[jcifs] Various and sundry jCIFS patches

eglass1 at comcast.net
Fri Jul 4 06:50:55 EST 2003


Mike/Chris/All,

Attached are various updates stemming from the NTLM research I have been doing 
lately (it looks to be about 16K, so I'm going to take a chance that it will 
make it out to the list...)

This includes:

* Additions and updated documentation on the NTLM flags.

* Fix to NtlmSsp to only provide the target when requested by the client via 
the NTLM "request target" flag (this is the correct behavior).

* Bugfix to NtlmSsp to do Base64.encodeBytes(bytes, false) instead of 
Base64.encodeBytes(bytes) (a linewrap in the header can cause an error).

* Patch to SmbComSessionSetupAndX/SmbComTreeConnectAndX to allow variable-
length LM/NTLM responses.

and the big one,

* Support for NTLMv2 authentication.

Most of these are one-or-two-line changes, except the last one.

This adds a "jcifs.smb.lmCompatibility" property to enable NTLMv2, which mimics 
the Windows LMCompatibilityLevel registry setting:

0,1:    Send LM/NTLM responses (this is the default)
2:      Send only NTLM response
3,4,5:  Send LMv2/NTLMv2 responses

Actually, this really only sends LMv2; there are issues involving cross-domain 
authentication with NTLMv2 which made it infeasible to implement properly 
without doing significant overhauls and guesswork for minimal benefit (the code 
for NTLMv2 is in there, but commented out since it won't work across domains 
right now).  The servlet/filter will accept both the LMv2 and NTLMv2 responses 
from the browser, but only send the LMv2 in the SMB session setup request.  
Similarly, the NtlmHttpURLConnection only sends the LMv2 in the Type 3 message.

To enable LMv2 in the filter, you would just add:

<init-param>
    <param-name>jcifs.smb.lmCompatibility</param-name>
    <param-value>3</param-value>
</init-param>

Likewise, enabling LMv2 for SmbFile/NtlmHttpURLConnection just involves 
specifying:

    -Djcifs.smb.lmCompatibility=3

I have also finished the NTLM documentation at

http://davenport.sourceforge.net/ntlm.html

(or as finished as it's going to get for a while).  I was hoping it could be 
linked/copied to the jCIFS page as a reference.

I'm going to be in and out of vacations for about the next 5 weeks, but I'll 
try to keep reasonably in touch.  I'm going to dig into the Davenport stuff and 
see about getting WebDAV locks implemented; I might not be able to really focus 
on it until things wind down a bit, though.

On a side note, have either of you guys looked into setting up a SourceForge 
project for jCIFS?  I've been pretty happy with using it for Davenport, so I 
figured I'd bring it up.


Eric

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/x-tar
Size: 15608 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20030703/536dc477/attachment.tar
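
The LMv2 path that lmCompatibility levels 3-5 select, as an added example (not code from the attached patch or from jCIFS), following the response construction described in the NTLM documentation linked in the message. The function names and sample bytes are constructed for illustration, and the 16-byte NT hash is taken as an input rather than derived from a password.

```python
import hmac
import os

# Responses sent per jcifs.smb.lmCompatibility level, as listed in the message.
RESPONSES_BY_LEVEL = {
    0: ("LM", "NTLM"), 1: ("LM", "NTLM"),
    2: ("NTLM",),
    3: ("LMv2", "NTLMv2"), 4: ("LMv2", "NTLMv2"), 5: ("LMv2", "NTLMv2"),
}

def responses_for_level(level):
    """Return the response types for a level; reject anything outside 0-5."""
    if level not in RESPONSES_BY_LEVEL:
        raise ValueError(f"unsupported lmCompatibility level: {level!r}")
    return RESPONSES_BY_LEVEL[level]

def ntlmv2_hash(nt_hash, user, target):
    """HMAC-MD5, keyed with the NT hash, over UPPER(user) + target in UTF-16LE."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    # Only the username is uppercased; the target is used exactly as given.
    return hmac.new(nt_hash, (user.upper() + target).encode("utf-16-le"), "md5").digest()

def lmv2_response(nt_hash, user, target, server_challenge, client_nonce=None):
    """Build the 24-byte LMv2 response: HMAC-MD5(challenge + nonce) + nonce."""
    if client_nonce is None:
        client_nonce = os.urandom(8)  # fresh per authentication
    if len(server_challenge) != 8 or len(client_nonce) != 8:
        raise ValueError("challenge and client nonce must be 8 bytes each")
    key = ntlmv2_hash(nt_hash, user, target)
    mac = hmac.new(key, server_challenge + client_nonce, "md5").digest()
    return mac + client_nonce

def verify_lmv2(nt_hash, user, target, server_challenge, response):
    """Server side: recompute from the nonce carried in the response."""
    if len(response) != 24:
        return False
    expected = lmv2_response(nt_hash, user, target, server_challenge, response[16:])
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    nt = bytes(range(16))                          # constructed sample, not a real hash
    challenge = bytes.fromhex("0123456789abcdef")  # constructed sample challenge
    resp = lmv2_response(nt, "user", "DOMAIN", challenge)
    print(responses_for_level(3), resp.hex(), verify_lmv2(nt, "user", "DOMAIN", challenge, resp))
```

The response is 24 bytes, the same length as an LM response, and the target string must match on both sides byte for byte, which is where a mismatch in the domain name shows up as a failed verification.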

