[jcifs] SmbSession.logon and multiple domains

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Fri Jul 25 09:08:18 EST 2003


> -----Original Message-----
> From:	Colonna-Romano, John [SMTP:JCRomano at infoclarus.com]
> Sent:	Thursday, July 24, 2003 12:25 PM
> To:	jcifs at lists.samba.org
> Subject:	[jcifs] SmbSession.logon and multiple domains
> 
> I am trying to write an app that authenticates a domain and username and then
> uses the two fields to access some information in a database.
> SmbSession.login seems to work correctly with multiple domains, and also with
> trust relationships.  The problem (at least for me) is that it ignores the domain
> name.  If I create an NtlmPasswordAuthentication object, and put any domain
> name in it, if the username and password are valid for some domain that the
> host trusts, then the authentication succeeds.
> 
	I don't think it's ignoring it. You cannot use a username and password for host
	[a] with domain B right? A security identifier is keyed by domain and userid.

> For example, if I have two domains (A and B) and domain B trusts domain A.  I
> then have machine [a] in domain A and machine [b] in domain B.  If I set my
> host (first argument to SmbSession.logon) to [a] then I can use any domain 
> 
	What do you mean by "my host"? The first parameter of SmbSession.logon() is
	the host against which you would like to authenticate the supplied credentials
	(presumably a domain controller).

> name and a valid username and password in domain [a] and the authentication
> succeeds.  If I set my host to [b], I can use any domain name and any valid
> username and password in either A or B and the authentication succeeds.
> However, I don't know in which domain the valid username and password
> authenticated in.  I was hoping that the returned NtlmPasswordAuthentication
> object might update the domain to the domain name that succeeded, but the
> domain name passed in isn't changed.
> 
	I do not know the details of trust relationships but this sounds like normal
	behavior to me. NtlmPasswordAuthentication objects do not update like you
	describe.

> I may be doing something wrong, or maybe SmbSession.logon wasn't supposed
> to handle this the way I need.
> 
	If you are trying to determine the domain a user is in, that would require DCE/RPC
	which is not supported at this time (or the near future).

	Mike



