Making DCE/RPC Calls to Active Directory Time Bound

Tue Sep 13 | 2:00pm
Location: Fremont A/B
Abstract

DCE/RPC is a popular library for sending RPC calls to Active Directory from Linux/Unix systems. So far, DCE/RPC calls to Active Directory are synchronous: a thread inside DCE/RPC blocks until the response from Active Directory is received. This send/receive mechanism fails and leaves calls stuck during network disruptions, on slow networks, or over flaky connections. A solution is needed that avoids such unnecessary hangs and handles connection issues more gracefully. The DCE/RPC code, however, is synchronous by design, and adding timeouts or making it asynchronous would mean overhauling the whole code.

The proposal here is to leverage the SMB redirector between DCE/RPC and Active Directory and add timers to the redirector for every call to Active Directory. DCE/RPC can act as a conduit to the redirector, passing the timeout information for each call involved. The redirector can implement its own timeout mechanism by making its SMB calls to Active Directory asynchronous. If a call times out, the redirector can send an appropriate error message, such as TRANSACTION_TIMED_OUT, back to DCE/RPC, which then returns it to the caller.

Learning Objectives

  • Understand the complexities involved in DCE/RPC calls
  • Analyze why the SMB redirector is the best place to make DCE/RPC calls time bound
  • Watch how the SMB redirector can seamlessly handle SMB calls through DCE/RPC

---

Amit Gaurav
Dell Technologies