MS RPC, EPMAPPER and MS Exchange

casey at casey at
Mon Nov 29 14:14:34 GMT 1999

I recently joined this list because Im trying to add code to 
samba that will enable it to authenticate logins from MS Outlook 
clients that expect to login to an Exchange server. This is part of 
a larger effort to create an opensource replacement for MS 
back office applications. 

I've searched through the list archive and only found one reference 
to someone trying to use the samba rpc code to enable exchange 
logins but nothing substantial. Has anyone looked at this, and is 
it just vastly more complex than it appears ? 

When Outlook tries to login to an exchange server it tries to 
connect to the the RPC service on the exchange server through 
a named pipe /PIPE/EPMAPPER. 
After reading the and pages I suspect 
EPMAPPER ( the MS RPC EndPoint Mapper, maps services to port 
numbers )  tells outlook on which port to contact the Exchange 
server and I imagine the client is authenticated in the NT domain 
through this interface aswell. 

Outlook can be configured to make this request over tcp/ip to 
port 135 of the exchange server, which would probably make 
more sense than going through the filesystem on a samba server, 
but since a lot of the RPC code appears to be present in samba 
I would like to use this rather than implement the RPC code 
from scratch. 
documents the rpc trafffic between 2 Exchange servers and Im 
assuming the outlook client is doing somethign similar. 
Unfortunatly I dont have access to an Exchange server to sniff 
the traffic myself, so Id very much like this confirmed. 

To test this hypothesis I added a hook for EPMAPPER to 
smbd/ipc.c : named_pipe( .. ) 
where LANMAN and all the other names pipe commands are 
directed to api_reply( ) or api_fd_reply( ) and added an
 epmapper_reply( .. ) 
which basically just reports the command and goes to 
send_trans_reply( .. ).

This gives me an SMBopenX command which generates an error in 
smbd/pipes.c : reply_open_pipe_and_X( .. ) 

To get around this, I added an entry for EPMAPPER in 
rpc_parse/parse_rpc.c : pipe_names [ ] 

with an SYNT_EPMAPPER_V0 structure based on the UUID mentioned
in the Q159/2/98 article above for the End Point Mapper.

So far, Im getting: 
smbd/ipc.c  : reply_trans    trans <\PIPE\EPMAPPER> data=0 params=0 setup=2
			     its a pipe, so go to named_pipe( ) 
smbd/ipc.c  : named_pipe     initial command with setup = 83
smbd/pipes.c: reply_open_pipe_and_X( )  to open the pipe

smbd/ipc.c  : reply_trans    trans <\PIPE\> data=0 params=2 setup=2
			     now we can actually do something with it
smbd/ipc.c  : api_fd_reply   Got API command 0x1 on pipe "epmapper" 
			     0x01 = Set Named Pipe Handle state

smbd/ipc.c  : reply_trans    trans <\PIPE\> data=72 params=0 setup=2
smbd/ipc.c  : api_fd_reply   Got API command 0x26 on pipe "epmapper" 
			     0x26 = dce/rpc command 
            : rpc_command    RPC_BIND .. call api_pipe_bind_req
                             bind \PIPE\epmapper to .. epmapper ? 

smbd/ipc.c  : reply_trans    trans <\PIPE\> data=164 params=0 setup=2
			     Got API command 0x26 on pipe "epmapper" 
        : rpc_command        RPC_REQUEST with 164 bytes of data 
	: api_pipe_request   an entry I added in  api_fd_commands
		    	     calls api_epmapper_rpc.
        : api_epmapper_rpc   
     According to the Q159/2/98 document we should get a request with 
     opnum 0x03 so I setup and entry in api_fd_commands so this calls 
     api_rpcTNP with a pointer to api_epmapper_cmds which has one 
     entry .. EPMAPPER_GETUUID for opnum 0x03 
	: api_epmapper_getuuid  

 Apparently this is the request for a port number based on a UUID.
Sure enough, in the 164 bytes of data, 16 of which look like the normal 
rpc header, there's a UUID 
   8A885D04 - 1CEB - 11C9 - 9F E8 08 00 2B 10 48 60
which would be the exchange server it's looking for, but so far I havent 
seen ANY documentation on the interpretation of the rest of the request 
or, for that matter, the reply. 

Is this an acceptable way to deal with the epmapper requests ? Has 
anyone else tried to provide similar functionality or researched the 
issue and maybe have information about the format of the RPC request 
packets to map a UUID to a port number ? 

Case van Rij

More information about the samba-technical mailing list