Michael B Allen
mba2000 at ioplex.com
Wed Nov 12 04:47:55 GMT 2003
Whaooo! This should be handy.
> I've set up a new project on Sourceforge, and just finished uploading
> This is a transport-independent framework for DCE/RPC in Java. Key goals
> the project are:
> 1) Support for both client and server side RPC, both connection-oriented
> and connectionless.
> 2) Pluggable transport support, with provided support for the following
> ncacn_ip_tcp (Connection-oriented DCE/RPC over TCP)
> ncadg_ip_udp (Connectionless DCE/RPC over UDP)
> ncacn_np (Connection-oriented DCE/RPC over SMB named pipes, using
> as the transport provider)
> 4) Pluggable session security models, with provided support for NTLMSSP
> (and possibly Kerberos).
> 5) Client and server stub generation from IDL.
> Various parts of these are at various stages; the status and todo list is
> below. There is a (more-or-less working) usage example provided,
> binding and a bogus function call. Remember that this is effectively
> pre-alpha, so your results may vary wildly ;)
> If you want to have a look, you can download it from:
> To run the example, you would add all the jarfiles in the distribution to
> your classpath, compile *.java in the "examples" directory, and run:
> java Example 'ncacn_ip_tcp:SERVER'
> which would bind to and invoke against the endpoint mapper over TCP, or:
> java Example 'ncacn_np:SERVER[\PIPE\epmapper]'
> to do the same thing over SMB named pipes. Also, take a look at the
> example.properties for setting up authenticated binds (probably necessary
> to run the named pipes example as well).
> Overall Status:
> Anonymous and authenticated binds (with or without NTLM1 signing &
> can be done over TCP and SMB named pipes, and it is *theoretically*
> possible to hand-code working RPC client stubs and invoke them over
> Client-side connection-oriented framework is more or less complete.
> Client-side connectionless framework is ~40% complete.
> Server-side (both connection-oriented and connectionless) is almost
> not there.
> ncacn_np (Connection-oriented DCE/RPC over SMB named pipes):
> Client side is implemented, but somewhat poorly (should use an initial
> SMB transaction for PDUs, followed by reads and writes for overflow;
> this implementation just uses reads and writes, which means at least
> one extra roundtrip per request).
> ncacn_ip_tcp (Connection-oriented DCE/RPC over TCP):
> Client side is implemented.
> ncadg_ip_udp (Connectionless DCE/RPC over UDP):
> Client side is partially implemented; transport is mostly complete,
> but connectionless framework is only partially done.
> NTLM security:
> NTLMv1 authentication with NTLM1 session security is fully
> Support for signing and/or sealing with user session keys, as well
> 40-bit and 56-bit LAN Manager session keys (there is no 128-bit
> Support for NTLMSSP key exchange.
> LMv2 authentication could maybe work, but is currently not used (there
> is some question as to the session key established; more
> is needed).
> NTLMv2 authentication could probably work, but isn't yet supported in
> NTLM2 session security is not yet implemented; since the algorithm
> for NTLM2 signatures under RPC isn't fully understood, there didn't
> to be much point (as sealing implies signing).
> To-Do List (in rough order):
> Test the NDR encoding more thoroughly (I'm fairly certain there are
> still errors).
> Lots of Javadoc, and documentation in general.
> Add big-endian support to the NDR formatter (possibly EBCDIC as well).
> Implement the Endpoint Mapper client stub.
> Finish the connectionless client-side framework.
> Implement the Conversation Manager client stub.
> Start implementing some more exciting client stubs, such as samr, etc.
> Design and implement the server-side connection-oriented and
> connectionless frameworks.
> Look at removing the NTLM dependency on jCIFS (as it would be
> to support other SMB client implementations without requiring jCIFS
> as well just for NTLM). It's also possible that big-endian NDR
> would require an overhaul of the NTLM messages (as I'm not clear yet
> whether they are NDR structures or not).
> Find/write an IDL compiler to generate interface and stub classes.
> There was talk on #samba-technical surrounding an IDL compiler in
> the works which would generate intermediary XML; this would be ideal,
> XML processing is fairly easy in Java.
> Implement the NetLogon secure channel and netlogon client stub.
> Experiment with NTLM2 session security.
A program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the potential for it to be applied to tasks that are
conceptually similar and, more important, to tasks that have not
yet been conceived.
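The two arguments passed to `Example` in the quoted announcement are DCE/RPC string bindings of the form `protseq:host[endpoint]`. The Java class below is an added example, not code from the announced project or from either poster; the name `StringBinding` and its methods are hypothetical, and it handles only the subset of the binding syntax that appears in the message (no object UUID or options).

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not a class from the announced project.
public class StringBinding {
    // The three protocol sequences the announcement lists.
    private static final Set<String> PROTSEQS =
            Set.of("ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_np");
    // protseq ':' host, then an optional '[' endpoint ']' with no nesting.
    private static final Pattern SYNTAX =
            Pattern.compile("([a-z0-9_]+):([^\\[\\]]+)(?:\\[([^\\[\\]]*)\\])?");

    final String protseq;
    final String host;
    final String endpoint; // null when the binding names no endpoint

    private StringBinding(String protseq, String host, String endpoint) {
        this.protseq = protseq;
        this.host = host;
        this.endpoint = endpoint;
    }

    static StringBinding parse(String s) {
        Matcher m = SYNTAX.matcher(s);
        if (!m.matches()) {
            throw new IllegalArgumentException("malformed binding: " + s);
        }
        if (!PROTSEQS.contains(m.group(1))) {
            throw new IllegalArgumentException("unsupported protocol sequence: " + m.group(1));
        }
        return new StringBinding(m.group(1), m.group(2), m.group(3));
    }

    // "ncacn" = connection-oriented, "ncadg" = datagram (connectionless).
    boolean connectionOriented() { return protseq.startsWith("ncacn_"); }

    public static void main(String[] args) {
        // The first two strings are from the announcement; the rest are constructed.
        String[] samples = { "ncacn_ip_tcp:SERVER", "ncacn_np:SERVER[\\PIPE\\epmapper]",
                "ncadg_ip_udp:SERVER", "bogus_seq:SERVER", "ncacn_np:SERVER[\\PIPE\\epmapper" };
        for (String s : samples) {
            try {
                StringBinding b = parse(s);
                System.out.println(b.protseq + " host=" + b.host + " endpoint=" + b.endpoint
                        + " connectionOriented=" + b.connectionOriented());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting unknown protocol sequences and unbalanced brackets before any connection is attempted keeps a malformed binding from silently falling through to a default transport or endpoint.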