[jcifs] A bunch of NTLM stuff

Michael B. Allen miallen at eskimo.com
Thu Oct 10 03:21:54 EST 2002


On Wed, 9 Oct 2002 03:50:04 -0400
"Glass, Eric" <eric.glass at capitalone.com> wrote:

> > -----Original Message-----
> >
> > Thanks for this code. It was thought provoking. I have converted to the
> > stateless approach and it does seem more correct.
> >
> > Note however that your code will choke after soTimeout because the same
> > NtlmPasswordAuthentication object is being used by SmbSession and you
> > create new ones. My old code updated the hashes in-place so SmbSession's
> > pointer didn't need to be updated. Regardless, I've changed the
> > SmbTransport.getSmbSession() method to assign the new
> > NtlmPasswordAuthentication object to the SmbSession so that this will not
> > happen in my code or yours (post 0.7.0b3).
> >
> 
> Thanks for the heads up.  I haven't come across this as of yet, but this
> will probably save me some hair-pulling at some point.  When would this
> occur?  I've set the soTimeout to 10 minutes -- would I see the issue
> globally after that time?  How would this manifest itself?

After 10 minutes the transport will be dropped invalidating the 8 byte
challenge in the NtlmPasswordAuthentication object held by SmbSession. In
my original code, when reconnecting the password hashes could be updated in
place because it was in the NtlmPasswordAuthentication object held by
SmbSession held by NtlmHttpSession. You create a *new*
NtlmHttpAuthentication object which means the new challenge cannot be
known. The fix is to set the new NtlmHttpAuthentication object when you
dole out new SmbSessions in SmbTransport.getSmbSession().

>
> > Also, note that the "domain" in the type-1-message is the workgroup and
> > not the authentication domain. Frequently they are the same but not
> > always. In my code, I do not even bother to use this field as a fallback
> > domain and instead just require a domainController property. The real
> > authentication domain is in the type-3-message.
> >
>
> Good to know.  Thanks again!
>  


-- 
A program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the potential for it to be applied to tasks that are
conceptually similar and, more important, to tasks that have not
yet been conceived.
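
The Type 1 versus Type 3 domain point from the thread, as an added example that is not part of the original message and not jCIFS code: a parser that pulls the domain field out of each raw message. The field offsets follow the publicly documented NTLMSSP layout; the sample messages and the names WORKGROUP, CORP, alice and WS01 are constructed, and a Type 3 message without a flags field is assumed to be OEM-encoded.

```python
import struct

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001

def secbuf(msg, pos):
    """Return the bytes referenced by the security buffer (len, maxlen, offset) at pos."""
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def ntlm_domain(msg):
    """Return (message_type, domain) for a raw Type 1 or Type 3 message."""
    if len(msg) < 32 or msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:   # supplied domain buffer at offset 16, always OEM
        return 1, secbuf(msg, 16).decode("ascii")
    if mtype == 3:   # authentication domain buffer at offset 28
        if len(msg) < 52:
            raise ValueError("truncated Type 3 message")
        # Flags (offset 60) exist only when the payload starts at or after byte 64.
        has_flags = struct.unpack_from("<I", msg, 16)[0] >= 64
        flags = struct.unpack_from("<I", msg, 60)[0] if has_flags else 0
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return 3, secbuf(msg, 28).decode(enc)
    raise ValueError("only Type 1 and Type 3 carry a client-supplied domain")

def pack(header, fields, tail=b""):
    """Constructed-sample helper: lay out security buffers, then payloads."""
    offset = len(header) + 8 * len(fields) + len(tail)
    bufs, data = b"", b""
    for f in fields:
        bufs += struct.pack("<HHI", len(f), len(f), offset + len(data))
        data += f
    return header + bufs + tail + data

# Constructed samples: a client in workgroup WORKGROUP logging in to domain CORP.
TYPE1 = pack(SIG + struct.pack("<II", 1, 0x3206), [b"WORKGROUP", b"WS01"])
u = lambda s: s.encode("utf-16-le")
# Buffers in header order: LM response, NTLM response, domain, user,
# workstation, session key; the flags field follows them at offset 60.
TYPE3 = pack(SIG + struct.pack("<I", 3),
             [b"\x00" * 24, b"\x00" * 24, u("CORP"), u("alice"), u("WS01"), b""],
             tail=struct.pack("<I", 0x0201))

if __name__ == "__main__":
    print(ntlm_domain(TYPE1), ntlm_domain(TYPE3))
```

Code that keys an authorization or domain-controller lookup on the Type 1 value would resolve WORKGROUP here, while the credentials in the Type 3 message are for CORP.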


