[jcifs] NTLMv2 support

Christopher R. Hertel crh at ubiqx.mn.org
Fri Sep 26 14:15:29 EST 2003


See: http://ubiqx.org/cifs/SMB.html#SMB.8.5

It's a writeup of the basic workings of LMv2 and NTLMv2, and it explains 
the difference between the two.

Chris -)-----

On Thu, Sep 25, 2003 at 08:00:50PM -0400, Eric wrote:
> >I am new to jcifs and have a question regarding supporting NTLMv2. The
> >latest API documentation mentions the jcifs.smb.lmCompatibility property,
> >which allows the LMv2 response. I also stumbled on one of the archived messages
> >which talked about LMv2 being effectively the same as NTLMv2. Does anybody know
> >the latest plans on supporting NTLMv2 in jcifs? Is the LMv2 response enough to
> >work with a Windows 2003 domain server configured to use NTLMv2?
> >Thanks.
> >Amar
> >
> jCIFS just sends the LMv2 response, rather than both the LMv2 and 
> NTLMv2; this should authenticate properly in *most* cases.
> Cryptographically, the LMv2 and NTLMv2 responses are more or less 
> identical; there are, however, some semantics attached to the NTLMv2 
> TargetInformation structure that are difficult to reconstruct without 
> CIFS extended security.
> Basically, the TargetInformation structure is sent in the NTLM type 2 
> message along with the challenge; this is normally copied verbatim into 
> the type 3 NTLMv2 response.  Under extended security, you get a full 
> NTLM type 2 message, so you can do this properly.
> With jCIFS, we don't do extended security currently; we just get a 
> challenge, and would have to "fake" an appropriate TargetInformation 
> structure.  In many scenarios, the TargetInformation isn't checked, so 
> doing NTLMv2 this way works properly.  I had difficulties, however, when 
> authenticating a user in Domain A against a machine whose primary domain 
> was Domain B.
> Sending only the LMv2 response seems to alleviate most of these issues. 
>  I have seen some issues authenticating against standalone servers and 
> with local accounts; it may be that LMv2 without NTLMv2 only works in a 
> passthrough scenario.  More research is probably warranted.  But in most 
> cases, it works fine.  This is probably a roundabout way of answering 
> your question ;)
> Eric

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
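
The relationship described in the quoted reply, as an added example (not jCIFS code and not from either poster): both responses are HMAC-MD5 under the same NTLMv2 hash, but only the NTLMv2 response signs a blob that embeds the server's TargetInformation. The NT hash, challenges, user name, domain names and server name are constructed sample values, and the NT hash (MD4 of the UTF-16LE password) is taken as an input rather than computed.

```python
import hmac
import struct

def ntowf_v2(nt_hash, user, domain):
    # NTLMv2 hash: HMAC-MD5 keyed with the 16-byte NT hash over
    # UTF-16LE(uppercase(user) + domain). LMv2 and NTLMv2 share this key.
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, "md5").digest()

def lmv2_response(v2_hash, server_chal, client_chal):
    # 16-byte HMAC over both challenges, followed by the client challenge.
    proof = hmac.new(v2_hash, server_chal + client_chal, "md5").digest()
    return proof + client_chal

def target_info(pairs):
    # AV_PAIR list: little-endian id, byte length, UTF-16LE value; id 0 ends it.
    out = b""
    for av_id, value in pairs:
        raw = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(raw)) + raw
    return out + struct.pack("<HH", 0, 0)

def ntlmv2_response(v2_hash, server_chal, client_chal, info, timestamp=0):
    # Same HMAC, but the signed data is a blob that embeds TargetInformation:
    # 0x0101, 6 reserved bytes, timestamp, client challenge, 4 reserved bytes,
    # the AV_PAIR list, 4 trailing zero bytes.
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_chal + b"\x00" * 4 + info + b"\x00" * 4)
    proof = hmac.new(v2_hash, server_chal + blob, "md5").digest()
    return proof + blob

# Constructed sample values, not taken from any real exchange.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHAL = bytes.fromhex("0123456789abcdef")
CLIENT_CHAL = bytes.fromhex("aaaaaaaaaaaaaaaa")
KEY = ntowf_v2(NT_HASH, "user1", "DOMAINA")
# AV ids: 2 = NetBIOS domain name, 1 = NetBIOS computer name.
INFO_A = target_info([(2, "DOMAINA"), (1, "SERVER1")])
INFO_B = target_info([(2, "DOMAINB"), (1, "SERVER1")])

if __name__ == "__main__":
    print("LMv2     :", lmv2_response(KEY, SERVER_CHAL, CLIENT_CHAL).hex())
    for label, info in (("NTLMv2/A", INFO_A), ("NTLMv2/B", INFO_B)):
        resp = ntlmv2_response(KEY, SERVER_CHAL, CLIENT_CHAL, info)
        print(label, ":", resp[:16].hex())
```

The LMv2 value never depends on TargetInformation, while the first 16 bytes of the NTLMv2 response change with it, which is why a client that receives only the bare challenge has to supply that structure itself.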
