528) 0: ACB_DISABLED 0: ACB_HOMDIRREQ 0: ACB_PWNOTREQ 0: ACB_TEMPDUP 1: ACB_NORMAL 0: ACB_MNS 0: ACB_DOMTRUST 0: ACB_WSTRUST 0: ACB_SVRTRUST 1: ACB_PWNOEXP 0: ACB_AUTOLOCK 0: ACB_ENC_TXT_PWD_ALLOWED 0: ACB_SMARTCARD_REQUIRED 0: ACB_TRUSTED_FOR_DELEGATION 0: ACB_NOT_DELEGATED 0: ACB_USE_DES_KEY_ONLY 0: ACB_DONT_REQUIRE_PREAUTH 0: ACB_PW_EXPIRED 0: ACB_NO_AUTH_DATA_REQD unknown: ARRAY(7) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) sidcount : 0x00000000 (0) sids : NULL authoritative : * authoritative : 0x01 (1) flags : * flags : 0x00000000 (0) result : NT_STATUS_OK wcache_invalidate_samlogon: clearing U/S-1-5-21-1527705246-3463401961-2594329352-1103 wcache_invalidate_samlogon: clearing UG/S-1-5-21-1527705246-3463401961-2594329352-1103 netsamlogon_clear_cached_user: SID [S-1-5-21-1527705246-3463401961-2594329352-1103] netsamlogon_cache_store: SID [S-1-5-21-1527705246-3463401961-2594329352-1103] &r: struct netsamlogoncache_entry timestamp : Wed 25 Nov 2009 06:31:41 PM IST IST info3: struct netr_SamInfo3 base: struct netr_SamBaseInfo last_logon : NTTIME(0) last_logoff : Thu 14 Sep 30828 08:18:05 AM IST IST acct_expiry : Thu 14 Sep 30828 08:18:05 AM IST IST last_password_change : Wed 25 Nov 2009 03:53:53 PM IST IST allow_password_change : Wed 25 Nov 2009 03:53:53 PM IST IST force_password_change : Thu 14 Sep 30828 08:18:05 AM IST IST account_name: struct lsa_String length : 0x0008 (8) size : 0x000a (10) string : * string : 'test' full_name: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL 
profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) rid : 0x0000044f (1103) primary_gid : 0x00000201 (513) groups: struct samr_RidWithAttributeArray count : 0x00000001 (1) rids : * rids: ARRAY(1) rids: struct samr_RidWithAttribute rid : 0x00000201 (513) attributes : 0x00000007 (7) 1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0) user_flags : 0x00000120 (288) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 1: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 1: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key : 8d5e68023716cf296160760773aa5838 logon_server: struct lsa_StringLarge length : 0x000a (10) size : 0x000c (12) string : * string : 'NORMA' domain: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'CHILD03' domain_sid : * domain_sid : S-1-5-21-1527705246-3463401961-2594329352 LMSessKey: struct netr_LMSessionKey key : 6815f1e8d6188d79 acct_flags : 0x00000210 (528) 0: ACB_DISABLED 0: ACB_HOMDIRREQ 0: ACB_PWNOTREQ 0: ACB_TEMPDUP 1: ACB_NORMAL 0: ACB_MNS 0: ACB_DOMTRUST 0: ACB_WSTRUST 0: ACB_SVRTRUST 1: ACB_PWNOEXP 0: ACB_AUTOLOCK 0: ACB_ENC_TXT_PWD_ALLOWED 0: ACB_SMARTCARD_REQUIRED 0: ACB_TRUSTED_FOR_DELEGATION 0: ACB_NOT_DELEGATED 0: ACB_USE_DES_KEY_ONLY 0: ACB_DONT_REQUIRE_PREAUTH 0: ACB_PW_EXPIRED 0: ACB_NO_AUTH_DATA_REQD unknown: ARRAY(7) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 
0x00000000 (0) unknown : 0x00000000 (0) sidcount : 0x00000000 (0) sids : NULL NTLM CRAP authentication for user [CHILD03]\[test] returned NT_STATUS_OK (PAM: 0) Storing response for pid 9850, len 3496 Destroying timed event 2ab26bad6860 "async_request_timeout_handler" Retrieving response for pid 9850 timed_events_timeout: 604677/684624 select will use timeout of 604677.684624 seconds final write to client failed: Broken pipe