[jcifs] SmbSession.logon and multiple domains
Allen, Michael B (RSCH)
Michael_B_Allen at ml.com
Fri Jul 25 09:08:18 EST 2003
> -----Original Message-----
> From: Colonna-Romano, John [SMTP:JCRomano at infoclarus.com]
> Sent: Thursday, July 24, 2003 12:25 PM
> To: jcifs at lists.samba.org
> Subject: [jcifs] SmbSession.logon and multiple domains
>
> I am trying to write an app that authenticates a domain and username and then
> uses the two fields to access some information in a database.
> SmbSession.login seems to work correctly with multiple domains, and also with
> trust relationships. The problem (at least for me) is that it ignores the domain
> name. If I create an NtlmPasswordAuthentication object, and put any domain
> name in it, if the username and password are valid for some domain that the
> host trusts, then the authentication succeeds.
>
I don't think it's ignoring it. You cannot use a username and password for host
[a] with domain B, right? A security identifier is keyed by domain and userid.
> For example, if I have two domains (A and B) and domain B trusts domain A. I
> then have machine [a] in domain A and machine [b] in domain B. If I set my
> host (first argument to SmbSession.logon) to [a] then I can use any domain
>
What do you mean by "my host"? The first parameter of SmbSession.logon() is
the host against which you would like to authenticate the supplied credentials
(presumably a domain controller).
> name and a valid username and password in domain [a] and the authentication
> succeeds. If I set my host to [b], I can use any domain name and any valid
> username and password in either A or B and the authentication succeeds.
> However, I don't know in which domain the valid username and password
> authenticated in. I was hoping that the returned NtlmPasswordAuthentication
> object might update the domain to the domain name that succeeded, but the
> domain name passed in isn't changed.
>
I do not know the details of trust relationships but this sounds like normal
behavior to me. NtlmPasswordAuthentication objects do not update like you
describe.
> I may be doing something wrong, or maybe SmbSession.logon wasn't supposed
> to handle this the way I need.
>
If you are trying to determine the domain a user is in, that would require DCE/RPC
which is not supported at this time (or the near future).
Mike