[jcifs] NTLM Authentication and multiple domains

Christopher R. Hertel crh at ubiqx.mn.org
Thu Apr 22 19:35:05 GMT 2004


On Thu, Apr 22, 2004 at 02:46:17PM -0400, Michael B Allen wrote:
> eglass1 at comcast.net said:
> >
> >> Thanks a million Eric. I have a quick follow up question though. Say we
> >> do
> >> have trust relationships between the relevant NT domains, what if we
> >> have a
> >> scenario like:
> >>
> >> -->   jorourke.foo.com
> >> -->   jorourke.bar.foo.com
> >>
> >> How does that get resolved by the domain controller? Is this
> >> possible?
> >>
> >
> > Is "jorourke" the username or a hostname?  jCIFS uses the NT4-style domain
> > model based on NetBIOS; so while a machine might be in a DNS-style domain
> > "foo.com", that would be mapped to some NetBIOS domain (i.e. "FOO").
> 
> I believe the jcifs.smb.client.domainController can be a DNS name. I would
> have to look at the code but a DNS name in the SMB URL is valid and is not
> mapped to NetBIOS in any way. The first label is used to guess the
> "calling name" during session establishment but that's not too important
> with NT 4 or above which accepts the special calling name "SMBSERVER*".

Leading '*'...  "*SMBSERVER".  That's only in the TCP/139 Session Request.

The SMB URL allows you to locate an SMB server using either the DNS name 
or the NetBIOS name (or a raw IP address).  The *SMBSERVER name is used 
when no valid NetBIOS name is known.  Again, that's only needed over 
NBT-based filesharing.

The use of a NetBIOS name for NT Domain authentication is a different
puppy.  In an NT Domain environment, the NT Domain name is needed to
identify the NT Domain controller(s) that hold the SAM database against
which the authentication is performed.

If the server (could be a web server, could be an SMB server) is doing 
pass-through authentication, then it only really needs the IP address (or 
DNS name) of the password server.  I doubt that Windows machines will 
interpret an IP or DNS name properly, however.  I *think* that they will 
require a NetBIOS name.  Worth testing the theory.

On the other hand, jCIFS (operating on the webserver) could easily make 
use of a DNS name or IP address, if it's doing pass-through auth.

If NT Domain auth is being done (that's the RPC-based stuff) then I have 
no idea whether a DNS name/IP address would work.

> > In the above, if "jorourke" is a machine name, both machines (I believe)
> > would need to have unique NetBIOS names; I *think* the namespace is global
> > (Mike or Chris could tell you for sure).  So while you could have machines
> > in different primary domains/workgroups, the machine names would still
> > need
> > to be unique globally.
> 
> Provided what I claim above is true I think DNS names will work. They do
> not have to be unique. I don't think domain authentication interacts too
> much (at all?) with NetBIOS.

Not sure.  Worth playing with it.

NT Domain auth means that the server (web or SMB) does a machine logon to 
the DC and accesses the SAM directly using RPC calls.  I don't think that 
jCIFS does those RPC calls yet, so I don't think that we can do "real" NT 
Domain auth yet.  If jCIFS is running on the server, my understanding is 
that we're doing pass-through.  If the client is a Windows client, it's 
likely to send us the NT Domain name, so having NT Domain name conflicts 
won't work.

If jCIFS is running as the client, then it could send an IP address or DNS 
name in the Domain field of the request.  I don't know how a Samba or 
Windows server will handle that.  It may or may not depend on the auth 
mode of the server (pass-through vs. NT Domain).

Geez this is complex goo.

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
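An added example, not jCIFS code and not from this thread, of the TCP/139 NBT Session Request Chris refers to: it pads and first-level encodes a called/calling name pair per RFC 1001/1002, guesses the calling name from the first DNS label, and falls back to *SMBSERVER when the SMB URL host cannot be a NetBIOS name. The host and DNS names used are constructed, and the fallback rule in called_name is an assumed policy for illustration.

```python
import struct

NBT_SESSION_REQUEST = 0x81  # RFC 1002 session service: SESSION REQUEST type


def netbios_name(name, suffix=0x20):
    """Pad a NetBIOS name to 15 bytes and append the one-byte suffix
    (0x20 = Server service for the called name, 0x00 = Workstation)."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def encode_name(name16):
    """RFC 1001 first-level encoding: each of the 16 bytes becomes two
    letters 'A'..'P' (high nibble, low nibble), giving a 32-byte label
    framed by its length byte and a 0x00 terminator (34 bytes total)."""
    letters = bytearray()
    for b in name16:
        letters += bytes([ord("A") + (b >> 4), ord("A") + (b & 0x0F)])
    return bytes([32]) + bytes(letters) + b"\x00"


def decode_name(encoded):
    """Reverse of encode_name; returns (name, suffix) from a captured request."""
    letters = encoded[1:33]
    raw = bytes(((letters[i] - 65) << 4) | (letters[i + 1] - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def called_name(host):
    """Use the SMB URL host as the called name only if it can be a NetBIOS
    name (one label, <= 15 chars, not an IP address); otherwise fall back to
    *SMBSERVER, which NT4 and later accept over TCP/139 (assumed policy)."""
    if "." not in host and len(host) <= 15 and not host.isdigit():
        return netbios_name(host, 0x20)
    return netbios_name("*SMBSERVER", 0x20)


def calling_name(local_dns_name):
    """Guess our own calling name from the first DNS label, as Mike describes."""
    return netbios_name(local_dns_name.split(".")[0][:15], 0x00)


def session_request(host, local_dns_name):
    """Build the complete 72-byte SESSION REQUEST sent first on port 139."""
    body = encode_name(called_name(host)) + encode_name(calling_name(local_dns_name))
    return struct.pack(">BBH", NBT_SESSION_REQUEST, 0, len(body)) + body
```

decode_name is the half a defender uses when reading a capture: the 32-letter label "CKFDENECFDEFFCFGEFFCCACACACACACA" is the wire form of *SMBSERVER.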

