[jcifs] Problems with certain clients using NTLM filter

eglass1 at comcast.net eglass1 at comcast.net
Thu Feb 19 12:54:45 GMT 2004



> Will this work even if servers are set to 4 or 5? Please review the latest
> FAQ entry and let me know how I can improve any.
> 

Depends; there are really two scenarios.

1) General SMB client stuff (using SmbFiles, etc.).  As far as jCIFS is
concerned in this regard, there are really 3 settings:

    1) jcifs.smb.lmCompatibility = 0 or 1: Send LM and NTLM
    2) jcifs.smb.lmCompatibility = 2: Send NTLM in both fields
    3) jcifs.smb.lmCompatibility = 3, 4, or 5: Send just LMv2

This is consistent with the corresponding registry setting on a Windows
client (except they send LMv2 and NTLMv2 for 3, 4, or 5).

2) NTLM filter (HTTP authentication).  Here, we are effectively a
man-in-the-middle; to the SMB server, we act the same as above.  The
critical difference is that we don't create the hashes, we get them from
the client browser.  What we end up doing is just stuffing the LM/LMv2
response into the CaseInsensitivePassword field and sending it on to the
SMB server.

This will work great if the end client (i.e., web browser) has the registry
setting set to 3, 4, or 5; what ends up happening is we pass the LMv2 response
on to the SMB server and they get authenticated.

It can get tricky, however, if the end client is set to 0, 1, or 2.  From the
jCIFS standpoint we don't care; we just stick the LM response in and send it
on.  From the SMB server's perspective, however, they get an empty
CaseSensitivePassword and a CaseInsensitivePassword containing either the
LM response (0 or 1) or the NTLM response (2).

If the SMB server has the corresponding setting at 3, this will still work
(as it looks like either an LM or NTLM authentication has occurred).  If they
are set to 4, it will work only if the end client was set to 2 (as LM
authentication is disabled under 4).  If they are set to 5, it won't work
at all (as the SMB server will only accept LMv2/NTLMv2 at that level).

So if your clients match your servers, you should be fine.  If they don't, you
may encounter problems; but you'd encounter the same problems with or without
jCIFS.


Eric
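
The client/server combinations described in the message above, worked through as a small model. This is an added example, not part of the original post and not jCIFS code; the function names are hypothetical, and server levels 0-2 (which the post does not discuss) are assumed to accept the same responses as level 3.

```python
# Added illustration: a model of the rules stated in the post, not jCIFS code.
# Function names are hypothetical.
LEVELS = range(6)  # values of the LM compatibility setting, 0..5

def browser_response(client_level):
    """Response type the filter receives from the browser, per the post."""
    if client_level not in LEVELS:
        raise ValueError("level must be 0..5")
    if client_level <= 1:
        return "LM"
    if client_level == 2:
        return "NTLM"
    return "LMv2"

def forwarded_fields(client_level):
    """What the filter sends to the SMB server: the browser's response goes
    into CaseInsensitivePassword and CaseSensitivePassword stays empty."""
    return {"CaseInsensitivePassword": browser_response(client_level),
            "CaseSensitivePassword": None}

def server_accepts(server_level, response):
    """Server policy. The post covers levels 3, 4 and 5; levels 0-2 are
    assumed here to accept the same responses as level 3."""
    if server_level not in LEVELS:
        raise ValueError("level must be 0..5")
    if server_level == 5:
        return response in ("LMv2", "NTLMv2")
    if server_level == 4:
        return response != "LM"
    return True

def filter_auth_works(client_level, server_level):
    fields = forwarded_fields(client_level)
    return server_accepts(server_level, fields["CaseInsensitivePassword"])

def failing_pairs():
    """(client_level, server_level) combinations that fail authentication."""
    return [(c, s) for c in LEVELS for s in LEVELS
            if not filter_auth_works(c, s)]

if __name__ == "__main__":
    print("client\\server " + " ".join(str(s) for s in LEVELS))
    for c in LEVELS:
        row = " ".join("Y" if filter_auth_works(c, s) else "-" for s in LEVELS)
        print(f"{c:>13} {row}")
    print("failing:", failing_pairs())
```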

