[jcifs] Re: Request: Jcifs + Win 2003 / Active Directory

SAlappatt at unicacorp.com SAlappatt at unicacorp.com
Thu Jan 22 01:03:52 GMT 2004


Hi Andrew,

We have in our environment Win2003 server with AD support and
server side signing turned on. We had issues because of the signing stuff
but that has been resolved in the 07.18 drop of jcifs. So if you are
planning to use the jcifs code ONLY for authentication, I think you should
be ok if you use 0.7.18. I am not sure about the NTLMv2 stuff, though.

I quote the famous words of the DEVELOPER == "it work on my machine".

cheers,
-Siby



"Michael B Allen" <mba2000 at ioplex.com> 
Sent by: jcifs-bounces+salappatt=unicacorp.com at lists.samba.org
01/21/2004 07:45 PM

To: "Andrew Stevens" <andrew.stevens at gsjbw.com>
cc: jcifs at samba.org
Subject: [jcifs] Re: Request: Jcifs + Win 2003 / Active Directory

Andrew Stevens said:
> I hope you don't mind that I've emailed you directly. Here's my problem...

Hi Andrew,

I work for a large financial as well so I know you have certain privacy
considerations but this *is* an Open Source project so we need to try to
keep this high level stuff on the mailing list.

> We have a nice implementation of jcifs NTLM HTTP (filter) authorisation
> working --> Tomcat on Linux / NT4 Servers for domains etc.
> To get the implementation approved, our Security Manager wants me to
> definitively state whether this will work with Win2000 and Win2003.
> Specifically to state whether this will work with Active Directory.
> He has a test environment running Win2003 & AD. I supplied a bundled
> Tomcat & JCIFS to try in that environment.
> Apparently it didn't work, but he couldn't provide much details as to why
> (maybe he doesn't want it to work. I'm not sure.)
>
> So, can you provide me with a summary of the state of Jcifs with Active
> Directory?

I don't think AD is involved at all. All JCIFS is doing is using NTLM
password hashes supplied by IE to authenticate users against IPC$ on the
domain controller (or an intermediate machine that will communicate with
the domain controller such as the web server). But frankly I do not know a
lot about AD.

> Does this imply NTLMv2? I've read JCIFS may or may not work with NTLMv2.
> Do you know much about the conditions which allow this to work or not?

JCIFS does NOT support NTLMv2. It does however support LMv2 which from a
security standpoint is claimed to be as good as NTLMv2. How that would
work in the recommended MS environment with AD I just don't know yet.

> Are there specific settings which I can change to make this work? Or is it
> a case of me needing to develop a custom NTLM HTTP filter based on the JCIFS
> packages?

The only practical way to determine what would be necessary for it to work
in the said environment is to try it.

Mike
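
For readers of the archive, an added example (not part of this thread and not jcifs code) of how the LMv2 response mentioned above is built and checked on the verifier side; it is keyed with the same HMAC-MD5 "NTLMv2 hash" that the NTLMv2 response uses. Assumptions: the domain is used as supplied (some implementations uppercase it), and the NT hash, user, domain and challenges are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real account or capture.
NT_HASH = bytes(range(16))                 # stands in for MD4(UTF-16LE(password))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("ffeeddccbbaa9988")


def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def lmv2_response(v2_hash: bytes, server_challenge: bytes,
                  client_challenge: bytes) -> bytes:
    """24 bytes: HMAC-MD5(v2_hash, server || client challenge) + client challenge."""
    if len(server_challenge) != 8 or len(client_challenge) != 8:
        raise ValueError("both challenges must be 8 bytes")
    proof = hmac.new(v2_hash, server_challenge + client_challenge,
                     hashlib.md5).digest()
    return proof + client_challenge


def verify_lmv2(v2_hash: bytes, server_challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the proof using the client challenge that
    travels in the last 8 bytes of the response, then compare in constant time."""
    if len(response) != 24:
        return False
    expected = lmv2_response(v2_hash, server_challenge, response[16:])
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = ntlmv2_hash(NT_HASH, "alice", "EXAMPLE")
    resp = lmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE)
    print("LMv2 response:", resp.hex())
    print("accepted for issued challenge:", verify_lmv2(key, SERVER_CHALLENGE, resp))
    print("accepted for other challenge: ", verify_lmv2(key, bytes(8), resp))
```
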
