I was kicking around the idea of installing a jabber server on my
companies server to allow instant messaging on the local area network.
Would reactos.com be willing to do something like that or is that too
far out of the scope of the project.
I was going to use OpenLDAP for authentication and save all of the
conversations in XML files in both senders and recipients home
folders. I also was going to write an XSL to display those messages.
I think this would help out both developers and users of reactos.
Including future RosMessenger or something like that...
Just a though...
Rick Langschultz
rlangschultz(a)cox.net (Home)
rlangschultz(a)ellemaespa.com (Work)
rlangschultz(a)email.uophx.edu (School)
andrew bartlett, your sarcasm is totally inappropriate, and
you are completely out of line, and you damn well know it.
get a grip, and if you cannot do so, do not embarrass yourself
or the reputation of the samba team, which you represent by
utilising a "samba.org" email address, by replying at all.
i also cannot reply and tell you this because of a decision
made on the 15th december 2004 by the samba team to block all
email sent by me to samba.org and to treat any such attempts as
"net abuse".
if you pick up this message on the mailing lists i hope that
you will, should you wish to make useful contributions to
this discussion, provide a suitable email address to which i
can reply.
anyway: in order to move discussions _forward_ rather than put
it on an actively hostile footing, i will rewrite your message
in a more appropriate manner and i trust that this meets with
your approval.
i will then reply to it.
"dear luke,
thank you for raising this issue. your message is a
bit long, so i will skip most of it and mention just
one thing.
i trust that you are aware that NTLM authentication has
been provided for quite some time to external services,
in a number of ways. as you helped design one of those
methods (the winbind_auth_crap :) and guided tim in its
implementation, i am puzzled by the fact that it was not
mentioned in your message.
there is also an additional method which has been
developed in samba 3, called ntlm_auth, which has even
been utilised by a SOC Google student.
both these methods avoid reimplementation of NTLMSSP:
what therefore are you proposing that is, if at all,
different from this? i don't understand: perhaps you
could explain?
anyway, it is good to hear from you and your design
input even if it is a little bit mad is always welcome.
best regards,
andrew bartlett."
now, pretending that you have written the above paragraphs
instead of the ones below, i will proceed.
without sarcasm and without endeavouring to be totally and
blatantly and unnecessarily cruel.
dear andrew,
thanks for replying,
okay. i re-read my message several times and i _knew_ i had missed
something out - explicitly mentioning winbind.
sorry!
and no, i wasn't aware of ntlm_auth: it's good to hear of that because
yes it might prove useful.
no, of course i am not advocating that NTLMSSP be reimplemented:
i will clarify this later in this reply.
i should be clear (and this will help rob as well) that the specific
focus of my message was directed towards _reactos_ not towards wine (per
se). the requirements are therefore quite different.
yes, for _wine_ - you (and rob) are absolutely correct: ntlm_auth and
winbindd are perfectly adequate.
the reason why? samba can be run ON THE SAME MACHINE. samba is a unix
service: wine is a win32 emulation layer running _on unix_.
the reason why that is inappropriate for reactos? samba cannot run on a
win32 platform. therefore any attempt to contact a unix service will
require implementation of a POSIX subsystem in reactos as a primary
requirement!!!
... oops :)
it's that straightforward.
there is also a second difference (which isn't anything to do with what
you mention - use of winbind or ntlm_auth) which is to do with the
implementation: in reactos, things have to be done "properly" in this
area (authentication) - and that means implementing an LSASS (lsa
security service) MSV1_0.DLL and registering it with the LSASS running
in NTOSKRNL.
i do not know what has been picked / decided upon for Wine, but for
reactos MSV1_0.DLL is definitely the way forward.
what else is relevant that i may have missed... oh, yes: samba tng's
winbindd.
i added an extra "method" to winbindd, which was required for freedce's
"ntlmsspauth.so".
winbindd pre-modifications (and therefore also the version in samba
afaik) does not contain a means to utilise NT+LM hashes plus domain name
in unicode plus username in unicode, and it most certainly doesn't
return a NET_USER_INFO_3 structure.
this is an absolute critical requirement for "authorisation"
purposes - not least because the NET_USER_INFO_3 structure,
as you are undoubtedly aware (but others might not be so i
mention it for completeness), contains the 16-bit "session key".
it also contains the group SIDs etc. which are again essential
to be returned to the LsaLogonUser (and LsaLogonUserEx)
functions - see lsa.c in ReactOS code.
so, anyway, this is what i added to samba tng's winbindd and also to a
client-side function which freedce's ntlmsspauth.so module could then
use.
i do not know what nltm_auth does so i could not advise you as to
whether it would be appropriate: perhaps you could help out by pointing
people to some appropriate documentation on the ntlm_auth API, in order
to evaluate whether it would be suitable (possibly even for reactos: i
won't know until i see the API)
okay. what else.
oh, yes. the use of ntlm_auth and/or winbindd to "outsource"
authentication is, i believe, a "temporary" measure, that allows
the parallel development and maturisation of Wine / ReactOS
specific code (in the case of ReactOS, that's MSV1_0.DLL)
_without_ having to pull in a shed-load of code.
the API is basically this: send (in unicode) a plaintext
password, a domain name and a username, and receive a yes/no
answer along with a NET_USER_INFO_3 structure, from which the
session key and group sids can be "pulled".
there's also the second function LsaLogonUserEx which is i believe
"send NT+LM hashes, plus unicode domain name, unicode username, and
receive..." but it would take a little reverse-engineering to
double-check.
so yes, in conclusion, i believe that the use of ntlm_auth
and/or winbind _may_ be appropriate for Wine, is temporarily
appropriate for proof-of-concept in ReactOS, but for final
code in ReactOS, definitely not.
that's the gist: hope this helps clarify things.
l.
On Fri, Sep 02, 2005 at 11:25:36PM +1000, Andrew Bartlett wrote:
> On Fri, 2005-09-02 at 01:39 +0100, Luke Kenneth Casson Leighton wrote:
>
> I will leave the rest of this mail well aside, but I just wanted to
> clarify exactly how long we have been providing NTLM authentication
> services to external projects:
>
> > 2) write a lovely insecure method of "outsourcing" the username,
> > domain and password to an external server - Samba TNG - which performs
> > the authentication on your behalf and gets back "real" data.
> >
> > this could be done simply with a TCP connection, throw the data
> > in-the-clear over to a simple temporary shim service blah blah,
> > bob's your uncle.
>
> Like, say the winbind_auth_crap (thank Mr Potter for the name) function
> in Samba's winbindd client interface, used successfully by external
> projects (Squid in particular) since Samba 2.2?
>
> Or better still (avoiding reimplementing NTLMSSP) by calling ntlm_auth
> (shipped with Samba 3.0 since release)? Oh wait, we hooked up a Google
> SOC student to do just that, and it's working well! :-)
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc. http://suse.de
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
--
--
<a href="http://lkcl.net">http://lkcl.net</a>
--
Hi,
Somewhere in these 14000+ lines, these:
- PUSER_OBJECT_HDR hdr;
+ PUSER_OBJECT_HDR* ppHdr;
"naming" changes are going to turn into bugs. I can only see 1000 lines
of your patch, and I can already see it's more then just "naming
changes". You changed a "pointer" to a "pointer of a pointer". From
experience, I can tell you that somewhere in those 14000 lines, there's
a place where you forgot to change the dereference to match the new
definition. But how can I ever check? The diff isn't posted here, and
doing it manually would waste my time. And it also shows me that this
patch probably has a lot more then "naming" changes.
This is as of now, I think the 4th or 5th gigantic patch in this branch with
1) Dubious changes
2) Changes stuck together (naming changes with code changes, etc)
3) Still no changelog.
I am voicing my public disagreement/outcry with the way this branch is
being handled.
gdalsnes(a)svn.reactos.com wrote:
>mostly naming changes
>
> typedef struct _USER_REFERENCE_ENTRY
> {
> SINGLE_LIST_ENTRY Entry;
>
>
>- PUSER_OBJECT_HDR hdr;
>
>
>+ PUSER_OBJECT_HDR* ppHdr;
>
>
> } USER_REFERENCE_ENTRY, *PUSER_REFERENCE_ENTRY;
>
>
>
>
> *[truncated at 1000 lines; 13185 more skipped]*
Best regards,
Alex Ionescu
Hello,
We still have the cash in the foundation account for the trademark paperwork. ($525) plus about a
hundred in paypal donations not sent to the bank yet. Our lawyer and I have not compleated the
paperwork (his slackness and mine) and I have not cut him a check.
Some of us would like to put the trademark filing on hold and donate the funds to the RedCross. I
would like to have a vote on it among anyone that is a user, tester, developer, or random fan that
has donated to the project in the past. If there is a unanimous vote then I will transfer the
funds that are in our bank account and whatever is in paypal to the RedCross. If there is a single
objection then I will not.
I know this project did not get behind the tsunami relief effort (Which we should have) so even if
there is a not a unanimous vote for reallocating the foundation funds then I ask that each of you
personally donate if you can to the RedCross.
The United States Government has really fucked it up and the truth is not being reported on.
Thanks
Steven
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
why are you even posting this? if big floods come to .cz as it
came few years ago, you'll send the foundation money to .cz? you should
probably realize that there is also live outside USA. anyway, this
is ridiculous ... please cut it.
--
Best regards
Petr Matousek
... when you stare at the sun, what do you see ...
hi, rob, thanks for responding.
On Fri, Sep 02, 2005 at 12:05:24AM -0500, Robert Shearman wrote:
> Luke Kenneth Casson Leighton wrote:
> >that you - the wine team - continue to reinvent an non-interoperable
> >version of MSRPC, for binary-level "DCOM" interoperabiltiy ONLY,
> >demonstrates quite how just as bloody stupid you are being. that _can_
> >be taken as a compliment, as i genuinely i mean it with the greatest of
> >respect.
> >
> >
>
> Ok, I want to condense your huge message into a numbered list of things
> you say we need:
wheeeeee :)
> 1. Type marshaling.
> 2. IDL compiler.
> 3. RPC Server.
more specifically, rpc server "infrastructure" from which to develop,
create, compile run and support RPC servic_es_.
this you gain in the quickest possible way from FreeDCE and in the
grungiest possible way from either samba or samba tng.
> 4. Authentication.
> 5. Services (lsa, netlogon, samr, etc).
yep.
> Ok, so we are we at with Wine and ReactOS?
> 1: We need to implement this anyway because, like you crudely put it, we
> are in the crazy business of getting real code like InstallShield and
> Office 2003 to work.
muhahahahah. hey, Security-Enhanced ReactOS, anyone? :)
> 2. We can either use MIDL and accept the problems that go with it (like
> not generating code that will compile with gcc 4.0) or we can finish
> implementing proxy support in widl.
okay.
the amount of effort required to modify dceidl to support
binary-interoperability with MIDL i do not believe to be very large,
but the key bit which _will_ take some expertise (i.e. there are better
people than myself to do the job) is the adding of Win32 threading
model support to FreeDCE.
going down THIS path will GET you code that will compile with gcc 4.0
(and mingw32) AND it would be binary interoperable with MIDL.
AND it would actually work, without having to reimplement type
marshalling, which if you look at FreeDCE's marshalling/unmarshalling
code is SEVENTY THOUSAND LINES of immensely complex code.
> 3. We have support for named pipes in the RPC server,
what is the "RPC server"? i do not know of such a beast :)
> but Wine doesn't
> support remote named pipes and AFAIK ReactOS doesn't either. This is not
> a problem that should be solved by the RPC runtime.
no. it has nothing to do with the RPC runtime.
you write a plugin that implements thirty or so functions (which have
names like open, write, close etc. funnily enough :) and then register
it with the RPC subsystem (yeh, okay, probably the rpc runtime :)
e.g. the named pipe transport is called ncacn_np - network computing
architecture CoNnection-based named pipes.
and then MSRPC clients and MSRPC services can simply utilise that
transport automatically or by name.
> 4. Kai and Juan are working on delegating NTLM authentication to Samba.
ah. brilliant. that's exactly what i outlined as "stage 1" and it
should be done by implementing MSV1_0.DLL, for use by LSASS, see
LsaLogonUser in the ntoskrnl code, it's a stub at the moment, in the
reactos code.
> We still need to tie this in to the RPC server though.
i do not know what you mean by the "RPC server". no such entity
actually exists afaik.
> That should be a trivial task in comparison.
yes, which is why it is mentioned about 2/3 of the way through my
document, as "stage 1".
> Not sure how this will fit in on ReactOS.
in NTOSKRNL the LSASS implementation, which then has MSV1_0.DLL
register with it. i mentioned it in my document.
see the two occurrences of LsaLogonUser in reactos code.
> 5. Wine isn't really interested in having those types of servers,
tough luck for them.
nt domain services are a necessary and integral part of supporting win32,
even in a stand-alone environment.
wine has _bypassed_ the MSRPC bits by instead of utilising MSRPC to
split client from server they have "linked" the client-side code with
its server-side code, cutting out the MSRPC runtime altogether.
due to the incredible way that MSRPC (actually DCE/RPC) is designed, it
is perfectly feasible to do this sort of thing, and actually have your
code work (just with no networking and no distributed capability)
anyway.
if the wine team cannot be convinced of the necessity of adding
MSRPC into the mix then wine will pretty much remain in the
dark ages of interoperability along the lines of "win95 with networking
removed".
> but it
> would be nice for the client code for those to work. I'm not sure that
> porting them from Samba would be fruitful as they would fundamentally
> need to tie into the registry.
yes? :) and? :)
i have no problem with that. i'd _love_ to see a registry service
implemented in samba tng and then utilised in a samrd to access an
NT SAM hive :)
it's the way that reactos has gotta go, basically.
> So, what you are suggesting is that we instead port FreeDCE and use it
> for 1-3 (and 4?).
basically and ultimately - yep!
BUT, butbutbut - remember, i did say that it is _not_ strictly
necessary at the moment.
there are ways - and it appears that you are already considering them -
to cut down the amount of work required to "GetThingsWorking(tm)", as i
described.
> This while still having to implement (1) anyway
> because of the applications I mentioned that need it.
no, you don't have to.
you hack FreeDCE into interoperability because it IS the
rpc runtime.
remember, microsoft adopts code wholesale if they can get away with it.
they started from DCE 1.1 reference implementation and ported it to NT.
FreeDCE _is_ the DCE 1.1 reference implementation - autoconf'd and
modularised.
> Then we get to
> test two different MSRPC infrastructures and get to fix bugs in one
> without it fixing any bugs in the other. Just porting FreeDCE seems like
> a lot of work;
okay, the reason why it seems that way is because i actually know
what's involved and have described to you what's involved.
if you described to me what you are endeavouring to do in
reimplementing the rpc runtime, i can give you some time estimates on
how long it will actually take, and i guarantee you it will make the
amount of time i've outlined for porting FreeDCE look like a walk in
the park by comparison.
that's all.
remember, i did EXACTLY the same thing. i looked at the OpenGroup's
DCE/RPC documentation, and went "christ almighty i can't possibly be
doing with all this" and ignored it.
THREE YEARS LATER i was wishing in some ways that i hadn't.
the learning curve however of doing on-wire interoperability gave me
enough understanding to appreciate just how good dce/rpc really is, and
quite how much work is involved.
you would do well to LISTEN to that advice of someone who wasted three
years of their life NOT listening to advice, who followed the same path
as you are following (the not-invented-here path).
it will save you a lot of time.
you would do well to bite the bullet and utilise your wealth of
experience and knowledge learned to-date as a means to "tie in" to the
freedce code.
you _have_ enough knowledge and expertise now to be able to do that.
you alone rob have been dealing with rpc type libraries for, what, two
years now?
a function-by-function comparison of freedce and wine's rpc runtime
will show EXACTLY the same functions, EXACTLY the same arguments, and i
started to show you that some six months ago, remember?
now there is the reactos project to take into account, too.
> perhaps more work than implementing the remaining
> features in our own MSRPC infrastructure, even when including the task
> of finishing the IDL compiler. Maybe I am being blind, but it seems to
> make sense just to carry on in the direction we are going with having
> our own MSRPC implementation and being able to "dogfood" our
> implementation (i.e. use it for our own proxies/stubs at the same time
> as letting applications use it).
there is an opportunity to save _everybody_ time, right across the
project board.
i have said this in 2000 on the samba mailing lists.
i have said it on that mailing list discussion six months ago on
the wine-devel lists.
i am saying it now.
freedce is the key to interoperability for samba, wine, reactos,
because it is the same code that microsoft hacked into submission
to make the services which samba, wine and reactos are independently
implementing, without proper reference to each other.
samba is implementing "on-the-wire" interoperability without the
type-libary interoperability and without the IDL-level and
runtime-level interoperability.
wine and reactos are implementing "binary-level" interoperability and
are avoiding IDL-level and on-wire-level interoperability (by
suggesting to developers that they utilise MIDL.EXE)
this is complete madness.
wine will end up with 100,000 lines of hacked-together and
incomplete code. samba has two hacked-together projects
of about 100,000 lines of code each. samba tng has its
own hacked-together and equally but differently incomplete
implementation.
whereas FreeDCE is 250,000 lines of code that provides IDL-level
interoperability, on-wire level interoperability, and the things that
it is missing - win32 threading support, modern (posix) threading
support and exact byte-for-byte type library interoperability are
TRIVIAL trivial TRIVIAL computer-science first and second year
university projects by comparison.
each time i mention this, the people implementing their own
non-interoperable projects in their own little worlds get
deeper and deeper into the shit.
if i can't convince people that this is the way forward then
i will simply have to give up and come back in five years
and see how people are getting on.
l.
--
--
<a href="http://lkcl.net">http://lkcl.net</a>
--
[please note: due to its cross-discipline and cross-project nature,
this message is going out to SEVERAL related project mailing lists.
when replying, please take EXTRA caution not least because some of
these lists are subscriber-only. also, please note: i _would_
post this also to the samba mailing lists but due to the fascist
censorship in place since the 15th dec 2004, i am unable to do so.
this is their decision and it is their loss. i am not asking you
to respect that decision i am simply making you aware of it.]
hi,
out the woodwork i pop - not necessarily ready to chew anything because
i know just how much work's involved, but what i did want to do was
say "hi, i'm still here" and do a brain-dump of how authentication
ideally needs to be implemented in reactos.
at 2,600 words and 16k, this message is quite long and so i have
placed a copy at http://lkcl.net/software/reports/reactos-auth.txt,
just in case it doesn't make it past various mailing-list limits
(i'll find out in a couple of minutes... :)
it breaks down into a number of sections:
1) i describe the timescales and ways to cut them,
along with some warnings and stuff.
2) amonst other stuff i outline some background as to
why i am posting this to so many lists.
3) i outline a project plan and the dependencies
and "optional" steps,
4) i describe a recommended implementation
roadmap starting with the "minimum" requirements,
and expand on some technical info and references
i found, which would help with some of the
"nice-to-have" steps.
so. first.
please do not be scared by how much work is involved, and how much code
there is. it all hinges one ONE function and that one function... you
are _not_ going to believe how much code that one function drags in,
kicking and screaming, behind it.
please also please i beg you DO NOT consider going "bleedin 'ellfire,
that's so much frakkin work we can't POSSIBLY do it the way you
describe, we MUST do it our own way, starting with what we know, love
and have already started tackling, and can't possibly back out of what
we've already done".
should you choose to exercise the "NIH" option, i frakkin
guarantee you that you will waste about five to eight years
of your (collective) lives reinventing the wheel.
"The Plan" outlined here will shave that down to about 12 to 18 months,
utilising some SIX HUNDRED THOUSAND lines of pre-existing code, and
later in this message i also outline a prioritisation of the necessary
work to "cut down" the time to maybe about ... mmm... three or so
months, by leaving out some of the "nice-to-have" stuff. actually...
_all_ of the nice-to-have stuff :)
that will at least "GetItWorking(tm)" and the rest of the bits
can be considered at leisure once people go "god that's awful,
we can't possibly leave it like that" and hopefully hopefully
things will actually progress from there.
remember - please: this stuff is sufficiently complicated such that
you really can't afford the niceties such as "It Must Be Perfect (tm)"
before it can be accepted. i've seen that shit before, and it's
a baad mxxxxxxxer path to go down, especially with such complex
and heavily interdependant reverse-engineering projects as reactos,
wine, samba and freedce.
anyway.
fyi - before i begin, i should mention a couple of things:
1) this message also goes out the the apache devel mailing
list (specifically the APR one) because the NT style
authentication thing is the sort of thing that really _should_
be in a (special?) APR util library, along with "NT Named Pipes" -
see http://en.wikipedia.org/wiki/NamedPipes
one of the reasons why NT-style NamedPipes is _not_ in an APR util is
because it is believed that NT-style NamedPipes do not fit the
"least common denominator". by having the infrastructure outlined
below, it is possible to move things "up one level" to the point
where unix _has_ that denominononmination.
also, if APR still has support for that god-awful program-running
program called Win95, it would, with not much extra effort, be
possible to port some reactos components to Win95 (!) such that
ThePlan outlined here would make Win95 have proper NT-style
authentication (!) now there's a horrible thought that will give
MS and free software people nightmares both: upgrading Win95 by
installing free software components at it. muhahahahah ahem.
2) i have filled in a number of pages on wikipedia.org. see
http://en.wikipedia.org/wiki/User:lkcl. please take the time to
review these pages, PLEASE help me with my totally biased "POV"
(point-of-view) comments, by either editing the pages direct or by adding
comments on the "talk" pages as appropriate. or alternatively dumping
me in the nearest pond if ever you meet me.
wikipedia is supposed to be encyclopedia-ic and some of my
comments are anything but that.
help!!!
3) please due to the quite broad distribution of this message across
multiple mailing lists, please do NOT ask stupid questions like
"what the hell do we need to use samba tng for, why can't we use samba
in reactos"? and "why is this guy bothering us with this insane stuff?"
and "how do i use killfiles?" or terry pratchett's - more specifically
the librarian's favourite - "where has all the pie and custard gone?"
please do your research: see if nothing else
http://en.wikipedia.org/wiki/Samba_TNG_software and then start googling.
anyway.
onward.
roughly in order of dependence, with "nice-to-have" status added as
well:
1) port FreeDCE to Win32 - more specifically add in autoconf support for an
alternative threading model - the one in reactos. no, this is not a joke:
MSRPC is a critical part of NT infrastructure it's just that very few people
are actually aware of this (including the US DoJ and the EU commission...)
see http://www.google.co.uk/search?q=lkcl+wine+freedce for discussion
links as to why - it's a long story and it took me several dozen
messages spanning over many days to outline it in sufficient detail
for it to be understood (mostly me getting things straight in my
head...)
status: "nice to have" but you will soon wish that you _did_ have it!!!
there is also an opportunity to support Wine, here: essentially
it's the same job, for DCOM, for proper "authentication"
purposes in Wine just like in ReactOS... it's a long story.
2) remove dependence on "unix" security model from Samba TNG's services
starting with samrd (perhaps by finishing off samrtdbd?)
status: "essential".
sub-projects:
a) in Samba TNG, rework winbindd such that it is a REQUIRED service,
and it has "modes" that, instead of "inventing" links between
unix uids and nt sids, it reads smbpasswd and correlates unix uids
with nt sids _just_ like is done now - but hard-coded through
the awful code that has had to dieee since... about two weeks after
i wrote it, back in 1999.
this one's a long story but it's not actually required for
reactos but _might_ be required for wine...
status: "pretty much essential" but not for reactos but for making life
easy to share tng development between reactos and unix.
b) in Samba TNG, make the authentication code (smb-side and rpc server
back-end-wise) contact winbindd BUT ONLY for resolving unix uids and
unix gids - which is actually a VERY small task involving a few
hundred lines of code.
this goes back to the "SURS" stuff i wrote up in 1999 - but instead
of a library it hands off the responsibility for sid<->uid+gid
lookups to winbindd.
it _may_ also be essential for Wine to operate correctly
with authentication (which is a "stub" at the moment just
like it is in reactos), to interoperate with other programs,
to cache login credentials in order to do smb client-side
operations, that sort of thing, under which circumstances,
it will be necessary for Wine to have the same sort of thing.
it's no big deal :)
status: same as for 2a).
c) in Samba TNG, abandon all use of hard-coded MSRPC stuff and utilise
FreeDCE instead, and do a rewrite of all services, one by one
(and because samba tng is modular, this _can_ be done one-by-one,
checking MSRPC interoperability along the way between the "old"
services, the "new" services, and also with NT itself).
in and of itself, this critically depends on making
DCEThreads reliable, though, or adding support (finally!) for
POSIX threads.
status: "non-essential" but you would soon end up wishing that you had :)
3) complete LsaLogonUser, add LsaLogonUserEx, in NTOSKRNL.DLL, and
friends.
my favourites. the LSASS stuff.
these functions are quite simple: they are "redirectors" - a vector
table of functions is required to be passed in, which includes things
like "authenticate with my lovely service" and "free some memory".
there are many LSASS sub-services: one of them is Netware, one of
them is MSV1_0.DLL, one of them is Kerberos.
there are others.
LSASS is based on _exactly_ the same technique that dlopen does e.g
in libdvdcss, and in freedce's ntlmsspauth.so, and in... mmm...
the freedce transport module infrastructure and _many_ other
projects ... except of course it's NT-based table of
higher-order-functions not unix "dlopen()" ones.
i'll stop trying to teach people to suck eggs, now *embarrassed* :)
status: "essential".
sub-projects:
a) write an MSV1_0.DLL which registers with the LSASS service.
this will utilise MSRPC functions that call into the Samba TNG
"NETLOGON" service.
there already exists "basic" functions inside Samba TNG that...
well... it's a bit messy, but they work.
the key function to be calling is cli_nt_login_interactive,
and you will notice _very_ quickly from the arguments hey, some
of those look... kinda... familiar!!
see http://viewcvs.samba-tng.org/cgi-bin/viewcvs.cgi/tng/source/rpc_client/cli_…
status: "essential."
the "porting" bit of this code to FreeDCE i would classify as
"non-essential" but again, you will soon wish that you _were_ using
FreeDCE.
that's basically it: there are other sub-projects such as
turning the "Registry" code in ReactOS (or Wine) into an MSRPC
service (yes, i did say pretty much everything that's anything
critical in NT is an MSRPC service, didn't i? :) but they aren't
"essential".
i say basically it, but that ONE stupid function, cli_nt_login_interactive,
drags in quite literally HALF A MILLION lines of code - 250,000 lines of
it in FreeDCE, alone (which, like i said, could possibly be avoided but
the hard-coded MSRPC stuff in samba tng is sufficiently awkward to make
a rewrite utilising FreeDCE very attractive).
what i would suggest is the following:
1) write an MSV1_0.DLL "test stub" in combination with completing the
LSASS functions, which supports a username "test", domain of "test" and
password of "test".
code up a hard-coded "blob" - a NET_USER_INFO_3 structure - that contains
the response / essential information of groups, gids, sids, user session
key etc.
see http://viewcvs.samba-tng.org/cgi-bin/viewcvs.cgi/tng/source/include/rpc_net…
(note: i _did_ say it would be nice to utilise FreeDCE didn't i? well,
the NET_USER_INFO_3 structure in that header file is a "messy" version that
i recreated from off-the-wire back in about ... mmmm... 1997. there
_do_ exist IDL-generated versions of this data structure, thanks to
matthew chapman - NETLOGON.idl for example).
once that works...
2) write a lovely insecure method of "outsourcing" the username,
domain and password to an external server - Samba TNG - which performs
the authentication on your behalf and gets back "real" data.
this could be done simply with a TCP connection, throw the data
in-the-clear over to a simple temporary shim service blah blah,
bob's your uncle.
3) port samba tng's netlogond, samrd and lsarpcd to ReactOS.
this is quite straightforward: about the only really essential
"missing" bit is to tie the services in to "NT Named Pipes" rather
than unix domain sockets.
_but_ - they only need to be plugged in to a back-end transport
which all services - any of samba tng's MSRPC services - would
use. so there's a key bit of work needed - probably under
400 lines of code - and the rest should fall into place.
this is where it would be SO much easier to be utilising FreeDCE.
all that's needed would be to write a FreeDCE "transport"
plugin for ReactOS - ncacn_np - and then you'd be DONE.
it's a long story...
hey, has someone implemented TransactNamedPipe() and CreateNamedPipe()
in ReactOS?
if not, it's quite straightforward to do, and it involves dropping
opaque data blobs onto smbd (again, smbd ported to reactos...)
i _did_ say it's a long story, didn't i? :)
4) finally: track down how "LsaLogonUserEx" works. LsaLogonUser
utilises cleartext passwords. LsaLogonUserEx i BELIEVE utilises NT and
LM password hashes, or some brain-dead encrypted variant thereof.
once 1) is completed, then TA-DAAAAA!!! lib/secur/lsa.c's "LsaLogonUser"
function actually gets REAL DATA!
okay.
notes:
1) regarding FreeDCE. see http://en.wikipedia.org/wiki/FreeDCE
freedce is an interoperable version of MSRPC that is derived from
EXACTLY the same source code (DCE 1.0 reference implementation) that
is present in Windows NT.
DCE/RPC was co-opted / adopted / borg-ified by microsoft to form
the basis of NT domains because paul leach, a co-founder of
apollo computers and originator of NCS which became DCE/RPC,
ended up working for microsoft back at the time when dave
cutler was doing the original NT 3.1.
using FreeDCE is non-essential for small projects of less than about
8,000 lines of code. Samba TNG's MSRPC code comprises OVER ONE HUNDRED
THOUSAND lines of code.
that i carried on hand-crafting MSRPC packets for three years simply
demonstrates quite how bloody stupid i am.
that you - the wine team - continue to reinvent an non-interoperable
version of MSRPC, for binary-level "DCOM" interoperabiltiy ONLY,
demonstrates quite how just as bloody stupid you are being. that _can_
be taken as a compliment, as i genuinely i mean it with the greatest of
respect.
2) regarding a strategy to "minimise" the amount of time needed to
"Get Things Working".
a) utilise samba tng as-it-is, porting it as-is to ReactOS (mingw32)
b) utilise cli_nt_login_interactive() as-it-is.
c) complete MSV1_0.DLL.
this will be SUFFICIENT and would only take a few months. enhancements
come later, roughly in this order:
a) complete a port of FreeDCE to ReactOS, by beating DCEthreads to
death and replacing it with Win32 (NT) threads - #ifdef style,
autoconf style.
b) locate NETLOGON.idl, samr.idl and lsarpc.idl from matthew chapman's
stuff, or from "todd sabin's" http://razor.bindview.com, or from
the samba web site.
actually... see: http://www.bindview.com/services/razor/utilities/
compile up CLIENT-SIDE ONLY, using dceidl, and create a
library for use inside MSV1_0.DLL.
i know todd developed interoperable versions of these idl files,
because he was using them, compiled with MIDL.EXE, to do security
tests against NT 4.0. remember: these IDL files are what microsoft
DOESN'T want anyone to have, and there are very good _legitimate_
reasons for it: they are "behind-the-scenes" APIs which, if some
idiot inside microsoft went and wrote a tool which became publicly
used and relied on, they would be stuffed: they have ENOUGH apis
which date back 15 years and they don't need any more. that
having been said, i hate the fact that they are forcing people
to pay $50k up-front and then $100 per-client for frakkin
_information_. bastards.
c) replace cli_nt_login_interactive() with a function that utilises
the above library that utilises netlogon, samr and lsarpc client-side
stuff from b) above.
basically, what it boils down to is that the functions inside
cli_nt_login_interactive i wrote BY HAND after examining MSRPC
traffic. those functions neeeed too dieeee and they can easily
be replaced one-by-one with the "proper" versions from doing
"dceidl -client lsarpc.idl". it takes a couple of seconds and
you get a header file lsarpc.h and a lsarpc.o and you're DONE.
question. why did i spend so long doing hand-marshalling of the
nt domains code. perhaps because i would not be able to give
microsoft absolute hell for three frakkin years?
d) consider porting, one-by-one, the Samba TNG services lsarpcd,
netlogond and samrd (or better samrtdbd) to FreeDCE runtime
infrastructure.
this is NOT essential but it is very worthwhile. every project
needs to do at least two throw-aways and with the samba tng
code, there has been approximately one and a half throwaways
so far... time for a major one, ESPECIALLY in light of the reactos
project.
FINALLY:
e) consider writing that winregd service but actually picking up REAL
registry hive files. someone did write a "reader" of registry files,
i do not recall who it was.
[note: YESSSS!!! yeeeeeehawww, todd i could KISS you!!]
http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm
todd wrote a registry-hive-reader as a linux filesystem driver!!!!!
todd, you are bloody mad. *smooch*.
f) consider writing a samr service with the FreeDCE runtime
that utilises "registry" functions RegXXXX - _properly_.
anyway, if you got this far: congratulations and welcome to a brief
nightmare history of the development behind NT Domains Authentication.
all of the infrastructure above _already_ exists - in Samba TNG.
it's just... it works. it's a bit creaky at the edges, but it works.
how about it?
l.
p.s. it almost goes without saying, but i will hint at it once again:
you will not find the samba team's goals and strategic direction to be
compatible with reactos. as a team, they lack the insight, vision and
project management skills to be able to cope with such inter-dependant
insane gibberish. this i say with much sadness because they are highly
respected individuals in the free software community, and yet they are
taking the samba project in very different - and ultimately
time-consuming - directions from what is really really needed. due
to pride they cannot admit this in public but they have been known
to admit it in private. much much disappointment and sadness and there's
absolutely nothing i can do about it.
--
--
<a href="http://lkcl.net">http://lkcl.net</a>
--
ReactOS 'Support Database' for the new ReactOS Homepage
I wrote down a lot of ideas, questions, soulutions, goals, etc. for the
upcoming Support Database!
We need more ideas, suggestions, comments, etc! Please read the whole text
and then write an email to the mailing list! This text should start
discussion about that topic !!!
Thanks!
Note:
* some of the ideas are not completely new, i copy&paste the from winehq's
newsletter archive (i quoted the winehq's ideas and add the original post
date)!
* I have added some useful links at the of the text! Please try out the
links and explore the compatibility databases from other projects! You will
need it if you want to join the discussion. And I *hope* a lot of persons
join the discussion! So please visite the links and write down what could be
better or what's key features our database also should *clone*!
The 'Support Database' will contain the following 'databases':
* Compatibility Database (application, driver and hardware)
* Package Database (a list of download-able applications/driver; principal
for the ReactOS Package Manager)
(* Media Database (like the ReactOS Fansite Media Database; maybe we can
implement this later))
The 'Support Database' (project codename 'RosDB') will base on the package
manager alpha page that i have created april 2005.
Note: the package database will be combined with the compatibility datbase.
Both 'databases' will share the same 'application tree'! So it will be easy
e.g. you browse the compatibility db, you found a working app and think, "i
also want to download this app", then you will be able to click on a link
(on a central position) and you will be redirected to the package database.
In near future it should be possible (if you run ReactOS or Win32 with
installed and runing ReactOS Package Manager), that you can select your
favorite apps/driver you want to install (navigation like
amazone/ebay/compatibility db) and then click install (a normal link on the
package manager page) and your running (maybe as a service) ReactOS Package
Manager check/capture every clipboard item and if it is a valid 'package
style link' then it will connect to the online database and download all the
selected apps/driver and download it from mirror server (from their
developers/sourceforge/etc.) and then install all items (without or with
minimum of user interaction). In my (frik85) opinion, that would be one of
the 'hottest' feature someone can imagine (in connection with a homepage,
package manager, etc.).
This feature will became a main feature and everyone will use that *hope*
for ReactOs and also possible for Win32 (from MS). :) -- frik85
"ReactOS Compatibility Database
ReactOS has an Compatibility Database where Windows
application/driver/hardware compatibility is recorded. Registered users can
submit new items, and comment on existing ones. Screen shots are also
available for many apps. Users can also vote on their favorite apps." -- a
possible description
Design goals User wants to know following things:
* Does my application/driver/hardware work?
* How can I make it work?
* Does it work in the new ReactOS/application/driver/hardware version?
* Where can i download the application (maybe with the ReactOS Package
Manager)?
* list all working and non working application/driver/hardware
Management Issues/Goals:
We need a high 'input data quality', then the administration work will be a
minimum.
To reach this high data quality, i want to code a simple to use wizard for
the 'submit item' page.
You can view the sample wizard on the package manager alpha page (see link).
Have some form of a moderation system to let end users know the quality of a
given persons entry.
Maybe like the appDB from winehq? Where a registered user can ask for a kind
of moderator right for one specific item (e.g. application), so he can
manage the comments, add new info, etc.
-> taking ownership of an item (e.g. application): monitor comments on it,
track bugs (close bugs), and make sure quality level is high for application
description.
NO redundant entries for the same product! We need moderators who review all
new entries. The moderators should be able to read as many comments as
possible and help the normal users, report bugs to the bugzilla system, etc.
Reviews (aka user comments) should expire. (expire time 1 year?)
Track hit counts on each item (auto magic way of knowing which apps are most
desired) and maybe voting like in appDB (WineHQ) or in C4 (CodeWeaver).
Some ideas i found in old winehq's neewsletters: (maybe useful for our
project!)
"Idea: Tie the apps database to the api database. The idea is that we know
from the apps database which apps are the most popular. We know from the api
database which DLLs/entry points are used by those apps. We can then create
a report out of the api database of the list of the DLLs most needed by the
top ten apps, and then people writing test scripts (something Alexandre and
John Sturtz are working on), have a prioritized todo list. Again, this helps
us find useful things for the many volunteers to do." -- winehq newsletter
from 18 Oct 2000
Note: maybe a good idea to create such a api database; -> a simalar api
status output is currently generated from the svn server (with a small
console based application, see build tools).
You can view the api status on the svn server. A great chance to import the
data to the database and make the idea above possible! The only question, is
it usefull for someone? -- frik85
"Idea: Tie the apps database to bugzilla. If users have a problem with an
app, it's a bug, and should be in bugzilla. If we can get to a point where
we can easily get a report that says 'here are all the bugs that Quicken
depends on'. Or, here are the five bugs, the fixing of which will make 50
apps suddenly work. This would be wicked cool." -- winehq newsletter from 18
Oct 2000
Note: the bugzilla will be a subsystem of the RosCMS, so it will be (maybe)
possible to implement the idea above. Is something like this usefull for
someone? -- frik85
"if we add some 'relay statistics' in Wine code (of course, there will be
problems with COM objects where relaying does not work for now) and
incorporate these statistics in the database, we could have a list of the
most frequently used Windows calls.
(feel free to add new ideas for improvements :-) )" -- winehq newsletter
from 28 Dec 2000
"He [who take ownership of an item] definitely should have the application
installed and, very preferably, he should also be using it regularly (or
testing it regularly if it is not yet in the usable state). You are right in
pointing out that he cannot test all possible but I contend he does not have
to. His role would be to:
read the comments entered in the application's comment section.
engage into a discussion with the users who post interesting tricks,
information, report a sub-version as not working, report problems with a
specific Wine/Windows combination
extract and summarize the above in his application status report. This
section would come first in the application's page and only the application
maintainer would be allowed to modify it (whether it's strictly enforced or
not is another issue)
test the application regularly and update the information on the
application's page
help users having problems with that application " -- winehq newsletter from
28 Dec 2000
"Jeremy White proposed some scheme to help keeping the database usable: I
think the biggest problem with the app database is that we get garbage in,
it produces garbage out. I think we should not report or even use any user
scores until a trusted app db maintainer has validated that user experience
(and possibly users can become trusted reporters). Too many people say 'Hey!
The main screen came up! That's a 5! Witness the Slashdot post about MS
Office 2k. (anyone actually try to use Office 2K in Wine to author a sizable
document?)." -- winehq newsletter from 28 Dec 2000
The information we will gain from the support database
* the progress of ReactOS (for devs and normal user)
* the most wanted applications (when we implement a voting / hit counts
feature)
* a reference for application/driver/hardware that doesn't work without
tweaking, to get them working
* people may be able taking 'ownership' of an application and do regular bug
reports / regression testings).
Several questions, where we need a answer:
"How to 'classify' applications ?: the main point was how an application
should be identified (think of Word 5 vs. WinWord 5 cs. Word 7.0, and lots
of other quirks (limited versions, demo version, patched versions...)
What information should we have about an application ?: this would help in
knowing the correct context of execution of such an application (target
Windows version, used DLLs, used APIs...)" -- winehq newsletter from 28 Dec
2000
* And about a ReactOS releases ?
* How about scoring ?
* What additional information should one application/driver/hardware have?
We need as much ideas, (feedback after the relaunch/while the testing
phase), comments, (and flames) as possible the next weeks. After the website
relaunch We need volunteers to take responsibility for updating Apps in the
Compatibility Database.
We need to discuss this!
Then after the discussions ... only remains the hours of coding and
debugging to put it in place :)
Compatibility Databases from other projects:
http://appdb.winehq.org/http://www.codeweavers.com/compatibility/http://www.linuxcompatible.org/compatibility.htmlhttp://www.ntcompatible.com/compatibility.htmlhttp://www.microsoft.com/whdc/hcl/default.mspxttp://www.realtimesoft.com/multimon/search.asphttp://hardwaredb.suse.de/index.php?LANG=en_UKhttp://www.testingstandards.co.uk/compatibility_-_database.htmhttp://www.yellowtab.com/support/hardware/http://www.iyonix.com/software/http://www.ardi.com/compat_search.php?name=ALL&category=ALL&status=ALL
A kind of Package Database:
http://rpmseek.com/index.html?hl=en
If you know other websites that should be listed here, please write an email
to the mailing list!
Best regards,
Klemens Friedl <frik85>
PS: if you write a comment, do NOT quote whole passages or do NOT quote the
whole text! The reason, emails should be readable ...
--
GMX DSL = Maximale Leistung zum minimalen Preis!
2000 MB nur 2,99, Flatrate ab 4,99 Euro/Monat: http://www.gmx.net/de/go/dsl
This makes it totally perfect for embedded applications like Set-top-boxes or Routers or why not game consoles right?
/Jaix
----Ursprungligt meddelande-----
From: Emanuele Aliberti ea(a)iol.it
Date: Thu, 1 Sep 2005 06:37:19 +0200
To: ReactOS Development List ros-dev(a)reactos.com
Subject: Re: [ros-dev] New Webserver System
> Richard Campbell wrote:
>
> > Well, i don't know about other devs around here, but i don't WANT
> > ReactOS to become another XP.
> >
> > Windows XP typically consumes over a GB of space.
> >
> > Remember NT4? It took between 30 and 100 mb of space depending on
> > features. Windows 95? About 15 MB. If users want additional apps,
> > they can either download them, or use a custom ROS distro that will
> > include such things. The source tree is cluttered enough as it is.
> > ReactOS should only include the basic software that earlier versions
> > shipped with...a notepad clone, possibly a wordpad clone, basic net
> > utils, etc.
>
> Also the Win32 subsystem is not technically necessary. All Win32 pieces
> could be moved off the main reactos tree and included as optional
> linking them from modules. I proposed it years ago. It is not an easy
> task, though, because setup should know that, if the user asks for no
> personalty at all, it should install none (now win32 is by default in).
> Personalities (win, posix, os2, vms, ...) should come on the cd-rom as
> separate cab files and post install procedures add registry entries,
> create directoryes etc. A no-personality ReactOS will be a really light
> OS, perfect for custom text/graphics boxes (you just need writing an
> entry in the registry for the session manager to start your native
> program, which will be the only user program in the box (excluding the
> sm itself).
>
> --
> :Emanuele Aliberti
>
> _______________________________________________
> Ros-dev mailing list
> Ros-dev(a)reactos.com
> http://reactos.com:8080/mailman/listinfo/ros-dev
Yours sincerely,
Jaix Bly