[FreeDCE-DCOMdev] patches for freedce cvs - not for faint-hearted [NTLMSSP, MSRPC]

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

loic, freedce'ers, opendce'ers, samba-tng'ers and samba-tech'ers, hi,

okay this is from some stuff i have had kicking about since 2001.
i'm relaying it here for people who may be interested.

basically it revives freedce to the point where it is almost actually
useful for development work as an MSRPC-compatible development
environment.

the only issues to resolve to make a usefulrelease: out-sourcing
of authentication to some sort of NT Domain Clone authentication
server, and making the "Named Pipes" transport inherit the
authentication context.

FUNDING FOR THIS STRATEGICALLY IMPORTANT PROJECT WOULD HELP LOTS OF PEOPLE.

patches are obtainable at http://hands.com:~lkcl

freedce-patch.txt and ncklib-auth.tgz.

it's patches against freedce.sf.net cvs main, _not_ the dce-rpc 1.1
release just made by loic last month.

therefore, some of the issues (like --enable-dcom or --disable-dcom)
_may_ have been fixed in that release - but not in freedce cvs main.

merging the dce-rpc 1.1 release into cvs main is going to take
time, expertise and effort that at present is not available.

if i had cvs access to freedce.sf.net, this would be the cvs commit
message:

1) adding expression so that size_is( data_len / 2) and
   length_is( (data_len + 7) & ~7) etc. will work *gibber*

   it's not my code, i can't recall where it came from.

   it is essential for both dcom and MSRPC interoperability.

   the /2 is essential for correctly transferring UCS-2 unicode
   strings.

   the 8-byte aligmnent is essential for dcom in transferring
   data blobs.

   apparently.

2) adding gss-api auth.  again - no clue where it comes from.

3) adding ntlmssp auth.  this is mine, but is now "public domain",
   at least the bits of it that _are_ mine are public domain (e.g.
   excluding the smbdes.c code etc.)

   it's hardcoded to workgroup WORKGROUP, principle name HIGHFIELD,
   username TEST and password TEST.

   once there exists client-side library implementing the NETLOGON api,
   (which is a trivial couple-of-days job _if_ access to the
   netlogon.idl file is available) then this plugin will of course have
   an easy mechanism to be able to do "outsourced" authentication.

   if anyone can think of a better way to do this, please say so.

   e.g. would it be better to bounce the authentication off to winbindd?

   e.g. revive pam_ntdom?

   e.g. write a simple special interface (root-only-accessible) that sends domain+user+pass?

   e.g. write an IDL file, create a service (which needs to be
   root-only accessible) that does the above?

   etc.

4) correcting AUTH3 pdu problems, client-side.

   this is a little scary because i really don't have a clue as to how
   the state machine really works: i can only guess.

   i've made three simple changes, the exact implications of
   which i can only guess at, and all i can say is "they seem
   to work".

   you know the difference between amateur and professional: amateur is
   happy it worked once, professional is happy it never fails.

   well, this is "amateur" and i am _very_ happy :)

   ... but, like all open source, it's good enough for "first version".

5) removing dcom *AGAIN* because it's not properly / totally
   autoconf'd and doesn't compile properly in cvs main with either
   --enable-dcom _or_ --disable-dcom.

6) updating uuid-gen which appears to now have a g++ stl compile-related
   error.

7) removing *AGAIN* the defaults which make dceidl stop everything from
   compiling without warnings (g++ is the default instead of gcc)

   this really needs to be dealt with properly by giving dceidl
   a "-cpp" argument which is used in Makefiles where it is
   needed, rather than being the default behaviour.

   if it hasn't already.

   i haven't really checked to be honest: as you are no doubt aware,
   i'm in "get it working" mode.

8) adding in a couple of essential - but hard-coded - name service
   resolutions into what would otherwise be a "dummy" DCE library.

   these are the points at which the DCE 1.2.2 code would add "real"
   functionality.

   except that the DCE 1.2.2 code would add "real" DCE-related
   functionality - it wouldn't add MSRPC/WINS resolver functionality,
   which this [unattributed] patch _does_ add even if not very well.

   oops :)

9) yaccisms.  yukk :)  now compiles with flex 2.5.X series.

10) adding "implicit handles" to the IDL syntax, which are presently
    missing.  these are ESSENTIAL.

	and i can't remember who added it.

11) disabled atfork because you can guarantee a crash if you
    don't disable it.

when i say "can't remember", it's been four years, and the
only other two people i remember who worked on this were Wez
Furlong and Luke Howard.

build prerequisites are:

- patience.

- autoconf 2.13 NOT 2.5whatever.

  [debianites: apt-get install autoconf2.13]

- dce-rpc 1.1 dcethreads library released last month on
  http://sf.net/projects/freedce, but you MUST export
  LD_ASSUME_KERNEL=2.4.19 if you are using a 2.6 kernel.

  i _do_ have a badly-fixed freedce dcethreads library -
  which doesn't entirely work either (passes tests 1 and 2) -
  which doesn't suffer from the "atfork" segfault problem that
  the dce-rpc 1.1 dcethreads library does (test_atfork1 doesn't
  compile), but it _does_ suffer from some other exception
  handling issues, but it passes enough of the tests in the
  dcethreads suite to actually be useable.

  just :)

  anyone interested in using hacked code, let me know, i can
  prepare a patch :)

- samba TNG built with ./configure.nonpsec.developer because
  this DISABLES the security-context transfer mechanism of
  the "Named Pipe" outsourcing system in samba-tng, which is
  presently NOT implemented in freedce.

  yet.

  so, for those people who have been following the tng-technical
  discussions between myself and jelmer, the semantics of
  freedce's "Named Pipe" system are at present identical to
  samba 4's "ncalrpc" transport NOT the samba-tng's "ncalrpc"
  transport, and consequently you must build samba-tng with
  ./configure.nonpsec.developer to give it [effectively]
  the same semantics as samba 4's "ncalrpc" transport.

- on termination of a service (e.g. rpcd) you must MANUALLY delete
  /usr/local/samba/var/locks/.msrpc/<the endpoint mapper socket name>
  before restarting the service.

  yes, i know.

  it's due to the way that unix domain sockets work, and that the
  FreeDCE code ncalrpc implementation uses the standard BSD transport
  as a temporary hack.  this obviously has to change.

  any advice here greatly appreciated.

  l.

-- 
--
<a href="http://lkcl.net">http://lkcl.net</a>
--