[jcifs] NTLM Authentication and multiple domains
eglass1 at comcast.net
Thu Apr 22 08:14:30 GMT 2004
> Thanks a million Eric. I have a quick follow up question though. Say we do
> have trust relationships between the relevant NT domains, what if we have a
> scenario like:
>
> --> jorourke.foo.com
> --> jorourke.bar.foo.com
>
> How does that get resolved by the domain controller? Is this possible?
>
Is "jorourke" the username or a hostname? jCIFS uses the NT4-style domain
model based on NetBIOS; so while a machine might be in a DNS-style domain
"foo.com", that would be mapped to some NetBIOS domain (i.e. "FOO").

In the above, if "jorourke" is a machine name, both machines (I believe)
would need to have unique NetBIOS names; I *think* the namespace is global
(Mike or Chris could tell you for sure). So while you could have machines
in different primary domains/workgroups, the machine names would still need
to be unique globally.

If "jorourke" is a username above, the username needs to be unique within the
domain; this would typically be written as "FOO\jorourke" and "BAR\jorourke".
The full domain + username is used during NTLM authentication, so it would
generally be fully qualified. There are some edge cases; if you are
authenticating using a machine-local account to another machine, for example,
it will do some "fuzzy" authentication (basically seeing if there is a
user with the same username and password on the target).

Eric
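
Added example, not part of the original message and not jCIFS code: a self-contained Java helper that resolves input to an explicit NetBIOS-style domain and username pair, so that "FOO\jorourke" and "BAR\jorourke" stay distinct and an unqualified "jorourke" is refused instead of being matched loosely. The class name, the set of trusted domains and the rejection policy are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not part of jCIFS: turns user input into an
// explicit NetBIOS-style (domain, username) pair before NTLM authentication.
public class QualifiedAccount {
    final String domain;    // NetBIOS-style domain, e.g. "FOO"
    final String username;  // account name, unique only within that domain

    QualifiedAccount(String domain, String username) {
        this.domain = domain;
        this.username = username;
    }

    // Accepts only "DOMAIN\\user" where DOMAIN is one of the domains the
    // application trusts. Unqualified names are refused rather than guessed.
    static QualifiedAccount parse(String input, Set<String> trustedDomains) {
        int sep = input.indexOf('\\');
        if (sep < 0) {
            throw new IllegalArgumentException("unqualified account name: " + input);
        }
        String domain = input.substring(0, sep).toUpperCase(Locale.ROOT);
        String user = input.substring(sep + 1);
        if (user.isEmpty() || user.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("malformed account name: " + input);
        }
        if (!trustedDomains.contains(domain)) {
            throw new IllegalArgumentException("unknown NetBIOS domain: " + domain);
        }
        return new QualifiedAccount(domain, user);
    }

    public static void main(String[] args) {
        Set<String> trusted = Set.of("FOO", "BAR");  // constructed sample domains
        // Constructed inputs: two valid accounts sharing a username, one
        // unqualified name, and one DNS-style domain outside the trusted set.
        String[] inputs = { "FOO\\jorourke", "bar\\jorourke", "jorourke", "bar.foo.com\\jorourke" };
        for (String in : inputs) {
            try {
                QualifiedAccount a = parse(in, trusted);
                // With jCIFS 1.x, a.domain and a.username would be passed to
                // new NtlmPasswordAuthentication(domain, username, password).
                System.out.println(in + " -> domain=" + a.domain + " user=" + a.username);
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```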