outsourcing DCE/RPC to alternate programs - runtime config option

Jelmer Vernooij jelmer at samba.org
Sun Dec 12 16:21:59 GMT 2004



Hi,

Luke Kenneth Casson Leighton wrote:
| On Sun, Dec 12, 2004 at 01:07:52AM +0100, Jelmer Vernooij wrote:
|>|>In Samba4 you would do this:
|>|>
|>|>	server services = rpc
|>|>
|>|>and this would make Samba only start the rpc server (so it would not
|>|>start the builtin smb or ldap servers). It will only be listening on
|>|>tcp ports 135 and 1024, plus any local rpc transports that are defined
|>|>(such as /var/ncalrpc/DEFAULT and /var/ncalrpc/EPMAPPER) and any fixed
|>|>ncacn_ip_tcp ports defined in the builtin IDL files.
|>|
|>I think what Tridge means is actually 'forwarding' the RPC data (for
|>which Samba4 already has support, e.g. you can redirect a complete pipe
|>to a remote server) instead of having a hack that bypasses the local
|>endpoint and talks to a local pipe.
|  is it possible to convey the security context that has been established
|  up until that point?
Not yet, currently the whole thing is root-accessible-only. We do
actually do auth over it, as does Windows (see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/string_binding.asp).

|  the purpose of the root-only-accessible ncalrpc transport is to provide
|  communication optimisations *inside services running as root*.
Why? Windows uses them for regular users as well, otherwise there
wouldn't be much point in authentication info passing...

What would the purpose of such a root-only-accessible ncalrpc-like
transport you propose be?

|  in other words, you don't want the headache of communicating
|  between services over globally-accessible interfaces and
|  having to prove authenticity once more, whether those interfaces be
|  ncadg_ip_udp, ncacn_ip_tcp or ncacn_np or Other.
|
|  and you _also_ need to add a "ncacn_ux" to the list of available
|  transports just like there are ncacn_np etc listed above.
Already did that. Samba 4 currently supports ncacn_ip_tcp, ncacn_np,
ncacn_unix_stream and ncalrpc. For example, epmapper is available on:
"ncacn_np:[\\pipe\\epmapper]", "ncacn_ip_tcp:[135]",
"ncalrpc:[EPMAPPER]", "ncacn_unix_stream:[/tmp/epmapper]"

|  it is vital that you do not confuse the roles of the two interfaces:
|  they are mutually incompatible for the uses to which they are put.
Which interfaces are you referring to here - ncacn_unix_stream and
ncalrpc?
What is their difference, other than that they are two different transports?

Cheers,

Jelmer

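To make the binding strings quoted in the reply concrete, here is a small parser (an added example, not Samba's code) for the ObjUuid@ProtSeq:NetworkAddr[Endpoint,Option,...] layout described on the MSDN string-binding page the reply links. It assumes Samba4's convention that the first bracketed element is the endpoint and the rest are options such as sign/seal, and it classifies each binding as a local-only or a network transport, which is the distinction the security-context question turns on.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Transports named in the thread. ncalrpc and ncacn_unix_stream only reach
# the local machine (named local endpoint / Unix socket); the rest cross
# the network and therefore need their own authentication on each hop.
LOCAL_PROTSEQS = {"ncalrpc", "ncacn_unix_stream"}
NETWORK_PROTSEQS = {"ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_np"}

# Assumed grammar, modelled on the MSDN string-binding layout
# ObjUuid@ProtSeq:NetworkAddr[Endpoint,Option,...]; everything except
# ProtSeq is optional, so "ncacn_ip_tcp:[135]" means "any address, port 135".
_BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F-]{36})@)?"
    r"(?P<protseq>[a-z_]+)"
    r"(?::(?P<host>[^\[]*))?"
    r"(?:\[(?P<rest>[^\]]*)\])?$"
)

@dataclass
class Binding:
    protseq: str
    host: Optional[str]
    endpoint: Optional[str]
    options: List[str] = field(default_factory=list)
    object_uuid: Optional[str] = None

    @property
    def is_local(self) -> bool:
        """True for transports that never leave the host."""
        return self.protseq in LOCAL_PROTSEQS

    @property
    def wants_auth_protection(self) -> bool:
        """Caller asked for packet integrity or privacy (Samba 'sign'/'seal')."""
        return any(o in ("sign", "seal") for o in self.options)

def parse_binding(text: str) -> Binding:
    m = _BINDING_RE.match(text.strip())
    if not m or m.group("protseq") not in LOCAL_PROTSEQS | NETWORK_PROTSEQS:
        raise ValueError(f"unrecognised binding string: {text!r}")
    # Assumption (Samba4 convention): the first bracketed element is the
    # endpoint, the remaining comma-separated elements are options.
    parts = [p for p in (m.group("rest") or "").split(",") if p]
    return Binding(m.group("protseq"), m.group("host") or None,
                   parts[0] if parts else None, parts[1:], m.group("uuid"))
```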