[jcifs] Domain Controller and PreAuth
Michael B Allen
miallen at ioplex.com
Wed Sep 26 21:00:09 GMT 2007
On Wed, 26 Sep 2007 14:33:46 -0400
"Brown, Melonie" <mbrown at microstrategy.com> wrote:
> There's an older post to the list (copied below) that says preauth and domaincontroller do not work.
>
> Has this been resolved?
I don't recall changing anything wrt that.
Mike
> [I wasn't sure from the descriptions of the changes from the various releases. ]
> -------------------------------------------------------------
> >On Thu, 19 Jan 2006 16:20:41 +0000
> >João Mota <jmota at criticalsoftware.com <https://lists.samba.org/mailman/listinfo/jcifs> > wrote:
> >
> >
> >
> >>Hello,
> >>
> >>I am having some problems getting transparent authentication to work
> >>with NtlmHttpFilter jcifs-1.2.7, it seems that IE is failling the
> >>negotiation.
> >>The domain Controller is a windows 2003 server.
> >>
> >>The error that shows in the log at the same time that the dialog box to
> >>enter username/password shows up is (i replaced the sensitive data for a
> >>meaningfull word in caps):
> >> NtlmHttpFilter: DOMAIN\USERLOGIN: 0xC0000022:
> >>jcifs.smb.SmbAuthException: Access is denied.
> >>
> >>
> >
> >No doubt this is an SMB signing issue. You need "preauthentication".
> >
> >
> >
> >>Filling in the user and password in the dialog box, the authentication
> >>works ok.
> >>
> >>My questions are:
> >>1) Is it possible to have transparent authentication with the
> >>jcifs.http.domainController specified ?
> >>
> >>
> >
> >No, it was recently discoverd that preauthentication only works if
> >jcifs.http.domainController is NOT used. I would use:
> >
> >
> >
> >> <filter>
> >> <filter-name>NtlmHttpFilter</filter-name>
> >> <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >> <init-param>
> >> <param-name>jcifs.netbios.wins</param-name>
> >> <param-value>IP</param-value>
> >> </init-param>
> >> <init-param>
> >> <param-name>jcifs.smb.client.domain</param-name>
> >> <param-value>DOMAIN</param-value>
> >> </init-param>
> >> <init-param>
> >> <param-name>jcifs.smb.client.username</param-name>
> >> <param-value>USER</param-value>
> >> </init-param>
> >> <init-param>
> >> <param-name>jcifs.smb.client.password</param-name>
> >> <param-value>PASSWORD</param-value>
> >> </init-param>
> >> <init-param>
> >> <param-name>jcifs.util.loglevel</param-name>
> >> <param-value>2</param-value>
> >> </init-param>
> >>
> >>
> >
> >If you don't have wins then you could try setting jcifs.netbios.lmhosts
> >[1] to a file that maps the IP you had for domainController to DOMAIN.
> >
> >Otherwise, we need to fix the code so that preauth works with
> >domainController. It's on The List.
> >
> >Mike
> >
> >http://jcifs.samba.org/src/docs/resolver.html
> >
> >
> >
> >
> >
>
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
More information about the jcifs
mailing list