Yes.. the alignment is *after* the credential. You can look at the even.cap trace I mailed earlier. Stub data begins at 0x4E and the credential blob starts at 0xE0 (i.e. 0x92 bytes away).
To answer Jean's question, odd/even refer to the NetBIOS name without the null character. So, in odd.cap, the win2k client sends 7 and 6 (= sizeof("FUBAR")) as the lengths. In even.cap, the client sends 8 and 7. Samba sends the same lengths as the win2k client. One difference is that Samba uses SMBTrans as the RPC transport but I doubt that this is significant.

-----Original Message-----
From: Richard Sharpe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 19, 2002 8:05 PM
To: Jean Francois Micouleau
Cc: Vijay Kota; [EMAIL PROTECTED]
Subject: RE: unknown RPC opcodes during join+logon

On Fri, 20 Sep 2002, Jean Francois Micouleau wrote:

> On Fri, 20 Sep 2002, Richard Sharpe wrote:
>
> > On Thu, 19 Sep 2002, Vijay Kota wrote:
> >
> > > I am attaching the traces for 2 clients - FUBAR and FOOBAR.
> >
> > OK, thanks for that, but there is insufficient info in just two packets to
> > allow Ethereal to dissect all the stuff in there.
> >
> > That makes it difficult to see what is going on.
>
> I would say it's enough.
>
> Vijay, I guess the odd/even name are unicode strings. What are the
> string length values W2K is sending and what samba is sending?
>
> if there is an alignment bug it's before the credential blob.

Hmmm, having looked at my trace of a WinXP client calling ServerAuthenticate3, the alignment bytes are after the authenticator/blob. Either that, or Ethereal is wrong in the dissection I have.

Regards
-----
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]