From: Luke K. C. L. <lk...@lk...> - 2005-01-07 12:49:38
loic, freedce'ers, opendce'ers, samba-tng'ers and samba-tech'ers, hi,

okay this is from some stuff i have had kicking about since 2001. i'm relaying it here for people who may be interested. basically it revives freedce to the point where it is almost actually useful for development work as an MSRPC-compatible development environment. the only issues to resolve to make a useful release: out-sourcing of authentication to some sort of NT Domain Clone authentication server, and making the "Named Pipes" transport inherit the authentication context.

FUNDING FOR THIS STRATEGICALLY IMPORTANT PROJECT WOULD HELP LOTS OF PEOPLE.

patches are obtainable at http://hands.com:~lkcl freedce-patch.txt and ncklib-auth.tgz. it's patches against freedce.sf.net cvs main, _not_ the dce-rpc 1.1 release just made by loic last month. therefore, some of the issues (like --enable-dcom or --disable-dcom) _may_ have been fixed in that release - but not in freedce cvs main. merging the dce-rpc 1.1 release into cvs main is going to take time, expertise and effort that at present is not available.

if i had cvs access to freedce.sf.net, this would be the cvs commit message:

1) adding expression so that size_is( data_len / 2) and length_is( (data_len + 7) & ~7) etc. will work

   *gibber* it's not my code, i can't recall where it came from. it is essential for both dcom and MSRPC interoperability. the /2 is essential for correctly transferring UCS-2 unicode strings. the 8-byte alignment is essential for dcom in transferring data blobs. apparently.

2) adding gss-api auth.

   again - no clue where it comes from.

3) adding ntlmssp auth.

   this is mine, but is now "public domain", at least the bits of it that _are_ mine are public domain (e.g. excluding the smbdes.c code etc.) it's hardcoded to workgroup WORKGROUP, principal name HIGHFIELD, username TEST and password TEST.

   once there exists a client-side library implementing the NETLOGON api (which is a trivial couple-of-days job _if_ access to the netlogon.idl file is available), then this plugin will of course have an easy mechanism to be able to do "outsourced" authentication. if anyone can think of a better way to do this, please say so. e.g. would it be better to bounce the authentication off to winbindd? e.g. revive pam_ntdom? e.g. write a simple special interface (root-only-accessible) that sends domain+user+pass? e.g. write an IDL file, create a service (which needs to be root-only accessible) that does the above? etc.

4) correcting AUTH3 pdu problems, client-side.

   this is a little scary because i really don't have a clue as to how the state machine really works: i can only guess. i've made three simple changes, the exact implications of which i can only guess at, and all i can say is "they seem to work". you know the difference between amateur and professional: amateur is happy it worked once, professional is happy it never fails. well, this is "amateur" and i am _very_ happy :) ... but, like all open source, it's good enough for "first version".

5) removing dcom *AGAIN* because it's not properly / totally autoconf'd and doesn't compile properly in cvs main with either --enable-dcom _or_ --disable-dcom.

6) updating uuid-gen which appears to now have a g++ stl compile-related error.

7) removing *AGAIN* the defaults which make dceidl stop everything from compiling without warnings (g++ is the default instead of gcc).

   this really needs to be dealt with properly by giving dceidl a "-cpp" argument which is used in Makefiles where it is needed, rather than being the default behaviour. if it hasn't already. i haven't really checked to be honest: as you are no doubt aware, i'm in "get it working" mode.

8) adding in a couple of essential - but hard-coded - name service resolutions into what would otherwise be a "dummy" DCE library.

   these are the points at which the DCE 1.2.2 code would add "real" functionality. except that the DCE 1.2.2 code would add "real" DCE-related functionality - it wouldn't add MSRPC/WINS resolver functionality, which this [unattributed] patch _does_ add even if not very well. oops :)

9) yaccisms. yukk :) now compiles with flex 2.5.X series.

10) adding "implicit handles" to the IDL syntax, which are presently missing. these are ESSENTIAL. and i can't remember who added it.

11) disabled atfork because you can guarantee a crash if you don't disable it.

when i say "can't remember", it's been four years, and the only other two people i remember who worked on this were Wez Furlong and Luke Howard.

build prerequisites are:

- patience.

- autoconf 2.13 NOT 2.5whatever. [debianites: apt-get install autoconf2.13]

- dce-rpc 1.1 dcethreads library released last month on http://sf.net/projects/freedce, but you MUST export LD_ASSUME_KERNEL=2.4.19 if you are using a 2.6 kernel.

  i _do_ have a badly-fixed freedce dcethreads library - which doesn't entirely work either (passes tests 1 and 2) - which doesn't suffer from the "atfork" segfault problem that the dce-rpc 1.1 dcethreads library does (test_atfork1 doesn't compile), but it _does_ suffer from some other exception handling issues, but it passes enough of the tests in the dcethreads suite to actually be usable. just :) anyone interested in using hacked code, let me know, i can prepare a patch :)

- samba TNG built with ./configure.nonpsec.developer because this DISABLES the security-context transfer mechanism of the "Named Pipe" outsourcing system in samba-tng, which is presently NOT implemented in freedce. yet.

  so, for those people who have been following the tng-technical discussions between myself and jelmer, the semantics of freedce's "Named Pipe" system are at present identical to samba 4's "ncalrpc" transport NOT samba-tng's "ncalrpc" transport, and consequently you must build samba-tng with ./configure.nonpsec.developer to give it [effectively] the same semantics as samba 4's "ncalrpc" transport.

- on termination of a service (e.g. rpcd) you must MANUALLY delete /usr/local/samba/var/locks/.msrpc/<the endpoint mapper socket name> before restarting the service.

  yes, i know. it's due to the way that unix domain sockets work, and that the FreeDCE ncalrpc implementation uses the standard BSD transport as a temporary hack. this obviously has to change. any advice here greatly appreciated.

l.

--
http://lkcl.net
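The size_is / length_is point in item 1 of the mail above, as an added example that is not part of the FreeDCE patch or of dceidl: a small evaluator for the arithmetic subset of IDL attribute expressions (identifiers, integer literals, + - * / % & | ^ ~ << >> and parentheses, C precedence, result truncated to an unsigned 32-bit count), applied to the two expressions quoted in the mail. The grammar is an assumed C-like subset, not the dceidl grammar; the field name data_len and the sample UCS-2 string are constructed for the example. The last block also shows why the /2 matters: with size_is(data_len) the byte count is taken as the element count and the conformant array runs past the buffer.

```python
"""
Evaluate the arithmetic subset of DCE IDL attribute expressions, such as
size_is(data_len / 2) and length_is((data_len + 7) & ~7), against the
values of the correlated fields.  Added example, not FreeDCE/dceidl code:
the grammar is an assumed C-like subset and the field names are constructed.
"""
import re

# One token per match: integer literal, identifier, or operator.
_TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(<<|>>|[-+*/%&|^~()]))")

# Binary operators with C precedence (higher binds tighter), integer semantics.
_BINARY = {
    "|": (1, lambda a, b: a | b),
    "^": (2, lambda a, b: a ^ b),
    "&": (3, lambda a, b: a & b),
    "<<": (4, lambda a, b: a << b), ">>": (4, lambda a, b: a >> b),
    "+": (5, lambda a, b: a + b), "-": (5, lambda a, b: a - b),
    "*": (6, lambda a, b: a * b), "/": (6, lambda a, b: a // b),
    "%": (6, lambda a, b: a % b),
}

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        pos = m.end()
        num, ident, op = m.groups()
        tokens.append(("num", int(num)) if num is not None
                      else ("id", ident) if ident is not None
                      else ("op", op))
    return tokens

class _Parser:
    """Precedence-climbing parser that evaluates as it parses."""
    def __init__(self, tokens, fields):
        self.toks, self.i, self.fields = tokens, 0, fields
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok = self.peek(); self.i += 1; return tok
    def expr(self, min_prec=1):
        lhs = self.unary()
        while True:
            kind, val = self.peek()
            if kind != "op" or val not in _BINARY or _BINARY[val][0] < min_prec:
                return lhs
            prec, fn = _BINARY[self.take()[1]]
            lhs = fn(lhs, self.expr(prec + 1))   # left-associative
    def unary(self):
        kind, val = self.take()
        if kind == "op" and val == "~": return ~self.unary()
        if kind == "op" and val == "-": return -self.unary()
        if kind == "op" and val == "(":
            v = self.expr()
            if self.take() != ("op", ")"): raise ValueError("expected ')'")
            return v
        if kind == "num": return val
        if kind == "id":
            if val not in self.fields: raise ValueError(f"unknown field {val!r}")
            return self.fields[val]
        raise ValueError(f"unexpected token {val!r}")

def eval_attr(expr, fields):
    """Value of an attribute expression, truncated to the unsigned 32-bit
    range an NDR conformance/variance count is carried in."""
    p = _Parser(tokenize(expr), fields)
    v = p.expr()
    if p.peek()[0] is not None:
        raise ValueError("trailing input")
    return v & 0xFFFFFFFF

# ---- the two cases from the mail, on constructed data ----------------------
SAMPLE_UCS2 = "HIGHFIELD".encode("utf-16-le")   # constructed: 9 code units, 18 bytes

def count_fits(expr, blob, data_len):
    """True if the element count that size_is(expr) yields stays inside blob."""
    n = eval_attr(expr, {"data_len": data_len})
    return n * 2 <= len(blob)          # 2 bytes per UCS-2 element

def decode_ucs2(blob, data_len):
    """Unmarshal a UCS-2 string whose IDL says size_is(data_len / 2)."""
    if not count_fits("data_len / 2", blob, data_len):
        raise ValueError("conformant count exceeds buffer")
    n = eval_attr("data_len / 2", {"data_len": data_len})
    return blob[:n * 2].decode("utf-16-le")

def padded_len(data_len):
    """length_is((data_len + 7) & ~7): blob length rounded up to 8 bytes."""
    return eval_attr("(data_len + 7) & ~7", {"data_len": data_len})

if __name__ == "__main__":
    print(decode_ucs2(SAMPLE_UCS2, len(SAMPLE_UCS2)))              # HIGHFIELD
    print(count_fits("data_len", SAMPLE_UCS2, len(SAMPLE_UCS2)))   # False: bytes taken as elements
    print([padded_len(n) for n in (1, 8, 9, 23, 24)])              # [8, 8, 16, 24, 24]
```

The evaluator masks to 32 bits so that `~7` behaves as the unsigned mask it is on the wire rather than as Python's unbounded negative integer; the (data_len + 7) & ~7 result is the same either way for non-negative lengths, but a negative intermediate from unary minus would otherwise leak through as a huge count.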
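On the stale endpoint-mapper socket in the last build prerequisite above: an added example, not FreeDCE code, of how a service can tell a leftover AF_UNIX path (the previous rpcd exited without unlinking it) from a path that another live instance is still listening on, so that it unlinks only the stale one at startup instead of requiring a manual delete. The paths are constructed in a temporary directory rather than under /usr/local/samba/var/locks/.msrpc/, and the socket name "epmapper" is made up for the example.

```python
"""
Distinguish a stale AF_UNIX socket path (left behind by a dead server) from
one with a live listener, and unlink only the stale one before binding.
Added example, not FreeDCE code; paths are constructed in a temp directory.
"""
import os
import socket
import stat
import tempfile

def socket_path_state(path):
    """Return 'absent', 'live', 'stale' or 'not-a-socket' for a filesystem path."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"           # never unlink an arbitrary file
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    probe.settimeout(1.0)
    try:
        probe.connect(path)             # succeeds only if someone is listening
        return "live"
    except ConnectionRefusedError:
        return "stale"                  # inode exists, no listener behind it
    except socket.timeout:
        return "live"                   # listener present but backlog full
    finally:
        probe.close()

def bind_endpoint(path):
    """Bind a listening socket at path, unlinking only a verified-stale leftover."""
    state = socket_path_state(path)
    if state == "live":
        raise RuntimeError(f"{path}: another instance is listening")
    if state == "not-a-socket":
        raise RuntimeError(f"{path}: exists and is not a socket; refusing to unlink")
    if state == "stale":
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(16)
    return srv

def demo():
    """Walk through start, second-instance refusal, unclean exit and restart."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "epmapper")   # constructed name, not the real one
    results = {}
    results["before"] = socket_path_state(path)
    srv = bind_endpoint(path)
    results["running"] = socket_path_state(path)
    try:
        bind_endpoint(path)
        results["second"] = "bound"
    except RuntimeError:
        results["second"] = "refused"
    srv.close()                            # exit without unlink: the path goes stale
    results["after_close"] = socket_path_state(path)
    srv2 = bind_endpoint(path)             # restart succeeds with no manual delete
    results["restarted"] = socket_path_state(path)
    srv2.close()
    os.unlink(path)
    os.rmdir(tmp)
    return results

if __name__ == "__main__":
    for step, state in demo().items():
        print(f"{step:12s} {state}")
```

The probe-then-unlink sequence still has a small window between the connect() and the unlink() in which a second instance could bind the same path; if that matters, hold an flock() on a lock file next to the socket for the lifetime of the process and take it before probing. The example keeps to the socket probe because that is the part that replaces the manual delete the mail describes.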