[jcifs] ntlmv2
Christopher R. Hertel
crh at ubiqx.mn.org
Wed Dec 1 19:57:19 GMT 2004
Doing an upper-case conversion is probably the correct thing in this case.
The Samba client tools always convert to upper-case (if I recall the
source correctly, this is in the NBT name handling code). This isn't
necessarily a good idea, since Microsoft and others have introduced
lower-case and mixed-case names. I suspect that the programs that do this
are dealing directly with the NetBIOS API, and not going through
intermediate layers that would do the up-case conversion for them.
The upshot is that I had to write my own tools in order to work with these
names. Old IBM docs say that the names must be all upper-case, but it
becomes a theory vs. practice issue.
There are also other programs out there that register names with a <20>
suffix byte. Ick.
Chris -)-----
On Wed, Dec 01, 2004 at 01:54:21PM -0500, Michael B Allen wrote:
> On Wed, 1 Dec 2004 10:43:24 -0800
> "O'Rourke, James" <jorourke at rsasecurity.com> wrote:
>
> > I'm am seeing an issue whereby when I force NTLMv2 on jcifs, domain
> > controllers and the client (IE), authentication fails when I try to
> > enter the domain name in lowercase. It succeeds when I enter it in upper
> > case. Essentially the configuration is as follows:
> >
> > client connects via IE to our servers which essentially proxy the NTLMv2
> > handshake for domain controllers. We talk to the domain controllers
> > through jcifs.
> >
> > Any suggestions would be of help.
>
> Oh, crud I forgot about this. Someone reported that the fix is to add
> toUpperCase() in src/jcifs/ntlmssp/Type3Message.java:
>
> --- src.0/jcifs/ntlmssp/Type3Message.java Wed Dec 1 13:50:22 2004
> +++ src/jcifs/ntlmssp/Type3Message.java Wed Dec 1 13:49:38 2004
> @@ -325,7 +325,7 @@
> byte[] domain = null;
> if (domainName != null && domainName.length() != 0) {
> domain = unicode ?
> - domainName.getBytes("UnicodeLittleUnmarked") :
> +
> domainName.toUpperCase().getBytes("UnicodeLittleUnmarked") :
> domainName.toUpperCase().getBytes(oem);
> }
> int domainLength = (domain != null) ? domain.length : 0;
>
> BTW: We do not support NTLMv2 but if you choose lmCompatibility of 3 it
> will negotiate LMv2.
>
> I'll wait a few days to make sure there are no suprises in the 1.1.3 fix
> and do another release. Maybe you can patch a jar yourself for a while.
>
> Mike
>
> --
> Greedo shoots first? Not in my Star Wars.
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the jcifs
mailing list