[jcifs] NTLM Authentication and multiple domains

Michael B Allen mba2000 at ioplex.com
Thu Apr 22 22:13:36 GMT 2004


O'Rourke, James said:
> So given this case, it implies that an application with access to NetLogon
> RPC such as IIS in this case is able to defer resolving the domain until
> message 3, however using jCIFs as it currently stands, is not able to do
> this.

Right.

> Is it the case that in this current jCIFs scenario that the SMB server
> which
> provides the challenge in Type2, once it receives the Type3 response from
> the client, then in fact takes this response (Type3) + the challenge it
> provided and forwards it to the appropriate domain controller based on the
> actual domain information for the account being authenticated as is
> encapsulated in the Type3 message or is this not necessary. Perhaps I'm
> way off target.

No. JCIFS authenticates credentials by attempting to access IPC$ with the
supplied creds on the machine identified by the
jcifs.smb.client.domainController property or one of possibly several
machines resolved using the jcifs.smb.client.domain NetBIOS domain name.
At no time does jCIFS negotiate any domain information with clients.

If the machine against which jCIFS is authenticating is not an authority
for the domain of the authenticating user, the machine will forward the
authentication request [1] to domains with which it has trust
relationships.

[1] or maybe it has those domain sam databases locally?

> Finally, when a domain controller (say DC1) receives a Type3 message to
> authenticate joeuser say, but joeuser has only an account on another
> domain
> (with say DC2), which DC1 has a trust relationship with, then will this
> request be authenticated nonetheless?

Yes as described above.

Mike
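The exchange above turns on where the client's domain name actually lives in the NTLM handshake: it is carried in the Type 3 message, which is why a NetLogon-aware server can defer choosing an authority until then, and why a server that simply replays the credentials against a fixed domain controller (as jCIFS does) never looks at it. The following Python builder/parser is an added example, not code from the thread or from jCIFS. It follows the AUTHENTICATE_MESSAGE (Type 3) layout from the NTLM specification (signature, message type, six security buffers, negotiate flags, then the variable-length payload); the user, domain, workstation and the 24-byte response blobs are constructed sample values, not real LM/NTLM responses.

```python
import struct

# NTLMSSP signature and the message type of the "Type 3" (AUTHENTICATE) message.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM/ASCII otherwise

# Fixed part of a Type 3 message: sig(8) + type(4) + 6 security buffers (8 each) + flags(4).
# The six buffers are, in order: LM response, NT response, domain, user, workstation, session key.
_TYPE3_FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
_TYPE3_HEADER_LEN = 8 + 4 + 6 * 8 + 4


def _sec_buf(length, offset):
    """Encode an NTLM security buffer: Len (u16), MaxLen (u16), BufferOffset (u32), little-endian."""
    return struct.pack("<HHI", length, length, offset)


def _codec(flags):
    """String encoding implied by the negotiate flags."""
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"


def build_type3(domain, user, workstation, lm_response, nt_response, flags=NEGOTIATE_UNICODE):
    """Assemble a Type 3 message. The response blobs are passed in as opaque bytes;
    this helper does not compute them (constructed test data is fine here)."""
    enc = _codec(flags)
    blobs = (lm_response, nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b"")  # empty session-key buffer
    bufs, payload = [], b""
    for blob in blobs:
        # Offsets are absolute from the start of the message, so the payload starts
        # immediately after the fixed header.
        bufs.append(_sec_buf(len(blob), _TYPE3_HEADER_LEN + len(payload)))
        payload += blob
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
            + b"".join(bufs) + struct.pack("<I", flags) + payload)


def parse_type3(msg):
    """Decode a Type 3 message into its fields, rejecting malformed security buffers.
    Returns the domain/user/workstation the client *claims*; nothing here verifies
    the responses, which is the domain controller's job."""
    if len(msg) < _TYPE3_HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != NTLMSSP_AUTHENTICATE:
        raise ValueError("not a Type 3 (AUTHENTICATE) message")
    raw, pos = {}, 12
    for name in _TYPE3_FIELDS:
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        # A server that trusts Len/Offset blindly can be made to read past the buffer.
        if offset + length > len(msg):
            raise ValueError("security buffer %s exceeds message length" % name)
        raw[name] = msg[offset:offset + length]
        pos += 8
    flags = struct.unpack_from("<I", msg, pos)[0]
    enc = _codec(flags)
    return {
        "domain": raw["domain"].decode(enc),
        "user": raw["user"].decode(enc),
        "workstation": raw["workstation"].decode(enc),
        "lm_response": raw["lm_response"],
        "nt_response": raw["nt_response"],
        "flags": flags,
    }


if __name__ == "__main__":
    # Constructed sample: 24-byte placeholder responses, not real LM/NTLMv1 output.
    sample = build_type3("CORP", "joeuser", "WS01", b"\x00" * 24, b"\x11" * 24)
    fields = parse_type3(sample)
    # A NetLogon-aware server can route on fields["domain"] here; jCIFS ignores it
    # and authenticates against jcifs.smb.client.domainController instead.
    print("client claims domain=%s user=%s workstation=%s"
          % (fields["domain"], fields["user"], fields["workstation"]))
```

The bounds check in `parse_type3` is the one piece a server-side implementer should not skip: every security buffer's offset and length come from the client, so they must be validated against the message length before being used to slice.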