FW: samba port 135 conflict with dce service on hpux

Andreas Schneider asn at samba.org
Wed Jan 17 07:45:43 UTC 2018


On Wednesday, 17 January 2018 00:48:18 CET Jeremy Allison via samba-technical 
wrote:
> On Wed, Jan 17, 2018 at 07:14:05AM +1300, Andrew Bartlett wrote:
> > On Tue, 2018-01-16 at 09:12 -0800, Jeremy Allison wrote:
> > > On Tue, Jan 16, 2018 at 04:49:56AM +0000, Kumar, Arjit (SSTO) via samba-technical wrote:
> > > > Hi Andrew,
> > > > 
> > > > dced/rpcd provides the services below, depending on how it is invoked.
> > > > 
> > > > · Endpoint Mapper
> > > > · Local Location Broker
> > > > · Host Data Management
> > > > · Server Management
> > > > · Security Validation
> > > > · Key Table Management
> > > > 
> > > > For more details of dced or services please refer to
> > > > dced(1m)<http://nixdoc.net/man-pages/HP-UX/dced.1m.html>.
> > > 
> > > How hard would it be to port these services to Samba,
> > > so that you can use the Samba DCE-RPC implementation
> > > as-is ? You need the IDL plus a backend implementation
> > > inside Samba.
> > > 
> > > Might not be harder than doing the reverse, plus the
> > > DCE-RPC implementation I would bet is a lot more secure
> > > than the old OSF code (at least people have already
> > > had a go at bashing our implementation with security
> > > review :-).
> > 
> > G'Day Jeremy,
> > 
> > Even that much might not be needed.  To use Samba's endpoint mapper the
> > HP-UX services just have to be able to register with us.  This (mostly
> > the work to have Samba accept such registrations) might not be any more
> > work than having Samba use the external one.
> > 
> > (The source3 endpoint mapper can accept registrations I think, but as
> > the source4 code never learnt how to make them it isn't used in the AD
> > DC).
> > 
> > Thankfully the endpoint mapper is one of the most boring parts of Samba
> > (which is naturally why we have two of them) and likely behaves
> > similarly enough between the original OSF code and Samba.  The only
> > 'special' thing on Samba's side in terms of externally visible features
> > would be authentication, but I can't ever recall seeing authentication
> > to port 135.
> > 
> > Beyond all that, this is simply a matter of programming (unlike say if
> > someone wanted to share the LDAP port...).
> 
> Oh if we already have the epm registration in source3 then
> it shouldn't be too hard to fix it up in the samba daemon.

I've implemented EPM registration over ncalrpc (unix socket). Only 'root' is 
able to register new services over that unix socket.

Services are using the epm_register() DCERPC call to register their endpoints.


	Andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org




