[jcifs] NTLMv2 support
Eric
eglass1 at comcast.net
Fri Sep 26 10:00:50 EST 2003
> I am new to the jcifs and have a question regarding supporting NTLMv2. The
> latest API documentation mentions about jcifs.smb.lmCompatibility property
> which allows LMv2 response. I also stumbled on one of the archived messages
> which talked about LMv2 being effectively same as NTLMv2. Does anybody know
> the latest plans on supporting NTLMv2 in jcifs ? Is LMv2 response enough to
> work with Windows 2003 domain server configured to use NTLMv2?
> Thanks.
> Amar
>
jCIFS just sends the LMv2 response, rather than both the LMv2 and
NTLMv2; this should authenticate properly in *most* cases.
Cryptographically, the LMv2 and NTLMv2 responses are more or less
identical; there are, however, some semantics attached to the NTLMv2
TargetInformation structure that are difficult to reconstruct without
CIFS extended security.
Basically, the TargetInformation structure is sent in the NTLM type 2
message along with the challenge; this is normally copied verbatim into
the type 3 NTLMv2 response. Under extended security, you get a full
NTLM type 2 message, so you can do this properly.
With jCIFS, we don't do extended security currently; we just get a
challenge, and would have to "fake" an appropriate TargetInformation
structure. In many scenarios, the TargetInformation isn't checked, so
doing NTLMv2 this way works properly. I had difficulties, however, when
authenticating a user in Domain A against a machine whose primary domain
was Domain B.
Sending only the LMv2 response seems to alleviate most of these issues.
I have seen some issues authenticating against standalone servers and
with local accounts; it may be that LMv2 without NTLMv2 only works in a
passthrough scenario. More research is probably warranted. But in most
cases, it works fine. This is probably a roundabout way of answering
your question ;)
Eric
More information about the jcifs
mailing list