RpcImpersonateClient (and ImpersonateNamedPipeClient)
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Thu Jan 20 11:45:02 CST 2005
On Thu, Jan 20, 2005 at 09:08:27AM -0800, Juan Lang wrote:
> Hi Luke, you said:
> > that's where you'd need the cooperation of samba / samba tng:
> > it's got "SIDs" behind it, and "SIDs" means a SAMR server
> > and a NETLOGON server and an LSARPC server (and in the
> > case of windows 2000 interoperability, access to an Active
> > Directory Server).
>
> Another possibility is that we implement our own version of a SAM. Right
> now we just return a fake Administrator SID every time we're asked for
> one. But if we absolutely needed to, we could implement a local version
> and it needn't even be a separate process. The NT SAM registry is pretty
> well reverse engineered here:
> http://neworder.box.sk/files/nullak_ntsecurity/index.php
hah, coooool! that's so hilarious.
okay, yep - the bit here:
\HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%RID%\V
(variable length, 424+)
that's just a SAMR_USER_INFO_21 structure - been there, done that.
see here:
http://viewcvs.samba-tng.org/cgi-bin/viewcvs.cgi/tng/source/include/rpc_samr.h?rev=1.18&content-type=text/vnd.viewcvs-markup
by the way - does anyone understand the SamrQueryAliasMembers function
and the SamrQueryUserAliases function?
these are the _weirdest_ functions i ever heard about and i really
haven't understood them well.
> > you can always still implement RpcImpersonateClient as a stub.
>
> Yah. I think that's more likely than that we go whole-hog on it.
_great_ because if you do that, i'm likely to rip that off whole-sale
for use behind a DCE/RPC interface - using samr.idl (from which samr.h
has been generated) - see:
http://hands.com/~lkcl/samr
> From
> experience, it's often more important to get things like parameters and
> error codes just the way Windows programs expect than it is to make a
> function "really work." By implementing a stubbed or local-only version,
> we can figure out all this stuff, and maybe make a full-blown version
> later.
see below, because if you implement "stub" versions, and
the intercommunications (in this case DCE/RPC), it will be
possible to "drop in" a replacement like samba tng's services
or even if the samba team will cooperate, a samba 3 or even
a samba 4 server.
at run-time.
because that's what DCE/RPC gives you: binary-level separation and
network-defined interface points.
it's just so utterly cool.
> and later,
> > it _does_ mean careful design because i doubt very much whether people
> > will be happy to have samba tng as a dependency on Wine.
>
> Agreed. The focus for the Wine folks is generally, does this get my app
> to work? Unless it's fixing an app, not too many folks are likely to get
> real excited by anything.
>
> Feel free to point out what we've been missing. Patches speak louder than
> anything here :)
would you be _really_ ready for a couple of hundred thousand lines of
code??? virtually the _entire_ samba tng project _and_ the freedce
project???
*lol* :)
no, but seriously, as you can see by the thing sparked off by
rob's RpcImpersonateClient question, there's a whole _truck_
load of code needed that sort of "hangs together".
combine that with the fact that you (wine) _must_ conform
_exactly_ to the required APIs at both a header-file level,
IDL file level, binary level, pretty-much-everything level,
if one group implements one part (behind, say, samr.h to
produce samr.dll) then that's _exactly_ what's needed for
samba tng.
and also the corrolololorary is that if you can get the
rpcrt4.dll working _properly_ - i.e. wire-compatible with
DCE/RPC / MSRPC, then you won't _need_ to do any work on
producing a samr dll, you can just communicate directly with
samba tng's samr server.
plus various other combinations along the same lines that
would do everyone's heads in to enumerate.
l.
More information about the wine-devel
mailing list