outsourcing DCE/RPC to alternate programs - runtime config option

Luke Kenneth Casson Leighton lkcl at lkcl.net
Sun Dec 12 17:58:24 GMT 2004


On Sun, Dec 12, 2004 at 05:06:37PM +0100, Jelmer Vernooij wrote:
> Luke Kenneth Casson Leighton wrote:
> | On Sun, Dec 12, 2004 at 12:16:13PM +0000, Luke Kenneth Casson Leighton wrote:
> |>>|  i assume the samba 4 ncalrpc implementation is root-only-accessible, yes?
> |>>Yes, at the moment.
> |>>
> |>>|  or, did you find a solution to opening /var/ncalrpc/ local transports
> |>>|  as ordinary users?
> |>>We haven't looked at that yet though we will need to in the future -
> |>>I've been working on some GUI utilities that need to talk to the local
> |>>smbd somehow - ncalrpc would fit in perfectly here.
> |  summary: no it wouldn't, because ncalrpc solves a different problem.
> |

> ...but a ncacn_ux or ncacn_shmem _would_ fit the scenario you envisage.

 ah :)  no it wouldn't - not entirely.

 the key difference between ncacn_ux and samba tng's ncalrpc is the
 ability, like ncacn_np, to inherit the callee's security context.

 ncacn_ux cannot do that: it starts off as an unauthenticated transport,
 and you have to _perform_ authentication over it.

 that takes CPU cycles, in the case of NT authentication it takes dozens
 of round-trip communications waking up four or five separate services.

 ... you just can't afford to let that happen all the time,
 just because you're contacting another service - you could
 potentially end up with disastrous recursive authentication
 behaviour (and before i added sec-ctx inheritance to tng's
 ncalrpc,  i _did_ once get a massive number of samrd, netlogond
 and lsad processes until the box fell over :)

 hence the optimisation in samba tng's ncalrpc implementation: once you
 have a security context, pass it around, in the knowledge that you are
 passing it between services that are running _as_ root, over a
 transport that is root-only-accessible.

 saves an awful lot of time.

 l.
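The trust rule the message describes (inherit a forwarded security context only over a root-only transport from a root peer, otherwise authenticate) as an added example in Python; this is not Samba TNG's or Samba 4's code, and `SecurityContext`, `resolve_context`, the `authenticate` callback and the Linux `SO_PEERCRED` peer check are this example's own assumptions.

```python
import os
import socket
import stat
import struct
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class SecurityContext:
    """Identity a service would otherwise have to establish with a full (costly) logon."""
    user: str
    uid: int

def peer_uid(sock: socket.socket) -> int:
    """uid of the process at the other end of a Unix-domain socket (Linux SO_PEERCRED: pid, uid, gid)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

def transport_is_root_only(socket_dir: str) -> bool:
    """True when the socket directory is owned by root with no group/other access (mode 0700)."""
    st = os.stat(socket_dir)
    return st.st_uid == 0 and (stat.S_IMODE(st.st_mode) & 0o077) == 0

def resolve_context(caller_uid: int, root_only_transport: bool,
                    forwarded: Optional[SecurityContext],
                    authenticate: Callable[[], SecurityContext]) -> SecurityContext:
    """Inherit a forwarded context only when the transport is root-only AND the peer is root;
    otherwise fall back to authenticating over the transport (the ncacn_ux case), so an
    unprivileged local peer can never assert an identity it has not proven."""
    if forwarded is not None and root_only_transport and caller_uid == 0:
        return forwarded
    return authenticate()

def serve_connection(conn, socket_dir, forwarded, authenticate) -> SecurityContext:
    """Per-connection entry: decide from the real peer credentials, not from any claim in the message."""
    return resolve_context(peer_uid(conn), transport_is_root_only(socket_dir), forwarded, authenticate)

def local_pair_uids() -> tuple:
    """Constructed sanity check: over a socketpair the peer is this very process."""
    a, b = socket.socketpair(socket.AF_UNIX)
    try:
        return peer_uid(a), os.getuid()
    finally:
        a.close(); b.close()
```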
