NetrLogonSamLogonEx request fails with nca_s_fault_sec_pkg_error while accessing SMB share

BHARATH BHEEMARASETTI 5 Reputation points
2023-06-27T15:25:51.1+00:00

What is causing NetrLogonSamLogonEx request to fail with nca_s_fault_sec_pkg_error when accessing an SMB share? The network capture showed the error coming from the DC, but there was no indication of failure in the netlogon logs. The issue stops after restarting the SMB server. What could be causing this error and how can it be resolved?

Request:

Frame 47454: 972 bytes on wire (7776 bits), 972 bytes captured (7776 bits)
    Encapsulation type: Linux cooked-mode capture v1 (25)
    Arrival Time: Jun 27, 2023 20:24:26.813692000 IST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1687877666.813692000 seconds
    [Time delta from previous captured frame: 0.000042000 seconds]
    [Time delta from previous displayed frame: 0.000354000 seconds]
    [Time since reference or first frame: 2.621797000 seconds]
    Frame Number: 47454
    Frame Length: 972 bytes (7776 bits)
    Capture Length: 972 bytes (7776 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:tcp:nbss:smb2:dcerpc]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || netbios]
Linux cooked capture v1
    Packet type: Sent by us (4)
    Link-layer address type: Ethernet (1)
    Link-layer address length: 6
    Source: SuperMic_20:61:a9 (7c:c2:55:20:61:a9)
    Unused: 4317
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.212.48, Dst: 10.10.16.21
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 956
    Identification: 0x79f3 (31219)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0xc4f9 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 10.0.212.48
    Destination Address: 10.10.16.21
Transmission Control Protocol, Src Port: 47126, Dst Port: 445, Seq: 3154, Ack: 1633, Len: 916
    Source Port: 47126
    Destination Port: 445
    [Stream index: 144]
    [Conversation completeness: Incomplete (12)]
    [TCP Segment Len: 916]
    Sequence Number: 3154    (relative sequence number)
    Sequence Number (raw): 275089683
    [Next Sequence Number: 4070    (relative sequence number)]
    Acknowledgment Number: 1633    (relative ack number)
    Acknowledgment number (raw): 1562373117
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window: 11
    [Calculated window size: 11]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xfbfd [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.023529000 seconds]
        [Time since previous frame in this TCP stream: 0.000321000 seconds]
    [SEQ/ACK analysis]
        [Bytes in flight: 916]
        [Bytes sent since last PSH flag: 916]
    TCP payload (916 bytes)
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Ioctl (11)
        Credits requested: 1
        Flags: 0x00000018, Signing, Priority
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            .... .... .... .... .... .... .001 .... = Priority: This pdu contains a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 453
        Process Id: 0x00000000
        Tree Id: 0x00000001
        Session Id: 0x0000c2347800000d
        Signature: dc26f52f14e67307ae24e42f251d6b12
        [Response in: 47456]
    Ioctl Request (0x0b)
        StructureSize: 0x0039
        Reserved: 0000
        Function: FSCTL_PIPE_TRANSCEIVE (0x0011c017)
            0000 0000 0001 0001 .... .... .... .... = Device: NAMED_PIPE (0x0011)
            .... .... .... .... 11.. .... .... .... = Access: FILE_READ_WRITE_ACCESS (0x3)
            .... .... .... .... ..00 0000 0001 01.. = Function: 0x005
            .... .... .... .... .... .... .... ..11 = Method: METHOD_NEITHER (0x3)
        GUID handle File: netlogon
            File Id: 0043503c-0030-0000-c100-100030000000
            [Frame handle opened: 47440]
            [Frame handle closed: 47460]
        Max Ioctl In Size: 0
        Max Ioctl Out Size: 4280
        Flags: 0x00000001
        Reserved: 00000000
        Blob Offset: 0x00000078
        Blob Length: 792
        In Data
        Blob Offset: 0x00000078
        Blob Length: 0
        Out Data: NO DATA
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 792, Call: 15743, Ctx: 0, [Resp: #47456]
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 792
    Auth Length: 56
    Call ID: 15743
    Alloc hint: 696
    Context ID: 0
    Opnum: 39
    [Response in frame: 47456]
    Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(1)
        Auth type: NETLOGON Secure Channel (68)
        Auth level: Packet privacy (6)
        Auth pad len: 8
        Auth Rsrvd: 0
        Auth Context ID: 1
Microsoft Network Logon, NetrLogonSamLogonEx
    Operation: NetrLogonSamLogonEx (39)
    [Response in frame: 47456]
    Encrypted stub data: 6c226bea610ab5cb54b4cc93cc0ab9e3fabbed330fcb3ac2cbac6541b9b95bf4c2943ee0…

Response:

Frame 47456: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits)
    Encapsulation type: Linux cooked-mode capture v1 (25)
    Arrival Time: Jun 27, 2023 20:24:26.813871000 IST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1687877666.813871000 seconds
    [Time delta from previous captured frame: 0.000178000 seconds]
    [Time delta from previous displayed frame: 0.000179000 seconds]
    [Time since reference or first frame: 2.621976000 seconds]
    Frame Number: 47456
    Frame Length: 204 bytes (1632 bits)
    Capture Length: 204 bytes (1632 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:tcp:nbss:smb2:dcerpc]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || netbios]
Linux cooked capture v1
    Packet type: Unicast to us (0)
    Link-layer address type: Ethernet (1)
    Link-layer address length: 6
    Source: Cisco_64:7c:ff (8c:94:1f:64:7c:ff)
    Unused: af17
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.10.16.21, Dst: 10.0.212.48
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 188
    Identification: 0x18b8 (6328)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 127
    Protocol: TCP (6)
    Header Checksum: 0xea34 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 10.10.16.21
    Destination Address: 10.0.212.48
Transmission Control Protocol, Src Port: 445, Dst Port: 47126, Seq: 1633, Ack: 4070, Len: 148
    Source Port: 445
    Destination Port: 47126
    [Stream index: 144]
    [Conversation completeness: Incomplete (12)]
    [TCP Segment Len: 148]
    Sequence Number: 1633    (relative sequence number)
    Sequence Number (raw): 1562373117
    [Next Sequence Number: 1781    (relative sequence number)]
    Acknowledgment Number: 4070    (relative ack number)
    Acknowledgment number (raw): 275090599
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window: 2048
    [Calculated window size: 2048]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x3e7c [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.023708000 seconds]
        [Time since previous frame in this TCP stream: 0.000178000 seconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 47454]
        [The RTT to ACK the segment was: 0.000179000 seconds]
        [Bytes in flight: 148]
        [Bytes sent since last PSH flag: 148]
    TCP payload (148 bytes)
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        ProtocolId: 0xfe534d42
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_SUCCESS (0x00000000)
        Command: Ioctl (11)
        Credits granted: 1
        Flags: 0x00000019, Response, Signing, Priority
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            .... .... .... .... .... .... .001 .... = Priority: This pdu contains a PRIORITY
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: 453
        Process Id: 0x00000000
        Tree Id: 0x00000001
        Session Id: 0x0000c2347800000d
        Signature: d69c8ac851b80d49369a5f650d0fb03c
        [Response to: 47454]
        [Time from request: 0.000179000 seconds]
    Ioctl Response (0x0b)
        StructureSize: 0x0031
        Reserved: 0000
        Function: FSCTL_PIPE_TRANSCEIVE (0x0011c017)
            0000 0000 0001 0001 .... .... .... .... = Device: NAMED_PIPE (0x0011)
            .... .... .... .... 11.. .... .... .... = Access: FILE_READ_WRITE_ACCESS (0x3)
            .... .... .... .... ..00 0000 0001 01.. = Function: 0x005
            .... .... .... .... .... .... .... ..11 = Method: METHOD_NEITHER (0x3)
        GUID handle File: netlogon
            File Id: 0043503c-0030-0000-c100-100030000000
            [Frame handle opened: 47440]
            [Frame handle closed: 47460]
        Flags: 0x00000000
        Reserved: 00000000
        Blob Offset: 0x00000070
        Blob Length: 0
        In Data: NO DATA
        Blob Offset: 0x00000070
        Blob Length: 32
        Out Data
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Fault, Fragment: Single, FragLen: 32, Call: 15743, [Req: #47454]
    Version: 5
    Version (minor): 0
    Packet type: Fault (3)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 32
    Auth Length: 0
    Call ID: 15743
    Alloc hint: 32
    Context ID: 0
    Cancel count: 0
    Fault flags: 0x00
        .... ...0 = Extended error information present: False
    Status: nca_s_fault_sec_pkg_error (0x00000721)
        [Expert Info (Note/Response): Fault: nca_s_fault_sec_pkg_error]
            [Fault: nca_s_fault_sec_pkg_error]
            [Severity level: Note]
            [Group: Response]
    Reserved: 00000000
    [Opnum: 39]
    [Request in frame: 47454]
    [Time from request: 0.000179000 seconds]
    Fault stub data (0 bytes)

Everything works fine until this error is hit, and it starts working again somehow after restarting the SMB server.

Windows Server 2016

1 answer

  1. Limitless Technology 44,661 Reputation points
    2023-06-28T12:17:31.2066667+00:00

    Hello there,

    The error message "nca_s_fault_sec_pkg_error" typically indicates a security-related issue when accessing an SMB (Server Message Block) share. This error is specific to the DCE/RPC (Distributed Computing Environment/Remote Procedure Call) protocol used by Windows systems.

    Here are a few potential causes and troubleshooting steps you can follow to resolve the issue:

    Check the system time synchronization: Ensure that the time on both the client and server machines is synchronized. Time discrepancies can lead to authentication failures.

    Verify the authentication protocol: Make sure that both the client and server machines are configured to use the same authentication protocols. The NetrLogonSamLogonEx request relies on authentication mechanisms such as Kerberos or NTLM (NT LAN Manager). Ensure that the authentication protocols are correctly configured and compatible between the client and server.

    Verify the user's credentials: Ensure that the user attempting to access the SMB share has valid credentials and sufficient permissions to access the shared resource. Double-check the username and password being used for authentication.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
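
Added example, not part of the original question or answer: a Python sketch for triaging this kind of capture by decoding DCE/RPC fragments taken from a single netlogon pipe and pairing each Fault with the Request that shares its call ID. The function names `parse_pdu` and `correlate_faults` are hypothetical, and the two sample PDUs are constructed from the header fields shown in frames 47454 and 47456, with the encrypted stub and verifier zero-filled.

```python
import struct

PTYPE_REQUEST, PTYPE_FAULT = 0, 3
FAULT_NAMES = {0x00000721: "nca_s_fault_sec_pkg_error"}  # status shown in frame 47456

def parse_pdu(pdu: bytes) -> dict:
    """Decode the connection-oriented DCE/RPC v5 header of a single fragment."""
    if len(pdu) < 24 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    ptype = pdu[2]
    end = "<" if pdu[4] & 0xF0 == 0x10 else ">"  # drep: 0x1_ means little-endian
    frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
    if frag_len != len(pdu) or (ptype == PTYPE_FAULT and frag_len < 28):
        raise ValueError("fragment length does not match the header")
    out = {"ptype": ptype, "call_id": call_id, "auth_len": auth_len}
    if ptype == PTYPE_REQUEST:
        out["opnum"] = struct.unpack_from(end + "H", pdu, 22)[0]
        trailer = frag_len - auth_len - 8  # 8-byte auth trailer precedes the verifier
        if auth_len and trailer >= 24:
            out["auth_type"], out["auth_level"] = pdu[trailer], pdu[trailer + 1]
    elif ptype == PTYPE_FAULT:
        out["status"] = struct.unpack_from(end + "I", pdu, 24)[0]
    return out

def correlate_faults(pdus) -> list:
    """Pair every Fault with the Request carrying the same call ID (one pipe only)."""
    pending, findings = {}, []
    for p in map(parse_pdu, pdus):
        if p["ptype"] == PTYPE_REQUEST:
            pending[p["call_id"]] = p
        elif p["ptype"] == PTYPE_FAULT:
            req = pending.pop(p["call_id"], {})
            findings.append({
                "call_id": p["call_id"], "opnum": req.get("opnum"),
                "auth_type": req.get("auth_type"),
                "auth_level": req.get("auth_level"),
                "fault": FAULT_NAMES.get(p["status"], hex(p["status"])),
                "fault_has_verifier": p["auth_len"] > 0,
            })
    return findings

# Constructed sample: header fields copied from frames 47454 and 47456; the
# encrypted stub and the verifier are zero-filled placeholders.
HDR = "<4B4sHHI"
REQ = (struct.pack(HDR, 5, 0, 0, 0x03, b"\x10\0\0\0", 792, 56, 15743)
       + struct.pack("<IHH", 696, 0, 39) + bytes(704)
       + struct.pack("<4BI", 68, 6, 8, 0, 1) + bytes(56))
FAULT = (struct.pack(HDR, 5, 0, 3, 0x03, b"\x10\0\0\0", 32, 0, 15743)
         + struct.pack("<IHBBII", 32, 0, 0, 0, 0x721, 0))
```

`correlate_faults([REQ, FAULT])` yields one finding for call 15743: opnum 39 sent with auth type 68 at level 6, answered by a fault that carries no verifier, which matches `Auth Length: 0` in frame 47456.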

