[jcifs] NtlmPasswordAuthentication & domain

Michael B Allen mba2000 at ioplex.com
Wed Oct 29 10:56:06 EST 2003

> being a bit Windows illiterate, i'm not really sure if the account i'm
> testing the authentication with is a local account or not. i was
> assuming the account is not local because it can be found in the 'test
> users' container in the directory tree.
> testing with a valid domain name + user information the authentication
> succeeds. with a bogus domain name the authentication still goes fine as
> long as user name + password are correct.

Is 'server' a PDC? If so I think it will treat the SAM database as "local"
which by our reasoning will result in success as you have found. I have
also tested the below code and confirmed this behavior; If I run it
against a PDC it succeeds with a bogus domain whereas if I run it against
a workstation where the account is not local to the machine it will fail
with a bogus domain.

What is ultimately the issue Aspa? If this is in regard to general
security I don't believe there is anything to be concerned about. The user
must supply a valid username and passord.


> here's the piece of test code i'm using:
>         try {
>             UniAddress mydomaincontroller =
> UniAddress.getByName(server);
>             NtlmPasswordAuthentication mycreds =
>                 new NtlmPasswordAuthentication(domain, user, pass);
>             SmbSession.logon(mydomaincontroller, mycreds);
>             return true;
>         } catch (UnknownHostException uhe) {
>         } catch (SmbAuthException sae) {
>         } catch (SmbException se) {
>         }
> 	return false;

A program should be written to  model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the  potential for it  to be applied  to tasks that are
conceptually similar and, more  important, to tasks that have not
yet been conceived.

More information about the jcifs mailing list