Discussion:
[Samba] Debian Jessie joining AD as member fails with "The object name is not found."
Russell Ault
2016-07-10 06:32:46 UTC
Hi all!

I'm trying to join Debian Jessie to an existing AD domain as a member server (AD DC is Server 2012R2) to run it as a file server. I installed acl, samba, winbind, libnss-winbind, and krb5-user using APT, and configured /etc/samba/smb.conf according to the Samba wiki article.

The error the join command is producing is "Failed to join domain: failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.", which isn't an error message that appeared in any of my searching, so I'm pretty stumped. I've attached my smb.conf and -d10 command output. Any thoughts?

Thanks!

Sincerely,

Russell Ault


Here is my (sanitized) smb.conf:

[global]
netbios name = HOSTNAME
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[storage]
path = /path
read only = no
admin users = "@DOMAIN\Domain Admins"


Here's the (sanitized) output of trying to join the domain:
***@hostname:~# net ads join -U administrator -d10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
Processing section "[global]"
doing parameter netbios name = HOSTNAME
doing parameter security = ADS
doing parameter workgroup = DOMAIN
doing parameter realm = DOMAIN.LOCAL
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config DOMAIN:backend = ad
doing parameter idmap config DOMAIN:schema_mode = rfc2307
doing parameter idmap config DOMAIN:range = 10000-99999
doing parameter winbind nss info = template
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="HOSTNAME"
added interface eth0 ip=192.168.0.37 bcast=192.168.0.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Enter administrator's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'HOSTNAME'
domain_name : *
domain_name : 'DOMAIN.LOCAL'
account_ou : NULL
admin_account : 'administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-Site-Name"
dsgetdcname_internal: domain_name: DOMAIN.LOCAL, domain_guid: (null), site_name: Default-First-Site-Name, flags: 0x40001011
debug_dsdcinfo_flags: 0x40001011
DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
dsgetdcname_rediscover
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100, 389]
LDAP ping to domain-controller.domain.local (192.168.0.34)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN, we already got it
sitename_store: realm = [DOMAIN], sitename = [Default-First-Site-Name], expire = [2085923199]
Did not store value for AD_SITENAME/DOMAIN/DOMAIN, we already got it
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN.LOCAL, we already got it
sitename_store: realm = [domain.local], sitename = [Default-First-Site-Name], expire = [2085923199]
Did not store value for AD_SITENAME/DOMAIN/DOMAIN.LOCAL, we already got it
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-Site-Name"
internal_resolve_name: looking up domain-controller.domain.local#20 (sitename Default-First-Site-Name)
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and timeout=[Wed Dec 31 05:00:00 PM 1969 MST] (-1468131016 seconds in the past)
no entry for domain-controller.domain.local#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name domain-controller.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name domain-controller.domain.local<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name domain-controller.domain.local<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for domain-controller.domain.local#20: 192.168.0.34
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and timeout=[Sun Jul 10 12:21:16 AM 2016 MDT] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.168.0.34:0
Connecting to 192.168.0.34 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=***@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp_check_packet: NTLMSSP signature OK !
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
signed SMB2 message
signed SMB2 message
cli_init_creds: user administrator domain
signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-ef00-0123456789ab
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d2 (1238994)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 00 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
reason : union dcerpc_bind_ack_reason(case 0)
value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine domain-controller.domain.local and bound anonymously.
lsa_OpenPolicy: struct lsa_OpenPolicy
in: struct lsa_OpenPolicy
system_name : *
system_name : 0x005c (92)
attr : *
attr: struct lsa_ObjectAttribute
len : 0x00000018 (24)
root_dir : NULL
object_name : NULL
attributes : 0x00000000 (0)
sec_desc : NULL
sec_qos : *
sec_qos: struct lsa_QosInfo
len : 0x0000000c (12)
impersonation_level : 0x0002 (2)
context_mode : 0x01 (1)
effective_only : 0x00 (0)
access_mask : 0x02000000 (33554432)
0: LSA_POLICY_VIEW_LOCAL_INFORMATION
0: LSA_POLICY_VIEW_AUDIT_INFORMATION
0: LSA_POLICY_GET_PRIVATE_INFORMATION
0: LSA_POLICY_TRUST_ADMIN
0: LSA_POLICY_CREATE_ACCOUNT
0: LSA_POLICY_CREATE_SECRET
0: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000002c (44)
context_id : 0x0000 (0)
opnum : 0x0006 (6)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 12 75 96 20 33 1B 0A 40 A0 CE C9 5D .....u. ***@...]
[0010] 01 EA 3F 01 00 00 00 00 ..?.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_OpenPolicy: struct lsa_OpenPolicy
out: struct lsa_OpenPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-c95d01ea3f01
result : NT_STATUS_OK
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
in: struct lsa_QueryInfoPolicy2
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-c95d01ea3f01
level : LSA_POLICY_INFO_DNS (12)
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000016 (22)
context_id : 0x0000 (0)
opnum : 0x002e (46)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 176
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x00c0 (192)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x000000a8 (168)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=168

<redacted>

Got pdu len 192, data_len 168
rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 168 bytes.
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
out: struct lsa_QueryInfoPolicy2
info : *
info : *
info : union lsa_PolicyInformation(case 12)
dns: struct lsa_DnsDomainInfo
name: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'DOMAIN'
dns_domain: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
string : 'domain.local'
dns_forest: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
string : 'domain.local'
domain_guid : 681ea09d-d921-4581-b653-8f8b8f4eb470
sid : *
sid : S-1-5-21-<redacted>-<redacted>-<redacted>
result : NT_STATUS_OK
lsa_Close: struct lsa_Close
in: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-c95d01ea3f01
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0000 (0)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_Close: struct lsa_Close
out: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
signed SMB2 message
create_local_private_krb5_conf_for_domain: fname = /var/run/samba/smb_krb5/krb5.conf.DOMAIN, realm = domain.local, domain = DOMAIN
saf_fetch: failed to find server for "domain.local" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up domain.local#1c (sitename (null))
no entry for domain.local#1C found.
resolve_ads: Attempting to resolve KDCs for domain.local using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
internal_resolve_name: returning 1 addresses: 192.168.0.34:88
Adding 1 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain domain.local server 192.168.0.34
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.0.34:88
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
get_kdc_ip_string: Returning kdc = 192.168.0.34

create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.DOMAIN with realm DOMAIN.LOCAL KDC list = kdc = 192.168.0.34

signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-ef00-0123456789ac
if_version : 0x00000001 (1)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d3 (1238995)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 02 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
reason : union dcerpc_bind_ack_reason(case 0)
value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe samr to machine domain-controller.domain.local and bound anonymously.
samr_Connect2: struct samr_Connect2
in: struct samr_Connect2
system_name : *
system_name : 'domain-controller.domain.local'
access_mask : 0x00000030 (48)
0: SAMR_ACCESS_CONNECT_TO_SERVER
0: SAMR_ACCESS_SHUTDOWN_SERVER
0: SAMR_ACCESS_INITIALIZE_SERVER
0: SAMR_ACCESS_CREATE_DOMAIN
1: SAMR_ACCESS_ENUM_DOMAINS
1: SAMR_ACCESS_LOOKUP_DOMAIN
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000044 (68)
context_id : 0x0000 (0)
opnum : 0x0039 (57)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 96 BA 08 79 09 9E B8 43 99 31 35 E3 .......y ...C.15.
[0010] 6F DB 2D 8C 00 00 00 00 o.-.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Connect2: struct samr_Connect2
out: struct samr_Connect2
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
samr_OpenDomain: struct samr_OpenDomain
in: struct samr_OpenDomain
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
access_mask : 0x00000211 (529)
1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
0: SAMR_DOMAIN_ACCESS_SET_INFO_1
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
0: SAMR_DOMAIN_ACCESS_SET_INFO_2
1: SAMR_DOMAIN_ACCESS_CREATE_USER
0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
0: SAMR_DOMAIN_ACCESS_SET_INFO_3
sid : *
sid : S-1-5-21-<redacted>-<redacted>-<redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000034 (52)
context_id : 0x0000 (0)
opnum : 0x0007 (7)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 BB BF DA CA 50 F9 95 4B 9C 62 7E 58 ........ P..K.b~X
[0010] ED BE BA 7D 00 00 00 00 ...}....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
Creating account with desired access mask: -536543056
samr_CreateUser2: struct samr_CreateUser2
in: struct samr_CreateUser2
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
account_name : *
account_name: struct lsa_String
length : 0x001c (28)
size : 0x001c (28)
string : *
string : 'hostname$'
acct_flags : 0x00000080 (128)
0: ACB_DISABLED
0: ACB_HOMDIRREQ
0: ACB_PWNOTREQ
0: ACB_TEMPDUP
0: ACB_NORMAL
0: ACB_MNS
0: ACB_DOMTRUST
1: ACB_WSTRUST
0: ACB_SVRTRUST
0: ACB_PWNOEXP
0: ACB_AUTOLOCK
0: ACB_ENC_TXT_PWD_ALLOWED
0: ACB_SMARTCARD_REQUIRED
0: ACB_TRUSTED_FOR_DELEGATION
0: ACB_NOT_DELEGATED
0: ACB_USE_DES_KEY_ONLY
0: ACB_DONT_REQUIRE_PREAUTH
0: ACB_PW_EXPIRED
0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
0: ACB_NO_AUTH_DATA_REQD
0: ACB_PARTIAL_SECRETS_ACCOUNT
0: ACB_USE_AES_KEYS
access_mask : 0xe00500b0 (3758424240)
0: SAMR_USER_ACCESS_GET_NAME_ETC
0: SAMR_USER_ACCESS_GET_LOCALE
0: SAMR_USER_ACCESS_SET_LOC_COM
0: SAMR_USER_ACCESS_GET_LOGONINFO
1: SAMR_USER_ACCESS_GET_ATTRIBUTES
1: SAMR_USER_ACCESS_SET_ATTRIBUTES
0: SAMR_USER_ACCESS_CHANGE_PASSWORD
1: SAMR_USER_ACCESS_SET_PASSWORD
0: SAMR_USER_ACCESS_GET_GROUPS
0: SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP
0: SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000004c (76)
context_id : 0x0000 (0)
opnum : 0x0032 (50)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 40
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0038 (56)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000020 (32)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 64 06 00 00 34 00 00 C0 ........ d...4...
Got pdu len 56, data_len 32
rpc_api_pipe: got frag len of 56 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 32 bytes.
samr_CreateUser2: struct samr_CreateUser2
out: struct samr_CreateUser2
user_handle : *
user_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
access_granted : *
access_granted : 0x00000000 (0)
rid : *
rid : 0x00000664 (1636)
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
signed SMB2 message
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.local'
forest_name : 'domain.local'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-<redacted>-<redacted>-<redacted>
modified_config : 0x00 (0)
error_string : 'failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.'
domain_is_ad : 0x01 (1)
result : WERR_BADFILE
Failed to join domain: failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.
return code = -1
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
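One way to triage a `-d10` trace like the one above, as an added example that is not part of the original post or of Samba: it lists the result of every RPC reply, reports the first one that is not OK, and decodes the 32-byte samr_CreateUser2 reply stub by hand. The function names and the status table are this example's own, and the embedded excerpt is trimmed from the trace above.

```python
import re
import struct

# Excerpt trimmed from the trace in this thread (whitespace as extracted).
SAMPLE_TRACE = """\
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
domain_handle : *
result : NT_STATUS_OK
stub_and_verifier : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 64 06 00 00 34 00 00 C0 ........ d...4...
Got pdu len 56, data_len 32
samr_CreateUser2: struct samr_CreateUser2
out: struct samr_CreateUser2
rid : 0x00000664 (1636)
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
samr_Close: struct samr_Close
out: struct samr_Close
result : NT_STATUS_OK
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
result : WERR_BADFILE
"""

OK_STATUSES = {"NT_STATUS_OK", "WERR_OK"}

# A few well-known NTSTATUS values; anything else is shown as hex.
NTSTATUS_NAMES = {
    0x00000000: "NT_STATUS_OK",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC0000034: "NT_STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000063: "NT_STATUS_USER_EXISTS",
}

OUT_STRUCT = re.compile(r"^\s*out: struct (\w+)")
RESULT = re.compile(r"^\s*result\s*:\s*(\S+)")
STUB = re.compile(r"stub_and_verifier\s*:\s*DATA_BLOB length=(\d+)")
HEX_ROW = re.compile(r"^\s*\[[0-9A-Fa-f]{4}\]\s+(.*)$")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def rpc_results(trace):
    """Return [(call, status)] for every decoded 'out:' struct, in order."""
    results, current = [], None
    for line in trace.splitlines():
        m = OUT_STRUCT.match(line)
        if m:
            current = m.group(1)
            continue
        m = RESULT.match(line)
        if m and current:
            results.append((current, m.group(1)))
            current = None
    return results


def first_failure(trace):
    """Return the first (call, status) whose status is not OK, or None."""
    for call, status in rpc_results(trace):
        if status not in OK_STATUSES:
            return call, status
    return None


def stub_blobs(trace):
    """Return the bytes of every non-empty stub_and_verifier hexdump."""
    lines, blobs = trace.splitlines(), []
    for i, line in enumerate(lines):
        m = STUB.search(line)
        if not m or int(m.group(1)) == 0:
            continue
        want, data = int(m.group(1)), bytearray()
        for row in lines[i + 1:]:
            r = HEX_ROW.match(row)
            if not r or len(data) >= want:
                break
            for tok in r.group(1).split()[:16]:
                if not HEX_BYTE.fullmatch(tok):
                    break  # reached the ASCII column
                data.append(int(tok, 16))
        blobs.append(bytes(data[:want]))  # declared length wins
    return blobs


def decode_createuser2_response(stub):
    """Decode a samr_CreateUser2 reply: policy handle (20 bytes), then
    access_granted, rid and NTSTATUS as little-endian uint32 (drep 0x10)."""
    if len(stub) != 32:
        raise ValueError("expected a 32-byte stub, got %d" % len(stub))
    access_granted, rid, status = struct.unpack_from("<III", stub, 20)
    return {
        "handle_is_null": stub[:20] == bytes(20),
        "access_granted": access_granted,
        "rid": rid,
        "ntstatus": status,
        "name": NTSTATUS_NAMES.get(status, hex(status)),
    }


if __name__ == "__main__":
    for call, status in rpc_results(SAMPLE_TRACE):
        print("%-20s %s" % (call, status))
    print("first failure:", first_failure(SAMPLE_TRACE))
    print(decode_createuser2_response(stub_blobs(SAMPLE_TRACE)[0]))
```

The first non-OK reply is the call to look at; the later `WERR_BADFILE` from libnet_JoinCtx is the same failure reported one layer up.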
Russell Ault
2016-07-18 05:08:07 UTC
Hi all!

To clarify, it must have been removed from the copy-pasta, but “net ads join -U” did produce a password prompt as expected.

The dig command produced the following:

***@host:~$ dig -t SRV _ldap._tcp.domain.local

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -t SRV _ldap._tcp.domain.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35393
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.domain.local. IN SRV

;; ANSWER SECTION:
_ldap._tcp.domain.local. 600 IN SRV 0 100 389 domain-controller.domain.local.

;; ADDITIONAL SECTION:
domain-controller.domain.local. 3600 IN A 192.168.0.34

;; Query time: 0 msec
;; SERVER: 192.168.0.34#53(192.168.0.34)
;; WHEN: Sun Jul 17 23:23:47 MDT 2016
;; MSG SIZE rcvd: 107

And "kinit administrator" gave me a valid ticket according to klist.

When I ran "net ads join -k" I got the same error: "Failed to join domain: failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found." The -d10 output looks pretty much like the one I posted in my first e-mail message.

Any thoughts? Is there something in my domain that could be misconfigured? What does "The object name is not found." even mean?

Thanks!

Sincerely,

Russell Ault

From: mathias dufresne [mailto:***@gmail.com]
Sent: July 11, 2016 06:53
To: Russell Ault
Cc: ***@lists.samba.org
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The object name is not found."

I found it strange not to see a password prompt right after your "net ads join" command. As you used -U, a password should have been asked for, at least that's what I believe.
Before joining AD your Linux must be well configured. DNS and Kerberos are the first points.
DNS:
dig -t SRV _ldap._tcp.<your>.<domain>.<tld>
must work.
Kerberos:
kinit administrator
must also work.
Then once these commands worked you should have a valid Kerberos ticket (generated during kinit). You can verify Kerberos ticket status with "klist"; if you have a valid one, you can retry net ads join using Kerberos auth:
net ads join -k

            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0030 (48)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000002 (2)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000018 (24)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=24
[0000] 00 00 00 00 12 75 96 20   33 1B 0A 40 A0 CE C9 5D   .....u.  3..@...]
[0010] 01 EA 3F 01 00 00 00 00                             ..?.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
     lsa_OpenPolicy: struct lsa_OpenPolicy
        out: struct lsa_OpenPolicy
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 20967512-1b33-400a-a0ce-c95d01ea3f01
            result                   : NT_STATUS_OK
     lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
        in: struct lsa_QueryInfoPolicy2
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 20967512-1b33-400a-a0ce-c95d01ea3f01
            level                    : LSA_POLICY_INFO_DNS (12)
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000003 (3)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000016 (22)
            context_id               : 0x0000 (0)
            opnum                    : 0x002e (46)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 176
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x00c0 (192)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000003 (3)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x000000a8 (168)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=168

<redacted>

                        Got pdu len 192, data_len 168
rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 168 bytes.
     lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
        out: struct lsa_QueryInfoPolicy2
            info                     : *
                info                     : *
                    info                     : union lsa_PolicyInformation(case 12)
                    dns: struct lsa_DnsDomainInfo
                        name: struct lsa_StringLarge
                            length                   : 0x0006 (6)
                            size                     : 0x0008 (8)
                            string                   : *
                                string                   : 'DOMAIN'
                        dns_domain: struct lsa_StringLarge
                            length                   : 0x0012 (18)
                            size                     : 0x0014 (20)
                            string                   : *
                                string                   : 'domain.local'
                        dns_forest: struct lsa_StringLarge
                            length                   : 0x0012 (18)
                            size                     : 0x0014 (20)
                            string                   : *
                                string                   : 'domain.local'
                        domain_guid              : 681ea09d-d921-4581-b653-8f8b8f4eb470
                        sid                      : *
                            sid                      : S-1-5-21-<redacted>-<redacted>-<redacted>
            result                   : NT_STATUS_OK
     lsa_Close: struct lsa_Close
        in: struct lsa_Close
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 20967512-1b33-400a-a0ce-c95d01ea3f01
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000004 (4)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000014 (20)
            context_id               : 0x0000 (0)
            opnum                    : 0x0000 (0)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0030 (48)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000004 (4)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000018 (24)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00                             ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
     lsa_Close: struct lsa_Close
        out: struct lsa_Close
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 00000000-0000-0000-0000-000000000000
            result                   : NT_STATUS_OK
signed SMB2 message
create_local_private_krb5_conf_for_domain: fname = /var/run/samba/smb_krb5/krb5.conf.DOMAIN, realm = domain.local, domain = DOMAIN
saf_fetch: failed to find server for "domain.local" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up domain.local#1c (sitename (null))
no entry for domain.local#1C found.
resolve_ads: Attempting to resolve KDCs for domain.local using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
internal_resolve_name: returning 1 addresses: 192.168.0.34:88
Adding 1 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain domain.local server 192.168.0.34
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.0.34:88
     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz                      : 0x0000 (0)
        server_type              : 0x0000f3fd (62461)
               1: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               1: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               1: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
               1: NBT_SERVER_ADS_WEB_SERVICE
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid              : 681ea09d-d921-4581-b653-8f8b8f4eb470
        forest                   : 'domain.local'
        dns_domain               : 'domain.local'
        pdc_dns_name             : 'domain-controller.domain.local'
        domain_name              : 'DOMAIN'
        pdc_name                 : 'DOMAIN-CONTROLLER'
        user_name                : ''
        server_site              : 'Default-First-Site-Name'
        client_site              : 'Default-First-Site-Name'
        sockaddr_size            : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family          : 0x00000000 (0)
            pdc_ip                   : (null)
            remaining                : DATA_BLOB length=0
        next_closest_site        : NULL
        nt_version               : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token               : 0xffff (65535)
        lm20_token               : 0xffff (65535)
get_kdc_ip_string: Returning    kdc = 192.168.0.34

create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.DOMAIN with realm DOMAIN.LOCAL KDC list =     kdc = 192.168.0.34

signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0, auth_level 1
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND (11)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0048 (72)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000005 (5)
        u                        : union dcerpc_payload(case 11)
        bind: struct dcerpc_bind
            max_xmit_frag            : 0x10b8 (4280)
            max_recv_frag            : 0x10b8 (4280)
            assoc_group_id           : 0x00000000 (0)
            num_contexts             : 0x01 (1)
            ctx_list: ARRAY(1)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0000 (0)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     : 12345778-1234-abcd-ef00-0123456789ac
                        if_version               : 0x00000001 (1)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                            if_version               : 0x00000002 (2)
            auth_info                : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND_ACK (12)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0044 (68)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000005 (5)
        u                        : union dcerpc_payload(case 12)
        bind_ack: struct dcerpc_bind_ack
            max_xmit_frag            : 0x10b8 (4280)
            max_recv_frag            : 0x10b8 (4280)
            assoc_group_id           : 0x0012e7d3 (1238995)
            secondary_address_size   : 0x000c (12)
            secondary_address        : '\pipe\lsass'
            _pad1                    : DATA_BLOB length=2
[0000] 02 00                                              ..
            num_results              : 0x01 (1)
            ctx_list: ARRAY(1)
                ctx_list: struct dcerpc_ack_ctx
                    result                   : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
                    reason                   : union dcerpc_bind_ack_reason(case 0)
                    value                    : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
                    syntax: struct ndr_syntax_id
                        uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                        if_version               : 0x00000002 (2)
            auth_info                : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe samr to machine domain-controller.domain.local and bound anonymously.
     samr_Connect2: struct samr_Connect2
        in: struct samr_Connect2
            system_name              : *
                system_name              : 'domain-controller.domain.local'
            access_mask              : 0x00000030 (48)
                   0: SAMR_ACCESS_CONNECT_TO_SERVER
                   0: SAMR_ACCESS_SHUTDOWN_SERVER
                   0: SAMR_ACCESS_INITIALIZE_SERVER
                   0: SAMR_ACCESS_CREATE_DOMAIN
                   1: SAMR_ACCESS_ENUM_DOMAINS
                   1: SAMR_ACCESS_LOOKUP_DOMAIN
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000006 (6)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000044 (68)
            context_id               : 0x0000 (0)
            opnum                    : 0x0039 (57)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0030 (48)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000006 (6)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000018 (24)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=24
[0000] 00 00 00 00 96 BA 08 79   09 9E B8 43 99 31 35 E3   .......y ...C.15.
[0010] 6F DB 2D 8C 00 00 00 00                             o.-.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
     samr_Connect2: struct samr_Connect2
        out: struct samr_Connect2
            connect_handle           : *
                connect_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : <redacted>
            result                   : NT_STATUS_OK
     samr_OpenDomain: struct samr_OpenDomain
        in: struct samr_OpenDomain
            connect_handle           : *
                connect_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : <redacted>
            access_mask              : 0x00000211 (529)
                   1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
                   0: SAMR_DOMAIN_ACCESS_SET_INFO_1
                   0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
                   0: SAMR_DOMAIN_ACCESS_SET_INFO_2
                   1: SAMR_DOMAIN_ACCESS_CREATE_USER
                   0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
                   0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
                   0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
                   0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
                   1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
                   0: SAMR_DOMAIN_ACCESS_SET_INFO_3
            sid                      : *
                sid                      : S-1-5-21-<redacted>-<redacted>-<redacted>
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000007 (7)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000034 (52)
            context_id               : 0x0000 (0)
            opnum                    : 0x0007 (7)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0030 (48)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000007 (7)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000018 (24)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=24
[0000] 00 00 00 00 BB BF DA CA   50 F9 95 4B 9C 62 7E 58   ........ P..K.b~X
[0010] ED BE BA 7D 00 00 00 00                             ...}....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
     samr_OpenDomain: struct samr_OpenDomain
        out: struct samr_OpenDomain
            domain_handle            : *
                domain_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : <redacted>
            result                   : NT_STATUS_OK
Creating account with desired access mask: -536543056
     samr_CreateUser2: struct samr_CreateUser2
        in: struct samr_CreateUser2
            domain_handle            : *
                domain_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : <redacted>
            account_name             : *
                account_name: struct lsa_String
                    length                   : 0x001c (28)
                    size                     : 0x001c (28)
                    string                   : *
                        string                   : 'hostname$'
            acct_flags               : 0x00000080 (128)
                   0: ACB_DISABLED
                   0: ACB_HOMDIRREQ
                   0: ACB_PWNOTREQ
                   0: ACB_TEMPDUP
                   0: ACB_NORMAL
                   0: ACB_MNS
                   0: ACB_DOMTRUST
                   1: ACB_WSTRUST
                   0: ACB_SVRTRUST
                   0: ACB_PWNOEXP
                   0: ACB_AUTOLOCK
                   0: ACB_ENC_TXT_PWD_ALLOWED
                   0: ACB_SMARTCARD_REQUIRED
                   0: ACB_TRUSTED_FOR_DELEGATION
                   0: ACB_NOT_DELEGATED
                   0: ACB_USE_DES_KEY_ONLY
                   0: ACB_DONT_REQUIRE_PREAUTH
                   0: ACB_PW_EXPIRED
                   0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                   0: ACB_NO_AUTH_DATA_REQD
                   0: ACB_PARTIAL_SECRETS_ACCOUNT
                   0: ACB_USE_AES_KEYS
            access_mask              : 0xe00500b0 (3758424240)
                   0: SAMR_USER_ACCESS_GET_NAME_ETC
                   0: SAMR_USER_ACCESS_GET_LOCALE
                   0: SAMR_USER_ACCESS_SET_LOC_COM
                   0: SAMR_USER_ACCESS_GET_LOGONINFO
                   1: SAMR_USER_ACCESS_GET_ATTRIBUTES
                   1: SAMR_USER_ACCESS_SET_ATTRIBUTES
                   0: SAMR_USER_ACCESS_CHANGE_PASSWORD
                   1: SAMR_USER_ACCESS_SET_PASSWORD
                   0: SAMR_USER_ACCESS_GET_GROUPS
                   0: SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP
                   0: SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000008 (8)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x0000004c (76)
            context_id               : 0x0000 (0)
            opnum                    : 0x0032 (50)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 40
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0038 (56)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000008 (8)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000020 (32)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00   64 06 00 00 34 00 00 C0   ........ d...4...
Got pdu len 56, data_len 32
rpc_api_pipe: got frag len of 56 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 32 bytes.
     samr_CreateUser2: struct samr_CreateUser2
        out: struct samr_CreateUser2
            user_handle              : *
                user_handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 00000000-0000-0000-0000-000000000000
            access_granted           : *
                access_granted           : 0x00000000 (0)
            rid                      : *
                rid                      : 0x00000664 (1636)
            result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
     samr_Close: struct samr_Close
        in: struct samr_Close
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : <redacted>
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000009 (9)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000014 (20)
            context_id               : 0x0000 (0)
            opnum                    : 0x0001 (1)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0030 (48)
        auth_length              : 0x0000 (0)
        call_id                  : 0x00000009 (9)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000018 (24)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00                             ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
     samr_Close: struct samr_Close
        out: struct samr_Close
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 00000000-0000-0000-0000-000000000000
            result                   : NT_STATUS_OK
     samr_Close: struct samr_Close
        in: struct samr_Close
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : <redacted>
     &r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_REQUEST (0)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0018 (24)
        auth_length              : 0x0000 (0)
        call_id                  : 0x0000000a (10)
        u                        : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint               : 0x00000014 (20)
            context_id               : 0x0000 (0)
            opnum                    : 0x0001 (1)
            object                   : union dcerpc_object(case 0)
            empty: struct dcerpc_empty
            _pad                     : DATA_BLOB length=0
            stub_and_verifier        : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
     r: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_RESPONSE (2)
        pfc_flags                : 0x03 (3)
               1: DCERPC_PFC_FLAG_FIRST
               1: DCERPC_PFC_FLAG_LAST
               0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0030 (48)
        auth_length              : 0x0000 (0)
        call_id                  : 0x0000000a (10)
        u                        : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint               : 0x00000018 (24)
            context_id               : 0x0000 (0)
            cancel_count             : 0x00 (0)
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00                             ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
     samr_Close: struct samr_Close
        out: struct samr_Close
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 00000000-0000-0000-0000-000000000000
            result                   : NT_STATUS_OK
signed SMB2 message
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'DOMAIN'
            dns_domain_name          : 'domain.local'
            forest_name              : 'domain.local'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-<redacted>-<redacted>-<redacted>
            modified_config          : 0x00 (0)
            error_string             : 'failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_BADFILE
Failed to join domain: failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.
return code = -1

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
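One way to triage a -d10 log like the one above, added here as an example (it is not part of the original post and not Samba code): the Python script below walks the output, lists every RPC call whose result is not OK, and decodes the NTSTATUS from the last four bytes of the response stub to confirm it matches the printed name. The function name, the Finding type and the small NTSTATUS table are this example's own, the sample lines are abridged from the log above, and little-endian encoding is assumed because the log shows drep[0] = 0x10.

```python
"""Triage a `net ads join -d10` log: list RPC calls that did not return OK."""
import re
import struct
from typing import List, NamedTuple, Optional

# Small subset of NTSTATUS codes, enough for this log; extend as needed.
NTSTATUS_NAMES = {
    0x00000000: "NT_STATUS_OK",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC0000034: "NT_STATUS_OBJECT_NAME_NOT_FOUND",
}
OK_RESULTS = {"NT_STATUS_OK", "WERR_OK"}

STRUCT_RE = re.compile(r"^\s*(\w+): struct (\w+)\s*$")
BLOB_RE = re.compile(r"^\s*(\w+)\s*:\s*DATA_BLOB length=(\d+)")
HEX_RE = re.compile(r"^\[[0-9A-Fa-f]{4}\]\s+(.*)$")
RESULT_RE = re.compile(r"^\s*result\s*:\s*((?:NT_STATUS|WERR)_\w+)")
BYTE_RE = re.compile(r"[0-9A-Fa-f]{2}")

# Sample input: lines abridged from the log in the post above.
SAMPLE_LOG = """\
            _pad                     : DATA_BLOB length=1
[0000] 00                                                 .
            stub_and_verifier        : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00   64 06 00 00 34 00 00 C0   ........ d...4...
Got pdu len 56, data_len 32
     samr_CreateUser2: struct samr_CreateUser2
        out: struct samr_CreateUser2
            rid                      : *
                rid                      : 0x00000664 (1636)
            result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
            stub_and_verifier        : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00                             ........
     samr_Close: struct samr_Close
        out: struct samr_Close
            result                   : NT_STATUS_OK
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            result                   : WERR_BADFILE
"""


class Finding(NamedTuple):
    call: str                   # RPC or libnet call, e.g. samr_CreateUser2
    result: str                 # name printed on the call's "result" line
    wire_status: Optional[int]  # NTSTATUS decoded from the response stub


def failed_calls(log_text: str) -> List[Finding]:
    """Return the non-OK call results in the order they appear in the log."""
    findings = []
    call = direction = stub = None
    want, capturing = 0, False
    for line in log_text.splitlines():
        m = STRUCT_RE.match(line)
        if m:
            name, struct_name = m.groups()
            if name == struct_name:        # "samr_Close: struct samr_Close"
                call, direction = name, None
            elif name in ("in", "out"):    # "out: struct samr_Close"
                direction = name
            continue
        m = BLOB_RE.match(line)
        if m:
            # Only stub_and_verifier carries the marshalled reply.
            capturing = m.group(1) == "stub_and_verifier"
            if capturing:
                stub, want = bytearray(), int(m.group(2))
            continue
        m = HEX_RE.match(line)
        if m and capturing:
            # At most 16 bytes per row; stop at the blob length so the
            # ASCII column is never mistaken for data.
            for tok in m.group(1).split()[:16]:
                if len(stub) >= want or not BYTE_RE.fullmatch(tok):
                    break
                stub.append(int(tok, 16))
            continue
        m = RESULT_RE.match(line)
        if m and direction == "out" and call:
            wire = None
            if stub is not None and want >= 4 and len(stub) == want:
                # NDR marshals the function's return value last.
                wire = struct.unpack("<I", bytes(stub[-4:]))[0]
            stub, capturing, direction = None, False, None
            if m.group(1) not in OK_RESULTS:
                findings.append(Finding(call, m.group(1), wire))
    return findings


if __name__ == "__main__":
    for f in failed_calls(SAMPLE_LOG):
        wire = "n/a" if f.wire_status is None else "0x%08X" % f.wire_status
        print("%-18s %-34s wire=%s" % (f.call, f.result, wire))
```

The first entry is the call that actually failed on the DC; later entries such as WERR_BADFILE from libnet_JoinCtx are the same error translated on the way back up.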
L.P.H. van Belle
2016-07-18 08:25:47 UTC
I'll bet static ip, with correct resolv.conf hosts and nsswitch.conf and krb5.conf.


This must be the clue...
Post by Russell Ault
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
So the join reaches the AD but here something happens.


Russell, can you try again with debug 10 and post both logs?

net ads join -UAdministrator
and
net ads join -UAdministrator -S YOUR_ADDC.domain.tld.

Or, if I may say, mail them to Rowland.

Greetz,

Louis
Post by Russell Ault
-----Original message-----
Sent: Monday 18 July 2016 9:57
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The object name is not found."
Post by Russell Ault
Hi all!
To clarify, it must have been removed from the copy-pasta, but “net ads
join -U” did produce a password prompt as expected.
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -t SRV _ldap._tcp.domain.local
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35393
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000
;_ldap._tcp.domain.local. IN SRV
_ldap._tcp.domain.local. 600 IN SRV 0 100 389 domain-controller.domain.local.
domain-controller.domain.local. 3600 IN A 192.168.0.34
;; Query time: 0 msec
;; SERVER: 192.168.0.34#53(192.168.0.34)
;; WHEN: Sun Jul 17 23:23:47 MDT 2016
;; MSG SIZE rcvd: 107
And "kinit administrator" gave me a valid ticket according to klist.
When I ran "net ads join -k" I got the same error: "Failed to join
domain: failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is
not found." The -d10 output looks pretty much like the one I posted in my
first e-mail message.
Any thoughts? Is there something in my domain that could be
misconfigured? What does "The object name is not found." even mean?
Thanks!
Sincerely,
Russell Ault
Sent: July 11, 2016 06:53
To: Russell Ault
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The
object name is not found."
Post by Russell Ault
I found it strange not to see a password prompt right after your "net ads
join" command. As you used -U, a password should have been asked for, at
least that's what I believe.
Before joining AD your Linux must be well configured. DNS and Kerberos
are the first points.
dig -t SRV _ldap._tcp.<your>.<domain>.<tld>
must work.
kinit administrator
must also work.
Then, once these commands have worked, you should have a valid Kerberos ticket
(generated during kinit). You can verify the Kerberos ticket status with
"klist"; if you have a valid one you can retry net ads join using Kerberos:
net ads join -k
Hi all!
I'm trying to join Debian Jessie to an existing AD domain as a member
server (AD DC is Server 2012R2) to run it as a file server. I installed
acl, samba, winbind, libnss-winbind, and krb5-user using APT, and
configured /etc/samba/smb.conf according to the Samba wiki article.
failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not
found." which isn't an error message that appeared in any of my searching,
so I'm pretty stumped. I've attached my smb.conf and -d10 command output.
Any thoughts?
Thanks!
Sincerely,
Russell Ault
[global]
netbios name = HOSTNAME
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[storage]
path = /path
read only = no
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
Processing section "[global]"
doing parameter netbios name = HOSTNAME
doing parameter security = ADS
doing parameter workgroup = DOMAIN
doing parameter realm = DOMAIN.LOCAL
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config DOMAIN:backend = ad
doing parameter idmap config DOMAIN:schema_mode = rfc2307
doing parameter idmap config DOMAIN:range = 10000-99999
doing parameter winbind nss info = template
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="HOSTNAME"
added interface eth0 ip=192.168.0.37 bcast=192.168.0.255
netmask=255.255.255.0
Post by Russell Ault
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'HOSTNAME'
domain_name : *
domain_name : 'DOMAIN.LOCAL'
account_ou : NULL
admin_account : 'administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-
Site-Name"
Post by Russell Ault
dsgetdcname_internal: domain_name: DOMAIN.LOCAL, domain_guid: (null),
site_name: Default-First-Site-Name, flags: 0x40001011
Post by Russell Ault
debug_dsdcinfo_flags: 0x40001011
DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
Post by Russell Ault
dsgetdcname_rediscover
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100,
389]
Post by Russell Ault
LDAP ping to domain-controller.domain.local (192.168.0.34)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN, we already got it
sitename_store: realm = [DOMAIN], sitename = [Default-First-Site-Name],
expire = [2085923199]
Post by Russell Ault
Did not store value for AD_SITENAME/DOMAIN/DOMAIN, we already got it
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN.LOCAL, we already got
it
Post by Russell Ault
sitename_store: realm = [domain.local], sitename = [Default-First-Site-
Name], expire = [2085923199]
Post by Russell Ault
Did not store value for AD_SITENAME/DOMAIN/DOMAIN.LOCAL, we already got
it
Post by Russell Ault
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-
Site-Name"
Post by Russell Ault
internal_resolve_name: looking up domain-controller.domain.local#20
(sitename Default-First-Site-Name)
Post by Russell Ault
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and
timeout=[Wed Dec 31 05:00:00 PM 1969 MST] (-1468131016 seconds in the
past)
Post by Russell Ault
no entry for domain-controller.domain.local#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
resolve_lmhosts: Attempting lmhosts lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Post by Russell Ault
resolve_wins: WINS server resolution selected and no WINS servers
listed.
Post by Russell Ault
resolve_hosts: Attempting host lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for domain-
controller.domain.local#20: 192.168.0.34
Post by Russell Ault
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and
timeout=[Sun Jul 10 12:21:16 AM 2016 MDT] (660 seconds ahead)
Post by Russell Ault
internal_resolve_name: returning 1 addresses: 192.168.0.34:0
Connecting to 192.168.0.34 at port 445
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6
(6)
Post by Russell Ault
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1
(1)
Post by Russell Ault
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp_check_packet: NTLMSSP signature OK !
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
signed SMB2 message
signed SMB2 message
cli_init_creds: user administrator domain
signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0,
auth_level 1
Post by Russell Ault
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-
ef00-0123456789ab
Post by Russell Ault
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-
11c9-9fe8-08002b104860
Post by Russell Ault
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d2 (1238994)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 00 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
Post by Russell Ault
reason : union
dcerpc_bind_ack_reason(case 0)
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
Post by Russell Ault
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-
9fe8-08002b104860
Post by Russell Ault
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine domain-
controller.domain.local and bound anonymously.
Post by Russell Ault
lsa_OpenPolicy: struct lsa_OpenPolicy
in: struct lsa_OpenPolicy
system_name : *
system_name : 0x005c (92)
attr : *
attr: struct lsa_ObjectAttribute
len : 0x00000018 (24)
root_dir : NULL
object_name : NULL
attributes : 0x00000000 (0)
sec_desc : NULL
sec_qos : *
sec_qos: struct lsa_QosInfo
len : 0x0000000c (12)
impersonation_level : 0x0002 (2)
context_mode : 0x01 (1)
effective_only : 0x00 (0)
access_mask : 0x02000000 (33554432)
0: LSA_POLICY_VIEW_LOCAL_INFORMATION
0: LSA_POLICY_VIEW_AUDIT_INFORMATION
0: LSA_POLICY_GET_PRIVATE_INFORMATION
0: LSA_POLICY_TRUST_ADMIN
0: LSA_POLICY_CREATE_ACCOUNT
0: LSA_POLICY_CREATE_SECRET
0: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000002c (44)
context_id : 0x0000 (0)
opnum : 0x0006 (6)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 12 75 96 20 33 1B 0A 40 A0 CE C9 5D .....u.
[0010] 01 EA 3F 01 00 00 00 00 ..?.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_OpenPolicy: struct lsa_OpenPolicy
out: struct lsa_OpenPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-
c95d01ea3f01
Post by Russell Ault
result : NT_STATUS_OK
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
in: struct lsa_QueryInfoPolicy2
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-
c95d01ea3f01
Post by Russell Ault
level : LSA_POLICY_INFO_DNS (12)
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000016 (22)
context_id : 0x0000 (0)
opnum : 0x002e (46)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 176
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x00c0 (192)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x000000a8 (168)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=168
<redacted>
Got pdu len 192, data_len 168
rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 168 bytes.
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
out: struct lsa_QueryInfoPolicy2
info : *
info : *
info : union lsa_PolicyInformation(case 12)
dns: struct lsa_DnsDomainInfo
name: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'DOMAIN'
dns_domain: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
'domain.local'
dns_forest: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
'domain.local'
domain_guid : 681ea09d-d921-4581-b653-8f8b8f4eb470
sid : *
sid : S-1-5-21-<redacted>-<redacted>-<redacted>
result : NT_STATUS_OK
lsa_Close: struct lsa_Close
in: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-c95d01ea3f01
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0000 (0)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_Close: struct lsa_Close
out: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
signed SMB2 message
create_local_private_krb5_conf_for_domain: fname = /var/run/samba/smb_krb5/krb5.conf.DOMAIN, realm = domain.local, domain = DOMAIN
saf_fetch: failed to find server for "domain.local" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up domain.local#1c (sitename (null))
no entry for domain.local#1C found.
resolve_ads: Attempting to resolve KDCs for domain.local using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
internal_resolve_name: returning 1 addresses: 192.168.0.34:88
Adding 1 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain domain.local server 192.168.0.34
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.0.34:88
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
get_kdc_ip_string: Returning kdc = 192.168.0.34
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.DOMAIN with realm DOMAIN.LOCAL KDC list = kdc = 192.168.0.34
signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-ef00-0123456789ac
if_version : 0x00000001 (1)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d3 (1238995)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 02 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
reason : union dcerpc_bind_ack_reason(case 0)
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe samr to machine domain-controller.domain.local and bound anonymously.
samr_Connect2: struct samr_Connect2
in: struct samr_Connect2
system_name : *
system_name : 'domain-controller.domain.local'
access_mask : 0x00000030 (48)
0: SAMR_ACCESS_CONNECT_TO_SERVER
0: SAMR_ACCESS_SHUTDOWN_SERVER
0: SAMR_ACCESS_INITIALIZE_SERVER
0: SAMR_ACCESS_CREATE_DOMAIN
1: SAMR_ACCESS_ENUM_DOMAINS
1: SAMR_ACCESS_LOOKUP_DOMAIN
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000044 (68)
context_id : 0x0000 (0)
opnum : 0x0039 (57)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 96 BA 08 79 09 9E B8 43 99 31 35 E3 .......y ...C.15.
[0010] 6F DB 2D 8C 00 00 00 00 o.-.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Connect2: struct samr_Connect2
out: struct samr_Connect2
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
samr_OpenDomain: struct samr_OpenDomain
in: struct samr_OpenDomain
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
access_mask : 0x00000211 (529)
1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
0: SAMR_DOMAIN_ACCESS_SET_INFO_1
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
0: SAMR_DOMAIN_ACCESS_SET_INFO_2
1: SAMR_DOMAIN_ACCESS_CREATE_USER
0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
0: SAMR_DOMAIN_ACCESS_SET_INFO_3
sid : *
sid : S-1-5-21-<redacted>-<redacted>-<redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000034 (52)
context_id : 0x0000 (0)
opnum : 0x0007 (7)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 BB BF DA CA 50 F9 95 4B 9C 62 7E 58 ........ P..K.b~X
[0010] ED BE BA 7D 00 00 00 00 ...}....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
Creating account with desired access mask: -536543056
samr_CreateUser2: struct samr_CreateUser2
in: struct samr_CreateUser2
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
account_name : *
account_name: struct lsa_String
length : 0x001c (28)
size : 0x001c (28)
string : *
string : 'hostname$'
acct_flags : 0x00000080 (128)
0: ACB_DISABLED
0: ACB_HOMDIRREQ
0: ACB_PWNOTREQ
0: ACB_TEMPDUP
0: ACB_NORMAL
0: ACB_MNS
0: ACB_DOMTRUST
1: ACB_WSTRUST
0: ACB_SVRTRUST
0: ACB_PWNOEXP
0: ACB_AUTOLOCK
0: ACB_ENC_TXT_PWD_ALLOWED
0: ACB_SMARTCARD_REQUIRED
0: ACB_TRUSTED_FOR_DELEGATION
0: ACB_NOT_DELEGATED
0: ACB_USE_DES_KEY_ONLY
0: ACB_DONT_REQUIRE_PREAUTH
0: ACB_PW_EXPIRED
0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
0: ACB_NO_AUTH_DATA_REQD
0: ACB_PARTIAL_SECRETS_ACCOUNT
0: ACB_USE_AES_KEYS
access_mask : 0xe00500b0 (3758424240)
0: SAMR_USER_ACCESS_GET_NAME_ETC
0: SAMR_USER_ACCESS_GET_LOCALE
0: SAMR_USER_ACCESS_SET_LOC_COM
0: SAMR_USER_ACCESS_GET_LOGONINFO
1: SAMR_USER_ACCESS_GET_ATTRIBUTES
1: SAMR_USER_ACCESS_SET_ATTRIBUTES
0: SAMR_USER_ACCESS_CHANGE_PASSWORD
1: SAMR_USER_ACCESS_SET_PASSWORD
0: SAMR_USER_ACCESS_GET_GROUPS
0: SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP
0: SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000004c (76)
context_id : 0x0000 (0)
opnum : 0x0032 (50)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 40
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0038 (56)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000020 (32)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 64 06 00 00 34 00 00 C0 ........ d...4...
Got pdu len 56, data_len 32
rpc_api_pipe: got frag len of 56 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 32 bytes.
samr_CreateUser2: struct samr_CreateUser2
out: struct samr_CreateUser2
user_handle : *
user_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
access_granted : *
access_granted : 0x00000000 (0)
rid : *
rid : 0x00000664 (1636)
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
signed SMB2 message
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.local'
forest_name : 'domain.local'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-<redacted>-<redacted>-<redacted>
modified_config : 0x00 (0)
error_string : 'failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.'
domain_is_ad : 0x01 (1)
result : WERR_BADFILE
The object name is not found.
return code = -1
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Have you set up /etc/krb5.conf and if so, what does it contain?
Does your /etc/resolv.conf point at the DC?
Rowland
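One way to triage `net ads join -d10` output like the log in this thread, as an added example that is not part of the thread or of Samba: it pairs each RPC call with its `result :` line and cross-checks the printed status against the NTSTATUS in the last four bytes of the reply stub (little-endian, per drep 0x10), which shows whether the DC itself returned the error. The function names, the three-entry status table and the excerpt are constructed for illustration; the byte values are copied from the samr_OpenDomain and samr_CreateUser2 replies in the log.

```python
import re
import struct

# Constructed excerpt in the shape of the -d10 output in this thread
# (hexdump bytes copied from the samr_OpenDomain / samr_CreateUser2 replies).
SAMPLE_LOG = """\
samr_OpenDomain: struct samr_OpenDomain
in: struct samr_OpenDomain
access_mask : 0x00000211 (529)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 BB BF DA CA 50 F9 95 4B 9C 62 7E 58 ........ P..K.b~X
[0010] ED BE BA 7D 00 00 00 00 ...}....
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
result : NT_STATUS_OK
samr_CreateUser2: struct samr_CreateUser2
in: struct samr_CreateUser2
stub_and_verifier : DATA_BLOB length=0
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 64 06 00 00 34 00 00 C0 ........ d...4...
samr_CreateUser2: struct samr_CreateUser2
out: struct samr_CreateUser2
rid : 0x00000664 (1636)
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# Small illustrative table; extend it as needed.
KNOWN_STATUS = {
    "NT_STATUS_OK": 0x00000000,
    "NT_STATUS_ACCESS_DENIED": 0xC0000022,
    "NT_STATUS_OBJECT_NAME_NOT_FOUND": 0xC0000034,
}

CALL_RE = re.compile(r"^\s*(\w+): struct \1\s*$")   # e.g. "samr_Close: struct samr_Close"
BLOB_RE = re.compile(r"stub_and_verifier\s*:\s*DATA_BLOB length=(\d+)")
HEX_RE = re.compile(r"^\s*\[[0-9A-Fa-f]{4}\]\s+(.*)$")
RESULT_RE = re.compile(r"^\s*result\s*:\s*(\w+)")
BYTE_RE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_rpc_results(log_text):
    """Return one dict per RPC reply: call name, printed result, wire status."""
    calls, current, stub, want = [], None, bytearray(), 0
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = BLOB_RE.search(line)
        if m:  # a new stub starts; its declared length bounds the hexdump
            want, stub = int(m.group(1)), bytearray()
            continue
        m = HEX_RE.match(line)
        if m and len(stub) < want:
            # Take at most 16 bytes per row and never more than declared,
            # so the ASCII column is not mistaken for data.
            for tok in m.group(1).split()[: min(16, want - len(stub))]:
                if not BYTE_RE.fullmatch(tok):
                    break
                stub.append(int(tok, 16))
            continue
        m = RESULT_RE.match(line)
        if m and current:
            # NDR marshals the call's return value last in the reply stub.
            wire = struct.unpack("<I", bytes(stub[-4:]))[0] if len(stub) >= 4 else None
            calls.append({"call": current, "result": m.group(1), "wire_status": wire})
            stub, want = bytearray(), 0
    return calls


def first_failure(calls):
    """First reply whose result is not OK, flagged if the DC sent that status."""
    for c in calls:
        if c["result"] not in ("NT_STATUS_OK", "WERR_OK"):
            expected = KNOWN_STATUS.get(c["result"])
            out = dict(c)
            out["from_server"] = c["wire_status"] is not None and c["wire_status"] == expected
            return out
    return None


if __name__ == "__main__":
    failure = first_failure(parse_rpc_results(SAMPLE_LOG))
    print("%s -> %s (wire 0x%08X, from DC: %s)" % (
        failure["call"], failure["result"], failure["wire_status"], failure["from_server"]))
```
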
Russell Ault
2016-07-19 05:04:34 UTC
Hi all!

I had originally been using a DHCP-assigned address. I have now switched to a static IP, but that didn't solve the problem (same error message).

I'm attaching my resolv.conf, nsswitch.conf and krb5.conf files. I have not manually altered either of them, although krb5.conf appears to have been updated by some tool somewhere along the way because my domain is listed as the default_realm. The output of "net ads join -UAdministrator -d10" was attached to my first e-mail (and at over 1000 lines long I don't want to litter people's inboxes with a second copy, to say nothing of the time it takes to sanitize that much output) and the output of the "-S domain-controller.domain.local" version of the command produces an apparently identical output, so I haven't included it either.

***@host:~# cat /etc/resolv.conf
domain my-domain.local
search my-domain.local
nameserver 192.168.0.34

***@host:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat
group: compat
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


***@host:~# cat /etc/krb5.conf
[libdefaults]
default_realm = MY-DOMAIN.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}

[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA

[login]
krb4_convert = true
krb4_get_tickets = false


I agree that the join is reaching AD before failing, which is why I'm beginning to suspect that there's a configuration issue with the domain itself that is preventing the Samba join, but if there is such a problem, it hasn't caused any issues when joining Windows clients. Are there certain specific configuration requirements of a Windows Server-based AD that are required to join a Samba client? I've already given all my users (including the administrator user I'm using to try the net ads join command with) RFC2307 UID and GID numbers. Is there anything else I have to do?

Thanks!

Sincerely,

Russell Ault

-----Original Message-----
From: samba [mailto:samba-***@lists.samba.org] On Behalf Of L.P.H. van Belle
Sent: July 18, 2016 02:26
To: ***@lists.samba.org
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The object name is not found."

I'll bet static ip, with correct resolv.conf hosts and nsswitch.conf and krb5.conf.


This must be the clue...
Post by Russell Ault
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
So the join reaches the AD but here something happens.


Russell, can you try again with debug 10 and post both logs.

net ads join -UAdministrator
and
net ads join -UAdministrator -S YOUR_ADDC.domain.tld.

Or, if I may say, mail them to Rowland.

Greetz,

Louis
Post by Russell Ault
-----Original message-----
Sent: Monday 18 July 2016 9:57
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The object name is not found."
Post by Russell Ault
Hi all!
To clarify, it must have been removed from the copy-pasta, but “net ads
join -U” did produce a password prompt as expected.
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -t SRV _ldap._tcp.domain.local
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35393
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000
;_ldap._tcp.domain.local. IN SRV
_ldap._tcp.domain.local. 600 IN SRV 0 100 389 domain-controller.domain.local.
domain-controller.domain.local. 3600 IN A 192.168.0.34
;; Query time: 0 msec
;; SERVER: 192.168.0.34#53(192.168.0.34)
;; WHEN: Sun Jul 17 23:23:47 MDT 2016
;; MSG SIZE rcvd: 107
And "kinit administrator" gave me a valid ticket according to klist.
When I ran "net ads join -k" I got the same error: "Failed to join
domain: failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is
not found." The -d10 output looks pretty much like the one I posted in my
first e-mail message.
Any thoughts? Is there something in my domain that could be
misconfigured? What does "The object name is not found." even mean?
Thanks!
Sincerely,
Russell Ault
Sent: July 11, 2016 06:53
To: Russell Ault
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The
object name is not found."
Post by Russell Ault
I found it strange not to see a password prompt right after your "net ads
join" command. As you used -U, a password should have been asked for, at
least that's what I believe.
Before joining AD your Linux must be well configured. DNS and Kerberos
are the first points.
dig -t SRV _ldap._tcp.<your>.<domain>.<tld>
must work.
kinit administrator
must also work.
Then once these commands have worked you should have a valid Kerberos ticket
(generated during kinit). You can verify the Kerberos ticket status with
"klist"; if you have a valid one you can retry net ads join using Kerberos:
net ads join -k
Hi all!
I'm trying to join Debian Jessie to an existing AD domain as a member
server (AD DC is Server 2012R2) to run it as a file server. I installed
acl, samba, winbind, libnss-winbind, and krb5-user using APT, and
configured /etc/samba/smb.conf according to the Samba wiki article.
The error the join command is producing is " Failed to join domain:
failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not
found." which isn't an error message that appeared in any of my searching,
so I'm pretty stumped. I've attached my smb.conf and -d10 command output.
Any thoughts?
Thanks!
Sincerely,
Russell Ault
[global]
netbios name = HOSTNAME
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[storage]
path = /path
read only = no
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
Processing section "[global]"
doing parameter netbios name = HOSTNAME
doing parameter security = ADS
doing parameter workgroup = DOMAIN
doing parameter realm = DOMAIN.LOCAL
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config DOMAIN:backend = ad
doing parameter idmap config DOMAIN:schema_mode = rfc2307
doing parameter idmap config DOMAIN:range = 10000-99999
doing parameter winbind nss info = template
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="HOSTNAME"
added interface eth0 ip=192.168.0.37 bcast=192.168.0.255
netmask=255.255.255.0
Post by Russell Ault
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'HOSTNAME'
domain_name : *
domain_name : 'DOMAIN.LOCAL'
account_ou : NULL
admin_account : 'administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-
Site-Name"
Post by Russell Ault
dsgetdcname_internal: domain_name: DOMAIN.LOCAL, domain_guid: (null),
site_name: Default-First-Site-Name, flags: 0x40001011
Post by Russell Ault
debug_dsdcinfo_flags: 0x40001011
DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
Post by Russell Ault
dsgetdcname_rediscover
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100,
389]
Post by Russell Ault
LDAP ping to domain-controller.domain.local (192.168.0.34)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN, we already got it
sitename_store: realm = [DOMAIN], sitename = [Default-First-Site-Name],
expire = [2085923199]
Post by Russell Ault
Did not store value for AD_SITENAME/DOMAIN/DOMAIN, we already got it
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN.LOCAL, we already got
it
Post by Russell Ault
sitename_store: realm = [domain.local], sitename = [Default-First-Site-
Name], expire = [2085923199]
Post by Russell Ault
Did not store value for AD_SITENAME/DOMAIN/DOMAIN.LOCAL, we already got
it
Post by Russell Ault
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-
Site-Name"
Post by Russell Ault
internal_resolve_name: looking up domain-controller.domain.local#20
(sitename Default-First-Site-Name)
Post by Russell Ault
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and
timeout=[Wed Dec 31 05:00:00 PM 1969 MST] (-1468131016 seconds in the
past)
Post by Russell Ault
no entry for domain-controller.domain.local#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
resolve_lmhosts: Attempting lmhosts lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Post by Russell Ault
resolve_wins: WINS server resolution selected and no WINS servers
listed.
Post by Russell Ault
resolve_hosts: Attempting host lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for domain-
controller.domain.local#20: 192.168.0.34
Post by Russell Ault
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and
timeout=[Sun Jul 10 12:21:16 AM 2016 MDT] (660 seconds ahead)
Post by Russell Ault
internal_resolve_name: returning 1 addresses: 192.168.0.34:0
Connecting to 192.168.0.34 at port 445
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6
(6)
Post by Russell Ault
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1
(1)
Post by Russell Ault
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp_check_packet: NTLMSSP signature OK !
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
signed SMB2 message
signed SMB2 message
cli_init_creds: user administrator domain
signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0,
auth_level 1
Post by Russell Ault
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-
ef00-0123456789ab
Post by Russell Ault
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-
11c9-9fe8-08002b104860
Post by Russell Ault
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d2 (1238994)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 00 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
Post by Russell Ault
reason : union
dcerpc_bind_ack_reason(case 0)
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
Post by Russell Ault
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-
9fe8-08002b104860
Post by Russell Ault
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine domain-
controller.domain.local and bound anonymously.
Post by Russell Ault
lsa_OpenPolicy: struct lsa_OpenPolicy
in: struct lsa_OpenPolicy
system_name : *
system_name : 0x005c (92)
attr : *
attr: struct lsa_ObjectAttribute
len : 0x00000018 (24)
root_dir : NULL
object_name : NULL
attributes : 0x00000000 (0)
sec_desc : NULL
sec_qos : *
sec_qos: struct lsa_QosInfo
len : 0x0000000c (12)
impersonation_level : 0x0002 (2)
context_mode : 0x01 (1)
effective_only : 0x00 (0)
access_mask : 0x02000000 (33554432)
0: LSA_POLICY_VIEW_LOCAL_INFORMATION
0: LSA_POLICY_VIEW_AUDIT_INFORMATION
0: LSA_POLICY_GET_PRIVATE_INFORMATION
0: LSA_POLICY_TRUST_ADMIN
0: LSA_POLICY_CREATE_ACCOUNT
0: LSA_POLICY_CREATE_SECRET
0: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000002c (44)
context_id : 0x0000 (0)
opnum : 0x0006 (6)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 12 75 96 20 33 1B 0A 40 A0 CE C9 5D .....u.
[0010] 01 EA 3F 01 00 00 00 00 ..?.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_OpenPolicy: struct lsa_OpenPolicy
out: struct lsa_OpenPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-
c95d01ea3f01
Post by Russell Ault
result : NT_STATUS_OK
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
in: struct lsa_QueryInfoPolicy2
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-
c95d01ea3f01
Post by Russell Ault
level : LSA_POLICY_INFO_DNS (12)
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000016 (22)
context_id : 0x0000 (0)
opnum : 0x002e (46)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 176
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x00c0 (192)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x000000a8 (168)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=168
<redacted>
Got pdu len 192, data_len 168
rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 168 bytes.
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
out: struct lsa_QueryInfoPolicy2
info : *
info : *
info : union
lsa_PolicyInformation(case 12)
Post by Russell Ault
dns: struct lsa_DnsDomainInfo
name: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'DOMAIN'
dns_domain: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
'domain.local'
Post by Russell Ault
dns_forest: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
'domain.local'
Post by Russell Ault
domain_guid : 681ea09d-d921-4581-
b653-8f8b8f4eb470
Post by Russell Ault
sid : *
sid : S-1-5-21-
<redacted>-<redacted>-<redacted>
Post by Russell Ault
result : NT_STATUS_OK
lsa_Close: struct lsa_Close
in: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-
c95d01ea3f01
Post by Russell Ault
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0000 (0)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........
........
Post by Russell Ault
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_Close: struct lsa_Close
out: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-
000000000000
Post by Russell Ault
result : NT_STATUS_OK
signed SMB2 message
create_local_private_krb5_conf_for_domain: fname =
/var/run/samba/smb_krb5/krb5.conf.DOMAIN, realm = domain.local, domain =
DOMAIN
Post by Russell Ault
saf_fetch: failed to find server for "domain.local" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up domain.local#1c (sitename (null))
no entry for domain.local#1C found.
resolve_ads: Attempting to resolve KDCs for domain.local using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
internal_resolve_name: returning 1 addresses: 192.168.0.34:88
Adding 1 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain domain.local
server 192.168.0.34
Post by Russell Ault
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.0.34:88
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
get_kdc_ip_string: Returning kdc = 192.168.0.34
create_local_private_krb5_conf_for_domain: wrote file
/var/run/samba/smb_krb5/krb5.conf.DOMAIN with realm DOMAIN.LOCAL KDC list
= kdc = 192.168.0.34
Post by Russell Ault
signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0,
auth_level 1
Post by Russell Ault
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-
ef00-0123456789ac
Post by Russell Ault
if_version : 0x00000001 (1)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-
11c9-9fe8-08002b104860
Post by Russell Ault
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d3 (1238995)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 02 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
Post by Russell Ault
reason : union
dcerpc_bind_ack_reason(case 0)
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
Post by Russell Ault
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-
9fe8-08002b104860
Post by Russell Ault
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe samr to machine domain-
controller.domain.local and bound anonymously.
Post by Russell Ault
samr_Connect2: struct samr_Connect2
in: struct samr_Connect2
system_name : *
system_name : 'domain-
controller.domain.local'
Post by Russell Ault
access_mask : 0x00000030 (48)
0: SAMR_ACCESS_CONNECT_TO_SERVER
0: SAMR_ACCESS_SHUTDOWN_SERVER
0: SAMR_ACCESS_INITIALIZE_SERVER
0: SAMR_ACCESS_CREATE_DOMAIN
1: SAMR_ACCESS_ENUM_DOMAINS
1: SAMR_ACCESS_LOOKUP_DOMAIN
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000044 (68)
context_id : 0x0000 (0)
opnum : 0x0039 (57)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 96 BA 08 79 09 9E B8 43 99 31 35 E3 .......y
...C.15.
Post by Russell Ault
[0010] 6F DB 2D 8C 00 00 00 00 o.-.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Connect2: struct samr_Connect2
out: struct samr_Connect2
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
samr_OpenDomain: struct samr_OpenDomain
in: struct samr_OpenDomain
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
access_mask : 0x00000211 (529)
1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
0: SAMR_DOMAIN_ACCESS_SET_INFO_1
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
0: SAMR_DOMAIN_ACCESS_SET_INFO_2
1: SAMR_DOMAIN_ACCESS_CREATE_USER
0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
0: SAMR_DOMAIN_ACCESS_SET_INFO_3
sid : *
sid : S-1-5-21-<redacted>-
<redacted>-<redacted>
Post by Russell Ault
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000034 (52)
context_id : 0x0000 (0)
opnum : 0x0007 (7)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 BB BF DA CA 50 F9 95 4B 9C 62 7E 58 ........ P..K.b~X
[0010] ED BE BA 7D 00 00 00 00 ...}....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
Creating account with desired access mask: -536543056
samr_CreateUser2: struct samr_CreateUser2
in: struct samr_CreateUser2
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
account_name : *
account_name: struct lsa_String
length : 0x001c (28)
size : 0x001c (28)
string : *
string : 'hostname$'
acct_flags : 0x00000080 (128)
0: ACB_DISABLED
0: ACB_HOMDIRREQ
0: ACB_PWNOTREQ
0: ACB_TEMPDUP
0: ACB_NORMAL
0: ACB_MNS
0: ACB_DOMTRUST
1: ACB_WSTRUST
0: ACB_SVRTRUST
0: ACB_PWNOEXP
0: ACB_AUTOLOCK
0: ACB_ENC_TXT_PWD_ALLOWED
0: ACB_SMARTCARD_REQUIRED
0: ACB_TRUSTED_FOR_DELEGATION
0: ACB_NOT_DELEGATED
0: ACB_USE_DES_KEY_ONLY
0: ACB_DONT_REQUIRE_PREAUTH
0: ACB_PW_EXPIRED
0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
0: ACB_NO_AUTH_DATA_REQD
0: ACB_PARTIAL_SECRETS_ACCOUNT
0: ACB_USE_AES_KEYS
access_mask : 0xe00500b0 (3758424240)
0: SAMR_USER_ACCESS_GET_NAME_ETC
0: SAMR_USER_ACCESS_GET_LOCALE
0: SAMR_USER_ACCESS_SET_LOC_COM
0: SAMR_USER_ACCESS_GET_LOGONINFO
1: SAMR_USER_ACCESS_GET_ATTRIBUTES
1: SAMR_USER_ACCESS_SET_ATTRIBUTES
0: SAMR_USER_ACCESS_CHANGE_PASSWORD
1: SAMR_USER_ACCESS_SET_PASSWORD
0: SAMR_USER_ACCESS_GET_GROUPS
0: SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP
0: SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000004c (76)
context_id : 0x0000 (0)
opnum : 0x0032 (50)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 40
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0038 (56)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000020 (32)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 64 06 00 00 34 00 00 C0 ........ d...4...
Got pdu len 56, data_len 32
rpc_api_pipe: got frag len of 56 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 32 bytes.
samr_CreateUser2: struct samr_CreateUser2
out: struct samr_CreateUser2
user_handle : *
user_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
access_granted : *
access_granted : 0x00000000 (0)
rid : *
rid : 0x00000664 (1636)
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
signed SMB2 message
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.local'
forest_name : 'domain.local'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-<redacted>-<redacted>-<redacted>
modified_config : 0x00 (0)
error_string : 'failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.'
domain_is_ad : 0x01 (1)
result : WERR_BADFILE
The object name is not found.
return code = -1
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Have you set up /etc/krb5.conf and if so, what does it contain ?
Does your /etc/resolv.conf point at the DC ?
Rowland
Russell Ault
2016-07-19 20:27:39 UTC
Hi all!

I just wanted to report that I have successfully joined the computer to the domain. I want to provide an explanation of what happened in case some future person runs into the same problem.

I noticed that the libnet_join output section of the net ads join log (which is to say, the last few lines) had the "dn" section listed as "NULL". Since "dn" should be the LDAP container for the new computer, a NULL here would reasonably be expected to cause a "the object name is not found" error.

I then remembered that I had configured the domain to redirect newly-joined computers into a specific LDAP OU using the redircmp command (see https://support.microsoft.com/en-us/kb/324949/ for more information). As a troubleshooting step I undid this using the same command. I then ran the net ads join command again and it succeeded immediately.

TL;DR: Redirecting CN=Computers to a specified OU caused Samba to produce a NULL dn which caused the join to fail. Given that this is a fully supported option in a Windows Domain environment (and has never prevented a Windows client from joining the domain), this is probably a bug, and I will look into filing a report for it.

Thank you all for your help!

Sincerely,

Russell Ault
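
The triage described in the message above, as an added example that is not part of the original thread or of Samba: it pulls every non-OK RPC result and the libnet_JoinCtx "out" fields from a saved -d10 log, then checks whether the domain's default computer container has been redirected. The function names, both samples, and the use of the domain root's wellKnownObjects attribute (which is what redircmp changes) are assumptions added here.

```python
import re

# Constructed excerpt in the shape of the -d10 output posted in this thread.
SAMPLE_LOG = """\
samr_OpenDomain: struct samr_OpenDomain
    out: struct samr_OpenDomain
        result                   : NT_STATUS_OK
Creating account with desired access mask: -536543056
samr_CreateUser2: struct samr_CreateUser2
    in: struct samr_CreateUser2
        account_name: struct lsa_String
            string               : 'hostname$'
    out: struct samr_CreateUser2
        rid                      : 0x00000664 (1636)
        result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        dn                       : NULL
        domain_is_ad             : 0x01 (1)
        result                   : WERR_BADFILE
"""

# Constructed wellKnownObjects values. On a real domain they could be read with e.g.
#   ldapsearch -Y GSSAPI -H ldap://domain-controller.domain.local \
#       -s base -b "DC=domain,DC=local" wellKnownObjects
SAMPLE_WKO = [
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=domain,DC=local",
    "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Workstations,DC=domain,DC=local",
]

# Well-known GUID that identifies the default Computers container.
COMPUTERS_GUID = "AA312825768811D1ADED00C04FD8D5CD"

CALL_RE = re.compile(r"^(\w+): struct (\w+)$")    # "samr_Close: struct samr_Close"
DIR_RE = re.compile(r"^(in|out): struct \w+$")    # "out: struct samr_Close"
FIELD_RE = re.compile(r"^(\w+)\s+:\s+(.*)$")      # "result : NT_STATUS_OK"
OK_VALUES = {"NT_STATUS_OK", "WERR_OK"}


def triage(log_text):
    """Return (failures, join_out) from a net ads join -d10 log.

    failures is a list of (call, status) for every "out" result that is not OK;
    join_out holds the fields of the libnet_JoinCtx "out" struct.
    """
    call = direction = None
    failures, join_out = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m and m.group(1) == m.group(2):   # top-level call header
            call, direction = m.group(1), None
            continue
        m = DIR_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if not m or direction != "out":
            continue
        name, value = m.groups()
        if call == "libnet_JoinCtx":
            join_out[name] = value
        if name == "result" and value not in OK_VALUES:
            failures.append((call, value))
    return failures, join_out


def computers_target(well_known_objects, base_dn):
    """Return (dn, redirected) for the default computer container."""
    default_dn = f"CN=Computers,{base_dn}".lower()
    for value in well_known_objects:
        parts = value.split(":", 3)          # B:32:<guid>:<dn>
        if len(parts) == 4 and parts[2].upper() == COMPUTERS_GUID:
            return parts[3], parts[3].lower() != default_dn
    return None, False


def diagnose(log_text, well_known_objects, base_dn):
    """Collect the signals discussed in the thread into a list of findings."""
    failures, join_out = triage(log_text)
    findings = [f"{call} -> {status}" for call, status in failures]
    if join_out.get("dn") == "NULL":
        findings.append("libnet_JoinCtx out: dn is NULL")
    target, redirected = computers_target(well_known_objects, base_dn)
    if redirected:
        findings.append(f"default computer container redirected to {target}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_WKO, "DC=domain,DC=local"):
        print(finding)
```

A redirected container on its own is a supported configuration; the finding only matters when it appears together with the failed samr_CreateUser2 call and the NULL dn, as it did here.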

-----Original Message-----
From: samba [mailto:samba-***@lists.samba.org] On Behalf Of Russell Ault
Sent: July 18, 2016 23:05
To: ***@lists.samba.org
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The object name is not found."

Hi all!

I had originally been using a DHCP-assigned address. I have now switched to a static IP, but that didn't solve the problem (same error message).

I'm attaching my resolv.conf, nsswitch.conf and krb5.conf files. I have not manually altered either of them, although krb5.conf appears to have been updated by some tool somewhere along the way because my domain is listed as the default_realm. The output of "net ads join -UAdministrator -d10" was attached to my first e-mail (and at over 1000 lines long I don't want to litter people's inboxes with a second copy, to say nothing of the time it takes to sanitize that much output) and the output of the "-S domain-controller.domain.local" version of the command produces an apparently identical output, so I haven't included it either.

***@host:~# cat /etc/resolv.conf
domain my-domain.local
search my-domain.local
nameserver 192.168.0.34

***@host:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat
group: compat
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


***@host:~# cat /etc/krb5.conf
[libdefaults]
default_realm = MY-DOMAIN.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}

[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA

[login]
krb4_convert = true
krb4_get_tickets = false


I agree that the join is reaching AD before failing, which is why I'm beginning to suspect that there's a configuration issue with the domain itself that is preventing the Samba join, but if there is such a problem, it hasn't caused any issues when joining Windows clients. Are there certain specific configuration requirements of a Windows Server-based AD that are required to join a Samba client? I've already given all my users (including the administrator user I'm using to try the net ads join command with) RFC2307 UID and GID numbers. Is there anything else I have to do?

Thanks!

Sincerely,

Russell Ault

-----Original Message-----
From: samba [mailto:samba-***@lists.samba.org] On Behalf Of L.P.H. van Belle
Sent: July 18, 2016 02:26
To: ***@lists.samba.org
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The object name is not found."

I'll bet static ip, with correct resolv.conf hosts and nsswitch.conf and krb5.conf.


This must be the clue...
Post by Russell Ault
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
So the join reaches the AD but here something happens.


Russell, can you try again with debug 10 and post both logs.

net ads join -UAdministrator
and
net ads join -UAdministrator -S YOUR_ADDC.domain.tld.

Or if I may say, mail them to Rowland.

Greetz,

Louis
Post by Russell Ault
-----Original message-----
Sent: Monday 18 July 2016 9:57
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The object name is not found."
Hi all!
To clarify, it must have been removed from the copy-pasta, but “net ads join -U” did produce a password prompt as expected.
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -t SRV _ldap._tcp.domain.local
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35393
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000
;_ldap._tcp.domain.local. IN SRV
_ldap._tcp.domain.local. 600 IN SRV 0 100 389 domain-controller.domain.local.
domain-controller.domain.local. 3600 IN A 192.168.0.34
;; Query time: 0 msec
;; SERVER: 192.168.0.34#53(192.168.0.34)
;; WHEN: Sun Jul 17 23:23:47 MDT 2016
;; MSG SIZE rcvd: 107
And "kinit administrator" gave me a valid ticket according to klist.
When I ran "net ads join -k" I got the same error: "Failed to join domain: failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found." The -d10 output looks pretty much like the one I posted in my first e-mail message.
Any thoughts? Is there something in my domain that could be misconfigured? What does "The object name is not found." even mean?
Thanks!
Sincerely,
Russell Ault
Sent: July 11, 2016 06:53
To: Russell Ault
Subject: Re: [Samba] Debian Jessie joining AD as member fails with "The
object name is not found."
I found it strange not to see a password prompt right after your "net ads join" command. As you used -U, a password should have been asked for, at least that's what I believe.
Before joining AD your Linux must be well configured. DNS and Kerberos are the first points.
dig -t SRV _ldap._tcp.<your>.<domain>.<tld>
must work.
kinit administrator
must also work.
Then once these commands have worked you should have a valid Kerberos ticket (generated during kinit). You can verify the Kerberos ticket status with "klist"; if you have a valid one you can retry net ads join using Kerberos:
net ads join -k
Hi all!
I'm trying to join Debian Jessie to an existing AD domain as a member
server (AD DC is Server 2012R2) to run it as a file server. I installed
acl, samba, winbind, libnss-winbind, and krb5-user using APT, and
configured /etc/samba/smb.conf according to the Samba wiki article.
failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not
found." which isn't an error message that appeared in any of my searching,
so I'm pretty stumped. I've attached my smb.conf and -d10 command output.
Any thoughts?
Thanks!
Sincerely,
Russell Ault
[global]
netbios name = HOSTNAME
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[storage]
path = /path
read only = no
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
Processing section "[global]"
doing parameter netbios name = HOSTNAME
doing parameter security = ADS
doing parameter workgroup = DOMAIN
doing parameter realm = DOMAIN.LOCAL
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config DOMAIN:backend = ad
doing parameter idmap config DOMAIN:schema_mode = rfc2307
doing parameter idmap config DOMAIN:range = 10000-99999
doing parameter winbind nss info = template
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="HOSTNAME"
added interface eth0 ip=192.168.0.37 bcast=192.168.0.255
netmask=255.255.255.0
Post by Russell Ault
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'HOSTNAME'
domain_name : *
domain_name : 'DOMAIN.LOCAL'
account_ou : NULL
admin_account : 'administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-
Site-Name"
Post by Russell Ault
dsgetdcname_internal: domain_name: DOMAIN.LOCAL, domain_guid: (null),
site_name: Default-First-Site-Name, flags: 0x40001011
Post by Russell Ault
debug_dsdcinfo_flags: 0x40001011
DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
Post by Russell Ault
dsgetdcname_rediscover
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100,
389]
Post by Russell Ault
LDAP ping to domain-controller.domain.local (192.168.0.34)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN, we already got it
sitename_store: realm = [DOMAIN], sitename = [Default-First-Site-Name],
expire = [2085923199]
Post by Russell Ault
Did not store value for AD_SITENAME/DOMAIN/DOMAIN, we already got it
Did not store value for DSGETDCNAME/DOMAIN/DOMAIN.LOCAL, we already got
it
Post by Russell Ault
sitename_store: realm = [domain.local], sitename = [Default-First-Site-
Name], expire = [2085923199]
Post by Russell Ault
Did not store value for AD_SITENAME/DOMAIN/DOMAIN.LOCAL, we already got
it
Post by Russell Ault
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-
Site-Name"
Post by Russell Ault
internal_resolve_name: looking up domain-controller.domain.local#20
(sitename Default-First-Site-Name)
Post by Russell Ault
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and
timeout=[Wed Dec 31 05:00:00 PM 1969 MST] (-1468131016 seconds in the
past)
Post by Russell Ault
no entry for domain-controller.domain.local#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
resolve_lmhosts: Attempting lmhosts lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Post by Russell Ault
resolve_wins: WINS server resolution selected and no WINS servers
listed.
Post by Russell Ault
resolve_hosts: Attempting host lookup for name domain-
controller.domain.local<0x20>
Post by Russell Ault
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for domain-
controller.domain.local#20: 192.168.0.34
Post by Russell Ault
Adding cache entry with key=[NBT/DOMAIN-CONTROLLER.DOMAIN.LOCAL#20] and
timeout=[Sun Jul 10 12:21:16 AM 2016 MDT] (660 seconds ahead)
Post by Russell Ault
internal_resolve_name: returning 1 addresses: 192.168.0.34:0
Connecting to 192.168.0.34 at port 445
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6
(6)
Post by Russell Ault
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1
(1)
Post by Russell Ault
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp_check_packet: NTLMSSP signature OK !
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
signed SMB2 message
signed SMB2 message
cli_init_creds: user administrator domain
signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-ef00-0123456789ab
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d2 (1238994)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 00 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
reason : union dcerpc_bind_ack_reason(case 0)
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine domain-controller.domain.local and bound anonymously.
lsa_OpenPolicy: struct lsa_OpenPolicy
in: struct lsa_OpenPolicy
system_name : *
system_name : 0x005c (92)
attr : *
attr: struct lsa_ObjectAttribute
len : 0x00000018 (24)
root_dir : NULL
object_name : NULL
attributes : 0x00000000 (0)
sec_desc : NULL
sec_qos : *
sec_qos: struct lsa_QosInfo
len : 0x0000000c (12)
impersonation_level : 0x0002 (2)
context_mode : 0x01 (1)
effective_only : 0x00 (0)
access_mask : 0x02000000 (33554432)
0: LSA_POLICY_VIEW_LOCAL_INFORMATION
0: LSA_POLICY_VIEW_AUDIT_INFORMATION
0: LSA_POLICY_GET_PRIVATE_INFORMATION
0: LSA_POLICY_TRUST_ADMIN
0: LSA_POLICY_CREATE_ACCOUNT
0: LSA_POLICY_CREATE_SECRET
0: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000002c (44)
context_id : 0x0000 (0)
opnum : 0x0006 (6)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 12 75 96 20 33 1B 0A 40 A0 CE C9 5D .....u.
[0010] 01 EA 3F 01 00 00 00 00 ..?.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_OpenPolicy: struct lsa_OpenPolicy
out: struct lsa_OpenPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-c95d01ea3f01
result : NT_STATUS_OK
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
in: struct lsa_QueryInfoPolicy2
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-c95d01ea3f01
level : LSA_POLICY_INFO_DNS (12)
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000016 (22)
context_id : 0x0000 (0)
opnum : 0x002e (46)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 176
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x00c0 (192)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x000000a8 (168)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=168
<redacted>
Got pdu len 192, data_len 168
rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 168 bytes.
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
out: struct lsa_QueryInfoPolicy2
info : *
info : *
info : union lsa_PolicyInformation(case 12)
dns: struct lsa_DnsDomainInfo
name: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'DOMAIN'
dns_domain: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
'domain.local'
dns_forest: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
'domain.local'
domain_guid : 681ea09d-d921-4581-b653-8f8b8f4eb470
sid : *
sid : S-1-5-21-<redacted>-<redacted>-<redacted>
result : NT_STATUS_OK
lsa_Close: struct lsa_Close
in: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 20967512-1b33-400a-a0ce-c95d01ea3f01
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0000 (0)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
lsa_Close: struct lsa_Close
out: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
signed SMB2 message
create_local_private_krb5_conf_for_domain: fname = /var/run/samba/smb_krb5/krb5.conf.DOMAIN, realm = domain.local, domain = DOMAIN
saf_fetch: failed to find server for "domain.local" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up domain.local#1c (sitename (null))
no entry for domain.local#1C found.
resolve_ads: Attempting to resolve KDCs for domain.local using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed domain-controller.domain.local [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
internal_resolve_name: returning 1 addresses: 192.168.0.34:88
Adding 1 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain domain.local server 192.168.0.34
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.0.34:88
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000f3fd (62461)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 681ea09d-d921-4581-b653-8f8b8f4eb470
forest : 'domain.local'
dns_domain : 'domain.local'
pdc_dns_name : 'domain-controller.domain.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAIN-CONTROLLER'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
get_kdc_ip_string: Returning kdc = 192.168.0.34
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.DOMAIN with realm DOMAIN.LOCAL KDC list = kdc = 192.168.0.34
signed SMB2 message
Bind RPC Pipe: host domain-controller.domain.local auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-ef00-0123456789ac
if_version : 0x00000001 (1)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0012e7d3 (1238995)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 02 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
reason : union dcerpc_bind_ack_reason(case 0)
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe samr to machine domain-controller.domain.local and bound anonymously.
samr_Connect2: struct samr_Connect2
in: struct samr_Connect2
system_name : *
system_name : 'domain-controller.domain.local'
access_mask : 0x00000030 (48)
0: SAMR_ACCESS_CONNECT_TO_SERVER
0: SAMR_ACCESS_SHUTDOWN_SERVER
0: SAMR_ACCESS_INITIALIZE_SERVER
0: SAMR_ACCESS_CREATE_DOMAIN
1: SAMR_ACCESS_ENUM_DOMAINS
1: SAMR_ACCESS_LOOKUP_DOMAIN
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000044 (68)
context_id : 0x0000 (0)
opnum : 0x0039 (57)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 96 BA 08 79 09 9E B8 43 99 31 35 E3 .......y ...C.15.
[0010] 6F DB 2D 8C 00 00 00 00 o.-.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Connect2: struct samr_Connect2
out: struct samr_Connect2
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
samr_OpenDomain: struct samr_OpenDomain
in: struct samr_OpenDomain
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
access_mask : 0x00000211 (529)
1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
0: SAMR_DOMAIN_ACCESS_SET_INFO_1
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
0: SAMR_DOMAIN_ACCESS_SET_INFO_2
1: SAMR_DOMAIN_ACCESS_CREATE_USER
0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
0: SAMR_DOMAIN_ACCESS_SET_INFO_3
sid : *
sid : S-1-5-21-<redacted>-<redacted>-<redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000034 (52)
context_id : 0x0000 (0)
opnum : 0x0007 (7)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 BB BF DA CA 50 F9 95 4B 9C 62 7E 58 ........ P..K.b~X
[0010] ED BE BA 7D 00 00 00 00 ...}....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
result : NT_STATUS_OK
Creating account with desired access mask: -536543056
samr_CreateUser2: struct samr_CreateUser2
in: struct samr_CreateUser2
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
account_name : *
account_name: struct lsa_String
length : 0x001c (28)
size : 0x001c (28)
string : *
string : 'hostname$'
acct_flags : 0x00000080 (128)
0: ACB_DISABLED
0: ACB_HOMDIRREQ
0: ACB_PWNOTREQ
0: ACB_TEMPDUP
0: ACB_NORMAL
0: ACB_MNS
0: ACB_DOMTRUST
1: ACB_WSTRUST
0: ACB_SVRTRUST
0: ACB_PWNOEXP
0: ACB_AUTOLOCK
0: ACB_ENC_TXT_PWD_ALLOWED
0: ACB_SMARTCARD_REQUIRED
0: ACB_TRUSTED_FOR_DELEGATION
0: ACB_NOT_DELEGATED
0: ACB_USE_DES_KEY_ONLY
0: ACB_DONT_REQUIRE_PREAUTH
0: ACB_PW_EXPIRED
0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
0: ACB_NO_AUTH_DATA_REQD
0: ACB_PARTIAL_SECRETS_ACCOUNT
0: ACB_USE_AES_KEYS
access_mask : 0xe00500b0 (3758424240)
0: SAMR_USER_ACCESS_GET_NAME_ETC
0: SAMR_USER_ACCESS_GET_LOCALE
0: SAMR_USER_ACCESS_SET_LOC_COM
0: SAMR_USER_ACCESS_GET_LOGONINFO
1: SAMR_USER_ACCESS_GET_ATTRIBUTES
1: SAMR_USER_ACCESS_SET_ATTRIBUTES
0: SAMR_USER_ACCESS_CHANGE_PASSWORD
1: SAMR_USER_ACCESS_SET_PASSWORD
0: SAMR_USER_ACCESS_GET_GROUPS
0: SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP
0: SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000004c (76)
context_id : 0x0000 (0)
opnum : 0x0032 (50)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 40
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0038 (56)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000020 (32)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 64 06 00 00 34 00 00 C0 ........ d...4...
Got pdu len 56, data_len 32
rpc_api_pipe: got frag len of 56 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 32 bytes.
samr_CreateUser2: struct samr_CreateUser2
out: struct samr_CreateUser2
user_handle : *
user_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
access_granted : *
access_granted : 0x00000000 (0)
rid : *
rid : 0x00000664 (1636)
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
Creation of workstation account failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000009 (9)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : <redacted>
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0001 (1)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host domain-controller.domain.local
signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x0000000a (10)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host domain-controller.domain.local returned 24 bytes.
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
signed SMB2 message
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOMAIN'
dns_domain_name : 'domain.local'
forest_name : 'domain.local'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-<redacted>-<redacted>-<redacted>
modified_config : 0x00 (0)
error_string : 'failed to join domain 'DOMAIN.LOCAL' over rpc: The object name is not found.'
domain_is_ad : 0x01 (1)
result : WERR_BADFILE
The object name is not found.
return code = -1
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Have you set up /etc/krb5.conf and if so, what does it contain?
Does your /etc/resolv.conf point at the DC?
Rowland