the lock-out you describe was done by _microsoft_ as part of their use of kerberos in "active directory": they used the "application specific" field in order to save on round-trips (and then extended their bloody SMB protocol in order to _add_ a couple. bastards).
it's okay, i'm hanging about, just in case of exactly that sort of thing. my comments were based on someone setting up "opengfs" which i am pretty confused about.
from the press release:
Previously, the DCE source was only available under a traditional license. Making it available under a recognized open source license (LGPL) both increases the accessibility of DCE as an interoperability technology, and permits a broader community to work on the source to expand its features and keep it current.
what goes around comes around: if DCE/RPC's profile is raised, it will hopefully stop people from reinventing technological problems that DCE solved _years_ ago, and will still need for certain kinds of software. ... not to mention that there are contracts and systems still in existence that mean DCE just ain't gonna diiieeeee :)
plus, Corba is object-orientated, and its "counterpart" is DCOM (which uses DCE/RPC underneath). a lot of people make this mistake - seen it about five times on slashdot in the past hour already!!!
fucking alphabet soup. no wonder my head has turned to jelly from too much slashdotting.
DCOM is to DCE/RPC as
CORBA is to CORBA's underlying RPC mechanism.
DCE/RPC bears no relation to CORBA's RPC mechanism.
Sun's ONC/RPC bears no relation to DCE/RPC.
ONC/RPC uses something called XDR for its data representation;
DCE/RPC uses NDR (network data representation) which was designed by Apollo (who were acquired by HP)
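To make the XDR-versus-NDR distinction above concrete, here is an added example (my code, not the page's and not FreeDCE's or any ONC implementation) that marshals one constructed record both ways. XDR (RFC 4506) widens every scalar to a multiple of 4 octets and is always big-endian, so nothing on the wire says which byte order was used. NDR instead keeps each integer at its natural width, aligns it to its own size relative to the start of the stub data, and lets the sender choose its native byte order, announcing it in the 4-octet data-representation label ("drep") carried in the DCE RPC PDU header; the receiver reads the label and "makes right". The sample record and its field values are constructed for the illustration.

```python
import struct

# Constructed sample record (not from the page): one logical message, two wire encodings.
SAMPLE = {"flag": 0x01, "port": 0x0050, "count": 0x00001000, "id": 0x0102030405060708}

# Field layout of the sample record, in marshalling order (struct codes without byte order).
FIELDS = (("flag", "B"), ("port", "H"), ("count", "I"), ("id", "Q"))


def xdr_encode(rec):
    """XDR (RFC 4506): every item occupies a multiple of 4 octets, always big-endian.
    Narrow integers are widened to 4 octets, so there is no alignment padding to
    compute and no byte-order label on the wire; the receiver assumes network order."""
    return struct.pack(">IIIQ", rec["flag"], rec["port"], rec["count"], rec["id"])


def xdr_decode(data):
    flag, port, count, ident = struct.unpack(">IIIQ", data)
    return {"flag": flag, "port": port, "count": count, "id": ident}


def ndr_drep(little_endian=True):
    """NDR data-representation label from the DCE RPC PDU header (4 octets):
    octet 0 high nibble = integer byte order (0 big-endian, 1 little-endian),
    low nibble = character set (0 ASCII); octet 1 = float format (0 IEEE);
    octets 2-3 reserved. The sender picks its native order and announces it here."""
    return bytes([0x10 if little_endian else 0x00, 0x00, 0x00, 0x00])


def ndr_encode(rec, little_endian=True):
    """NDR: each primitive keeps its natural width and is aligned to its own size
    relative to the start of the stub data; byte order follows the drep label."""
    order = "<" if little_endian else ">"
    out = bytearray()
    for name, code in FIELDS:
        size = struct.calcsize(code)
        out.extend(b"\x00" * ((-len(out)) % size))  # alignment gap
        out.extend(struct.pack(order + code, rec[name]))
    return bytes(out)


def ndr_decode(data, drep):
    """'Receiver makes right': read the drep label first, then unmarshal using the
    sender's byte order and the same alignment rules that were used when encoding."""
    order = "<" if (drep[0] >> 4) == 1 else ">"
    rec, pos = {}, 0
    for name, code in FIELDS:
        size = struct.calcsize(code)
        pos += (-pos) % size  # skip the alignment gap the encoder inserted
        (rec[name],) = struct.unpack_from(order + code, data, pos)
        pos += size
    return rec


if __name__ == "__main__":
    print("XDR   :", xdr_encode(SAMPLE).hex(), len(xdr_encode(SAMPLE)), "octets")
    print("NDR LE:", ndr_encode(SAMPLE).hex(), len(ndr_encode(SAMPLE)), "octets")
    print("NDR BE:", ndr_encode(SAMPLE, little_endian=False).hex())
```

The same four values take 20 octets in XDR and 16 in NDR, and the NDR bytes differ between a little-endian and a big-endian sender while still decoding to the same record once the drep label is honoured. That label is also why an NDR unmarshaller must treat the drep and every alignment gap as attacker-influenced input and bounds-check each field against the buffer, rather than trusting the layout it expects.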
not entirely: MAC addresses can be faked. the uuid algorithm is quite complex, only relying on PRNG for the full 128 bits if it's absolutely necessary.
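The comment above says the UUID algorithm builds on the MAC address and only falls back to a PRNG when it has to. As an added example (my code, not the page's and not the DCE or FreeDCE implementation), this assembles the version-1 layout of RFC 4122, which was derived from the DCE UUID scheme, from its three inputs: a 60-bit timestamp in 100 ns ticks since 1582-10-15, a 14-bit clock sequence, and the 48-bit node. It also shows the detail that matters to a defender: a PRNG-generated node must have the multicast bit set, so a reader can tell whether a given UUID carries a hardware-derived (and spoofable) MAC or a random node. The timestamp, clock sequence and MAC used in the demonstration are constructed values.

```python
import os
import time
import uuid

# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_UNIX_OFFSET = 0x01B21DD213814000


def unix_ns_to_uuid_time(unix_ns):
    """60-bit version-1 timestamp: 100 ns intervals since 1582-10-15 00:00 UTC."""
    return (unix_ns // 100 + UUID_UNIX_OFFSET) & ((1 << 60) - 1)


def random_node():
    """PRNG fallback for the 48-bit node field when no MAC address is used.
    The multicast bit (least-significant bit of the first octet, bit 40 of the
    integer) is set so the value can never collide with a real unicast IEEE 802
    address, and so a reader can tell it apart from a hardware-derived node."""
    return int.from_bytes(os.urandom(6), "big") | (1 << 40)


def make_uuid_v1(uuid_time, clock_seq, node):
    """Assemble the 16 octets of a version-1 UUID by hand from its three inputs."""
    time_low = uuid_time & 0xFFFFFFFF
    time_mid = (uuid_time >> 32) & 0xFFFF
    time_hi_and_version = ((uuid_time >> 48) & 0x0FFF) | (1 << 12)  # version 1
    clock_seq_hi_and_reserved = ((clock_seq >> 8) & 0x3F) | 0x80    # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    raw = (time_low.to_bytes(4, "big")
           + time_mid.to_bytes(2, "big")
           + time_hi_and_version.to_bytes(2, "big")
           + bytes([clock_seq_hi_and_reserved, clock_seq_low])
           + node.to_bytes(6, "big"))
    return uuid.UUID(bytes=raw)


def node_is_mac_derived(u):
    """Defender's check: does this UUID's node field look like a unicast MAC address
    (multicast bit clear), i.e. does it expose a hardware identity that could be
    spoofed, rather than a PRNG-generated node?"""
    return u.version == 1 and (u.node >> 40) & 1 == 0


if __name__ == "__main__":
    # Constructed inputs: a fixed instant, a made-up clock sequence and a made-up MAC.
    fixed_time = unix_ns_to_uuid_time(10**18)
    mac_uuid = make_uuid_v1(fixed_time, 0x0234, 0x0800201F3A5C)
    rnd_uuid = make_uuid_v1(unix_ns_to_uuid_time(time.time_ns()), 0x0234, random_node())
    print(mac_uuid, "mac-derived node:", node_is_mac_derived(mac_uuid))
    print(rnd_uuid, "mac-derived node:", node_is_mac_derived(rnd_uuid))
```

Because the timestamp and clock sequence are placed in the high-order octets, two version-1 UUIDs minted on the same host are far from random: only the node stays constant and the time field advances monotonically, which is why version-1 identifiers should never be relied on as unguessable secrets even when the node is PRNG-generated.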
none - the reference implementation was available almost right from the start - i _think_ - otherwise microsoft wouldn't have been able to get hold of it and use it for Windows NT 3.1.
FreeDCE, however, has _two_ security plugins: GSS-API (thanks to luke howard), and NTLMSSP (code from samba tng which i wrote, based on my and paul ashton's "welcome to the samba domain" work in august 1997)
i fear that you are right.
:)
if IBM hadn't stalled the release for four years, but, they're interested in making money: if there were major contracts they were still pulling in, there was no reason for them to hand it all over on a plate.
remember, they would have _just_ finished adding LDAP to their DCE 3.0 internal proprietary version.
now, of course, this code is end-of-lifecycle as far as they are concerned, and a large number of companies and universities are in deep doodoo unless the open source community can pull together.
also, remember, code doesn't decay or rust, it just _looks_ old...
that's since been sorted out. FreeDCE now basically is wire-compatible and IDL-compatible with MSRPC.
it's been a long time (like almost a decade) but it's there.
i'm sorry you didn't have my email address when you needed it, i could have done with the extra work.
... mr fink, i'm sorry but i do have to correct you on a couple of points.
namely, that microsoft got hold of the BSD-like-licensed DCE 1.1 "reference" implementation so the "stripping of all security" was done by TOG not by microsoft.
MS, who had and still have someone from Apollo working for them, knew and knows how DCE/RPC works _in_side out, and so was able to sort stuff out for them.
MS _did_ have to add some stuff like "implicit handles" and MSRPC _does_ have the ability to do Unicode Strings (and between Wez Furlong, Luke Howard and myself, that's all now been added to FreeDCE).
i'm still working on adding NTLMSSP and NT Named Pipes to FreeDCE - something that luke howard has already done for his proprietary XAD server (www.ldap.com).
the differences are not _that_ significant, is the bottom line.
ah - that's the beauty: GSS-API has been added to FreeDCE already, by Luke Howard of www.ldap.com.
and if it's added to FreeDCE, then DCE 1.2.2 gets it too - once DCE 1.2.2 has been autoconf'd and brought up-to-date like FreeDCE already is.
DCE did a "proper" job by using the available fields of kerberos for the correct - documented - purpose.
the use of CDS being largely irrelevant was recognised by TOG in 1999: you need to pay IBM stacks of $$$ to get the code _but_ it was recognised: OpenGroup link here. fortunately, someone has created a set of free software plugins - nss and pam etc. already
AFS, OpenAFS, DFS - it's a long long story for another day, methinks :)
yes, dammit. it still is, but in different ways: companies like IBM and Fujitsu and Entegrity still make hundreds of millions of dollars out of it.
DCE/RPC is to DCOM as
Corba's RPC mechanism is to CORBA.
i mention a bit about it in my advogato article: it's _very_ stupid that TOG didn't release DCE/RPC (and DCOM) a _lot_ earlier than this.
never mind....
yessss :) i aaaaaam the greatest!
my mama was an alien,
my daddy was an engineer,
and i was spawned
from the borg one morn
with keyboards in my ears,
in my eeeeearrs.
they call me the microsoft hacker,
once upon a pair of wires,
and i'm gooonne
*crack my numbers*
i wonder how your PC's feeln'
*ba ba ba baaaa*
scoot down the wires,
*crack my numbers*
i wonder how your PC's feeln'
*ba ba ba baa baa*
Copyright (C) Luke Kenneth Casson Leighton 2004
All rights reserved
It's already been done! Also see this for details of TOG meetings etc.
It is very unfortunate that DCE had the US BXPA export restrictions to contend with: it meant that the US govt REALLY got heavy with a lot of people.
now, of course, all that free software projects must do is to notify the US govt of what encryption is involved, where they can get it, and you're done. which is very sensible and realistic.
so now we can start adding kerberos back in - Luke Howard (www.padl.com) has already added GSSAPI as a FreeDCE plugin and that's actually better than going directly via kerberos.
yes - i gather it's something like that :)
yes they are!! DCE 1.1 - the RPC runtime and development environment reference implementation, only 250,000 lines of code, has been available for nearly a decade under the OSF BSD-like license.
this is _really_ different: 3.5 _MILLION_ lines of code, including CDS and DFS, under the LGPL.
Distributed COM.
yep!
they didn't steal it but from what i can gather they took the DCE 1.1 reference implementation (available under a BSD-like license before most people had even _heard_ of free software licenses!) which is basically "stubs"... ... and then they integrated it with NetBIOS and SMB (inventing ncacn_np which is DCE/RPC over NT's NamedPipes - heard of those? look up CreateNamedPipe on the MSDN :) ... and then they added WINS as a resolver... ... and then they added NTLMSSP authentication... ... and then they created NT Domains with it... ... and then they put _every_ single administrative interface behind a DCE/RPC client-server architecture (really easy: the Win32 Registry API is one!)... ... and then they started on exchange... ... and then they created ncacn_http which is RPC over HTTP because some idiots started blocking exchange packets and they needed to punch a hole through firewalls [what do you mean, the web _is_ the internet, you stupid microsoft support idiot!] ... oh, and don't forget DCOM on which an entire generation of MSDN-created software is based!
hijacked? naaah. microsoft _really_ recognised a good thing, and unlike a lot of people who go "duuuh, i wish...", just snowballed with it.
afaik, the documentation is available online too, you just have to hunt for it.
okay - last time i looked (1998) it was available online.
the reason why it's available for a charge is because it's a MASSIVE download.
the source code alone is 90mbytes, and TOG _belieevved_ in documentation.
the code's _crawling_ out the woodwork today. thirteen _years_. bittorrent too although it's a lot smaller than 90mbytes...
have a quick read of the advogato article as well it gives a few more details. this stuff some people have been working on or with for _twenty years_ :)
we're so so incredibly privileged to have been granted this opportunity.
_and_ keeping an eye on the bloody bittorrent client and the server i borrowed to host a mirror of the code - it's a wonder i get to do any work at all, really.