[jcifs] NTLM Authentication and multiple domains

Christopher R. Hertel crh at ubiqx.mn.org
Thu Apr 22 21:54:52 GMT 2004

On Thu, Apr 22, 2004 at 05:24:42PM -0400, Michael B Allen wrote:
> > Domain auth yet.  If jCIFS is running on the server, my understanding is
> > that we're doing pass-through.
> Actually we don't even do true "pass-through" authentication. That
> requires RPCs as well IIRC. We just tree connect on IPC$ using UniAddress
> to resolve jcifs.smb.client.domainController.

Pass-through doesn't use RPCs.  It's what Win9x boxes do when they are 
"domain members" (which they aren't, but that's another issue).  With 
pass-through, the server performs a man-in-the-middle attack.  Sort of.

Basically, the client connects to the server and says "I want to log on".  
The server then SMB-connects to the password server (any SMB server will 
do, but it's generally a DC) and says "I want to log on".  The password 
server (DC) sends back a challenge which the server passes along to the 
client.  The client generates the response and hands it to the server, 
which passes it through to the password server (DC).  Basically, the 
pickle-in-the-middle is faking the logon using the client's response.

All of that is done with standard SMBs.  No RPC required.

> Now if we're talking about jcifs.smb.client.domain. That *does* need to be
> a NetBIOS name as it is the domain name queried unsing the NBNS.

Not sure.  Yet another bit of jCIFS I need to understand better.

Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the jcifs mailing list