[jcifs] Re: jcifs versions

Gary Rambo c-grambo at aventail.com
Thu Jan 8 01:50:23 GMT 2004 

Michael,

I'm fairly sure I saw the same Unverifiable signature exception using 
8.0b chasing a dfs root a couple of weeks ago.

Thanks.

Gary

Michael B Allen wrote:

>Ah. Ok. 0.7.18 coming up....stay on target...stay on target...
>
>
>  
>
>>>Prior to jCIFS 0.7.13 there is no support for signing. So how are you
>>>      
>>>
>using
>  
>
>>>0.7.3 if your Windows 2003 server is configured to require signing?
>>>      
>>>
>Is it
>  
>
>>>possible that it does not require signing? Is it possible that you
>>>      
>>>
>are really
>  
>
>>>authenticating against a different server? JCIFS will only use
>>>      
>>>
>signing if the
>  
>
>>>server requires it or if jcifs.smb.client.signingPreferred is
>>>      
>>>
>explicitly set
>  
>
>>>to true. Also, signing and NTLM HTTP Authentication do NOT work
>>>      
>>>
>together
>  
>
>>>because the original password or precursor password hash is required
>>>      
>>>
>to
>  
>
>>>generate the MAC signing key. So I am very interested in how you
>>>      
>>>
>managed to
>  
>
>>>get a version of jCIFS that doesn't support SMB signing at all to
>>>      
>>>
>work with
>  
>
>>>your Windows 2003 server that requires it! Perhaps you could take a
>>>      
>>>
>packet
>  
>
>>>capture of your current working setup with jcifs-0.7.3 and verify
>>>      
>>>
>that the
>  
>
>>>server is really requiring signing.
>>>      
>>>
>>This is an edge case (though I suspect a prevalent one); currently,
>>    
>>
>jCIFS
>  
>
>>throws an exception in SmbTransport.initSigning if the
>>NtlmPasswordAuthentication object has "external" hashes (i.e., in the
>>    
>>
>case of
>  
>
>>HTTP auth).  In reality, however, signing doesn't start until the
>>    
>>
>session
>  
>
>>setup response from the server.  So previous jCIFS versions would
>>    
>>
>authenticate
>  
>
>>successfully; you just wouldn't be able to perform any SMB operations
>>    
>>
>*after*
>  
>
>>authentication.  The current implementation fails artificially before
>>authentication completes, so the noted behavior occurs.
>>
>>One remediation would be to remove the exception throw in initSigning
>>    
>>
>(just
>  
>
>>set useSigning to false); HTTP auth would work normally except in the
>>    
>>
>case of
>  
>
>>something like Davenport (where it is expecting to use the
>>NtlmPasswordAuthentication object to access resources after
>>    
>>
>authentication).
>  
>
>>Eric
>>
>>    
>>
>
>
>  
>

More information about the jcifs mailing list