[jcifs] NTLMv2 support
Christopher R. Hertel
crh at ubiqx.mn.org
Fri Sep 26 14:15:29 EST 2003
Amar,
See: http://ubiqx.org/cifs/SMB.html#SMB.8.5
It's a writeup of the basic workings of LMv2 and NTLMv2, and it explains
the difference between the two.
Chris -)-----
On Thu, Sep 25, 2003 at 08:00:50PM -0400, Eric wrote:
>
> >I am new to jcifs and have a question regarding support for NTLMv2. The
> >latest API documentation mentions the jcifs.smb.lmCompatibility property,
> >which allows the LMv2 response. I also stumbled on one of the archived messages
> >which talked about LMv2 being effectively the same as NTLMv2. Does anybody know
> >the latest plans on supporting NTLMv2 in jcifs? Is the LMv2 response enough to
> >work with a Windows 2003 domain server configured to use NTLMv2?
> >Thanks.
> >Amar
> >
>
> jCIFS just sends the LMv2 response, rather than both the LMv2 and
> NTLMv2; this should authenticate properly in *most* cases.
>
> Cryptographically, the LMv2 and NTLMv2 responses are more or less
> identical; there are, however, some semantics attached to the NTLMv2
> TargetInformation structure that are difficult to reconstruct without
> CIFS extended security.
>
> Basically, the TargetInformation structure is sent in the NTLM type 2
> message along with the challenge; this is normally copied verbatim into
> the type 3 NTLMv2 response. Under extended security, you get a full
> NTLM type 2 message, so you can do this properly.
>
> With jCIFS, we don't do extended security currently; we just get a
> challenge, and would have to "fake" an appropriate TargetInformation
> structure. In many scenarios, the TargetInformation isn't checked, so
> doing NTLMv2 this way works properly. I had difficulties, however, when
> authenticating a user in Domain A against a machine whose primary domain
> was Domain B.
>
> Sending only the LMv2 response seems to alleviate most of these issues.
> I have seen some issues authenticating against standalone servers and
> with local accounts; it may be that LMv2 without NTLMv2 only works in a
> passthrough scenario. More research is probably warranted. But in most
> cases, it works fine. This is probably a roundabout way of answering
> your question ;)
>
>
> Eric
>
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
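
The relationship between the two responses discussed in this thread, as an added example that is not part of the original messages and is not jCIFS code: both responses are an HMAC-MD5 under the same key, and differ only in the client data that follows the MAC (an 8-byte client challenge for LMv2, a blob carrying TargetInformation for NTLMv2). The NT hash, challenges, names and zero timestamp are constructed sample values, and echoed_target_info is a hypothetical stand-in for the semantic check a server may or may not apply.

```python
import hashlib
import hmac
import struct

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def v2_key(nt_hash, user, domain):
    # Shared by LMv2 and NTLMv2: HMAC-MD5 keyed with the NT hash over
    # UTF-16LE(uppercase(user) + domain).
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def target_info(nb_domain):
    # AV_PAIR list: MsvAvNbDomainName (id 2), then MsvAvEOL (id 0, length 0).
    name = nb_domain.encode("utf-16-le")
    return struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)

def lmv2_response(key, server_chal, client_chal):
    # Client data is just the 8-byte client challenge.
    return hmac_md5(key, server_chal + client_chal) + client_chal

def ntlmv2_response(key, server_chal, client_chal, timestamp, tinfo):
    # Client data is the "blob": header, timestamp, client challenge,
    # the TargetInformation bytes, and a 4-byte terminator.
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_chal + b"\x00" * 4 + tinfo + b"\x00" * 4)
    return hmac_md5(key, server_chal + blob) + blob

def mac_ok(key, server_chal, response):
    # Server side, same check for both responses: recompute the HMAC over
    # the server challenge plus everything after the 16-byte MAC.
    return hmac.compare_digest(
        response[:16], hmac_md5(key, server_chal + response[16:]))

def echoed_target_info(response, expected):
    # Hypothetical semantic check: was the type 2 TargetInformation echoed?
    # 16-byte MAC + 28-byte blob header precede it; 4-byte terminator follows.
    return response[16 + 28:-4] == expected

# Constructed sample values (not from the original thread).
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHAL = bytes.fromhex("0123456789abcdef")
CLIENT_CHAL = bytes.fromhex("1122334455667788")
KEY = v2_key(NT_HASH, "user", "DOMAIN_A")
SERVER_TINFO = target_info("DOMAIN_B")  # what a type 2 message would carry
LMV2 = lmv2_response(KEY, SERVER_CHAL, CLIENT_CHAL)
FAKED = ntlmv2_response(KEY, SERVER_CHAL, CLIENT_CHAL, 0, target_info("DOMAIN_A"))
ECHOED = ntlmv2_response(KEY, SERVER_CHAL, CLIENT_CHAL, 0, SERVER_TINFO)
```

A fabricated TargetInformation still passes mac_ok because the client computes the MAC over whatever it sends; only a comparison against the server's own structure tells FAKED and ECHOED apart.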