[jcifs] Re: jcifs versions (packet-signing)

[Michael B Allen]

> I just found out that we do have packet signing turned on to required in
> the win2003 domain controller. jcifs authentication seems to work with
> 0.7.3.  I am using only the HttpFilter functionality of jcifs and do not
> use jcifs after authentication.

As described by Eric, only SMBs that follow authentication need to be actually
signed. That is why versions that do not support signing actually work with
servers that require it. Because it was assumed that SMBs would follow
authentication an Exception was coded to be thrown if password hashes are
determined to be inadiquate to generate MAC signing key. However because the NTLM
HTTP filter does not send additional SMBs signing will never actually occur. The
Exception is only generated if the password hashes are "externel" meaning from the
NTLM HTTP Filter but this is precisely the case where signing will never occur.
Therefore, the solution is simple matter of eliminating this exception so that
additional SMBs will generate a signing error but the NTLM HTTP Filter will be
permitted to proceed without error.

I'll fix this and post 0.7.18 tonight.

> I will try to send you guys a packet
> capture ASAP. I have to figure out how to do it first..:-(

Well I don't think we need it any more but for future reference:

  http://users.erols.com/mballen/jcifs/capture.html

>
> Where do I get jcifs jar of 0.7.12 ?  Does that version have the benign
> "socket closed" stack trace issue?...

Yes it does. Use 0.7.18.

Mike

-- 
A program should be written to  model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the  potential for it  to be applied  to tasks that are
conceptually similar and, more  important, to tasks that have not
yet been conceived.