On Mon, 2009-12-14 at 19:22 +1100, Brad Hards wrote:
> I couldn't find a specific description of what "encrypted" means
> in this context, but there is a bit of description in MS-RPCE
> (Section 3.3.1.5.2.2 "Using a Security Context")

Hi Brad,

I did a bit of research and digging through Wireshark captures, and I think I've finally come up with a solution.

The RPC_C_AUTHN_LEVEL_PKT_PRIVACY is implemented in Samba4 as the DCERPC_AUTH_LEVEL_PRIVACY dcerpc Auth_Level flag. This flag can be activated when the binding string includes the "seal" flag.

I have written a very basic/preliminary patch (attached to this email) which I've tested against Exchange 2003. The communications (RFR, NSPI and EMSMDB) are set with SPNEGO and PRIVACY (6) flags and the contents are encrypted as expected.

If this patch solves the issue with Exchange 2010, I'll refactor it to make it more reliable and target inclusion within the 0.9 release.

> > Finally we may definitely need to implement and use the Exchange2003
> > pipe versions (EcDoConnectEx and EcDoRpcExt2).
> It looks like backwards compatibility may have saved us :-) This isn't to
> suggest we don't need those at all (and indeed we may need them for
> the encrypted case here).

Exchange 2003 + encryption works fine with our pipe implementation. I'll see if similar behavior happens with 2k10.

Cheers,
Julien.

Julien Kerihuel
[email protected]
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A B609 7EF6 FE11 A35F 1F79

Index: libmapi/IMSProvider.c
===================================================================
--- libmapi/IMSProvider.c (revision 1601)
+++ libmapi/IMSProvider.c (working copy)
@@ -97,7 +97,7 @@
mem_ctx = (TALLOC_CTX *)session;
profile = session->profile;
- binding = talloc_asprintf(mem_ctx, "ncacn_ip_tcp:%s%s", server, ((global_mapi_ctx->dumpdata == true) ? "[print]" : "[]"));
+ binding = talloc_asprintf(mem_ctx, "ncacn_ip_tcp:%s%s", server, ((global_mapi_ctx->dumpdata == true) ? "[print,seal]" : "[seal]"));
status = provider_rpc_connection(mem_ctx, &pipe, binding, profile->credentials, &ndr_table_exchange_ds_rfr, global_mapi_ctx->lp_ctx);
talloc_free(binding);
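Review bot: The added line spells the option list "[print,seal]", while the two later hunks in this patch use "[seal,print]". Pick one order, or better, build the option string in a single helper shared by all three call sites so that a later edit cannot drop seal from just one of them and leave that connection below the privacy auth level.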
@@ -144,7 +144,7 @@
profile = session->profile;
*serverFQDN = NULL;
- binding = talloc_asprintf(mem_ctx, "ncacn_ip_tcp:%s%s", profile->server, ((global_mapi_ctx->dumpdata == true) ? "[print]" : "[]"));
+ binding = talloc_asprintf(mem_ctx, "ncacn_ip_tcp:%s%s", profile->server, ((global_mapi_ctx->dumpdata == true) ? "[seal,print]" : "[seal]"));
status = provider_rpc_connection(mem_ctx, &pipe, binding, profile->credentials, &ndr_table_exchange_ds_rfr, global_mapi_ctx->lp_ctx);
talloc_free(binding);
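Review bot: In the lines shown, the result of talloc_asprintf is handed straight to provider_rpc_connection with no NULL check on binding. Since this line is being touched anyway, add a check right after the talloc_asprintf call and return an out-of-memory error, so an allocation failure is reported as such and not as a connection failure.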
@@ -185,7 +185,7 @@
switch(provider_id) {
case PROVIDER_ID_EMSMDB:
- binding = talloc_asprintf(mem_ctx, "ncacn_ip_tcp:%s%s", profile->server, ((global_mapi_ctx->dumpdata == true) ? "[print]" : "[]"));
+ binding = talloc_asprintf(mem_ctx, "ncacn_ip_tcp:%s%s", profile->server, ((global_mapi_ctx->dumpdata == true) ? "[seal,print]" : "[seal]"));
status = provider_rpc_connection(mem_ctx, &pipe, binding, profile->credentials, &ndr_table_exchange_emsmdb, global_mapi_ctx->lp_ctx);
talloc_free(binding);
OPENCHANGE_RETVAL_IF(NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_REFUSED), MAPI_E_NETWORK_ERROR, NULL);
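Review bot: Only the PROVIDER_ID_EMSMDB case of this switch gains "[seal]" in the visible lines. If any other case of the switch builds its own binding string, it needs the same option, otherwise that provider keeps connecting without packet privacy while EMSMDB is sealed. Building the string once before the switch would cover every case.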

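The message above reports that captures showed the connections negotiated with SPNEGO and PRIVACY (6). As an added example (not code from OpenChange or Samba), the following C reads those two fields from the security trailer of a connection-oriented DCE/RPC PDU, so a capture can be checked for sealing. The function name `pdu_auth_level` is hypothetical and the sample PDU bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AUTHN_LEVEL_PRIVACY 6  /* RPC_C_AUTHN_LEVEL_PKT_PRIVACY */
#define HDR_LEN 16             /* common connection-oriented PDU header */
#define TRAILER_LEN 8          /* sec_trailer that precedes the auth token */

static uint16_t rd16(const uint8_t *p, int le)
{
    return (uint16_t)(le ? p[0] | (p[1] << 8) : (p[0] << 8) | p[1]);
}

/* Returns the PDU's auth_level, 0 when it carries no auth verifier, or -1
 * when the header lengths are inconsistent; *auth_type is set if level > 0. */
int pdu_auth_level(const uint8_t *pdu, size_t len, int *auth_type)
{
    if (len < HDR_LEN || pdu[0] != 5)          /* rpc_vers is always 5 */
        return -1;
    int le = (pdu[4] & 0xF0) == 0x10;          /* packed_drep integer format */
    size_t frag_len = rd16(pdu + 8, le);
    size_t auth_len = rd16(pdu + 10, le);
    if (frag_len < HDR_LEN || frag_len > len)
        return -1;
    if (auth_len == 0)
        return 0;                              /* no auth verifier present */
    if (auth_len + TRAILER_LEN > frag_len - HDR_LEN)
        return -1;
    const uint8_t *trailer = pdu + frag_len - auth_len - TRAILER_LEN;
    *auth_type = trailer[0];                   /* 9 = SPNEGO */
    return trailer[1];
}

/* Constructed request PDU: 16-byte header, 8 bytes of request fields,
 * 8 placeholder stub bytes, sec_trailer, 16 zeroed token bytes. */
const uint8_t sample_sealed[56] = {
    5, 0, 0, 3, 0x10, 0, 0, 0, 56, 0, 16, 0, 1, 0, 0, 0,
    8, 0, 0, 0, 0, 0, 0, 0, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    9, AUTHN_LEVEL_PRIVACY, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    int type = 0;
    int level = pdu_auth_level(sample_sealed, sizeof sample_sealed, &type);
    printf("auth_type=%d auth_level=%d sealed=%s\n", type, level,
           level == AUTHN_LEVEL_PRIVACY ? "yes" : "no");
    return 0;
}
```

A PDU that returns 5 here is signed but not encrypted, which is the case the seal option is meant to rule out.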