[jcifs] Jarapac

eglass1 at comcast.net eglass1 at comcast.net
Wed Nov 12 11:32:38 EST 2003 

Mike/Chris/All,

I've set up a new project on Sourceforge, and just finished uploading version
0.0.0:

http://sourceforge.net/projects/jarapac/

This is a transport-independent framework for DCE/RPC in Java.  Key goals of
the project are:

1) Support for both client and server side RPC, both connection-oriented
   and connectionless.

2) Pluggable transport support, with provided support for the following
   transports:

    ncacn_ip_tcp (Connection-oriented DCE/RPC over TCP)
    ncadg_ip_udp (Connectionless DCE/RPC over UDP)
    ncacn_np (Connection-oriented DCE/RPC over SMB named pipes, using jCIFS
              as the transport provider)

4) Pluggable session security models, with provided support for NTLMSSP
    (and possibly Kerberos).

5) Client and server stub generation from IDL.

Various parts of these are at various stages; the status and todo list is
below.  There is a (more-or-less working) usage example provided, demonstrating
binding and a bogus function call.  Remember that this is effectively
pre-alpha, so your results may vary wildly ;)

If you want to have a look, you can download it from:

    http://sourceforge.net/project/showfiles.php?group_id=94432

To run the example, you would add all the jarfiles in the distribution to
your classpath, compile *.java in the "examples" directory, and run:

    java Example 'ncacn_ip_tcp:SERVER[135]'

which would bind to and invoke against the endpoint mapper over TCP, or:

    java Example 'ncacn_np:SERVER[\PIPE\epmapper]'

to do the same thing over SMB named pipes.  Also, take a look at the
example.properties for setting up authenticated binds (probably necessary
to run the named pipes example as well).


Eric


--------------------------------------------------------------------------------
Overall Status:

    Anonymous and authenticated binds (with or without NTLM1 signing & sealing)
    can be done over TCP and SMB named pipes, and it is *theoretically*
    possible to hand-code working RPC client stubs and invoke them over those
    transports.

    Client-side connection-oriented framework is more or less complete.
    Client-side connectionless framework is ~40% complete.
    Server-side (both connection-oriented and connectionless) is almost totally
    not there.

ncacn_np (Connection-oriented DCE/RPC over SMB named pipes):

    Client side is implemented, but somewhat poorly (should use an initial
    SMB transaction for PDUs, followed by reads and writes for overflow;
    this implementation just uses reads and writes, which means at least
    one extra roundtrip per request).

ncacn_ip_tcp (Connection-oriented DCE/RPC over TCP):

    Client side is implemented.

ncadg_ip_udp (Connectionless DCE/RPC over UDP):

    Client side is partially implemented; transport is mostly complete,
    but connectionless framework is only partially done.

NTLM security:

    NTLMv1 authentication with NTLM1 session security is fully implemented;
    includes:
    
        Support for signing and/or sealing with user session keys, as well as
        40-bit and 56-bit LAN Manager session keys (there is no 128-bit under
        NTLM1).

        Support for NTLMSSP key exchange.

    LMv2 authentication could maybe work, but is currently not used (there
    is some question as to the session key established; more experimentation
    is needed).
    NTLMv2 authentication could probably work, but isn't yet supported in
    jCIFS.
    NTLM2 session security is not yet implemented; since the algorithm
    for NTLM2 signatures under RPC isn't fully understood, there didn't seem
    to be much point (as sealing implies signing).


To-Do List (in rough order):

    Test the NDR encoding more thoroughly (I'm fairly certain there are
    still errors).

    Lots of Javadoc, and documentation in general.

    Add big-endian support to the NDR formatter (possibly EBCDIC as well).

    Implement the Endpoint Mapper client stub.

    Finish the connectionless client-side framework.

    Implement the Conversation Manager client stub.

    Start implementing some more exciting client stubs, such as samr, etc.

    Design and implement the server-side connection-oriented and
    connectionless frameworks.

    Look at removing the NTLM dependency on jCIFS (as it would be neighborly
    to support other SMB client implementations without requiring jCIFS
    as well just for NTLM).  It's also possible that big-endian NDR support
    would require an overhaul of the NTLM messages (as I'm not clear yet
    whether they are NDR structures or not).

    Find/write an IDL compiler to generate interface and stub classes.
    There was talk on #samba-technical surrounding an IDL compiler in
    the works which would generate intermediary XML; this would be ideal, as
    XML processing is fairly easy in Java.

    Implement the NetLogon secure channel and netlogon client stub.

    Experiment with NTLM2 session security.

More information about the jcifs mailing list