[jcifs] Authentication problem using NTLMHttpFilter with jcifs
0.9.5
Michael B Allen
mba2000 at ioplex.com
Mon Jul 5 20:29:13 GMT 2004
On Mon, 5 Jul 2004 09:54:56 +0200
"Holger Hartmann" <Holger.Hartmann at abaxx.de> wrote:
> Hi,
>
> i use the the NTLMHttpFilter in Version 0.8.3 with jcifs property
> jcifs.http.domainController = 10.1.1.10 and it all worked very well.
>
> After upgrading to release 0.9.5 i get an authentication error with my
> account.
>
> I examined the logfile (with property -Djcifs.util.log=ALL in 0.8.3 and
> -Djcifs.util.loglevel=10 in 0.9.5) and
> the only difference i can see is that in 0.9.5 i have the following
> output:
>
> ...
> treeConnect: unc=\\10.1.1.10\IPC$,service=?????
> sessionSetup: accountName=myAccount,primaryDomain=myDomain
> treeConnect: unc=\\10.1.1.10\IPC$,service=?????
> sessionSetup: accountName=GUEST,primaryDomain=?
> LM_COMPATIBILITY=0
> ...
>
> In contrast the 0.8.3 ouput is as following:
>
> Jul 5 09:29:24.625 - smb tree connect warning
> requesting tree connect with unc=\\10.1.1.10\IPC$,service=?????
> Jul 5 09:29:24.625 - smb session setup warning
> requesting session with accountName=myAccount,primaryDomain=myDomain
> Jul 5 09:29:24.640 - smb sent
>
>
> Why does jcifs try to authenticate as user GUEST with Version 0.9.5 ?
I suspect what was happening was that you were authenticating all users
against the domain controller as GUEST. Prior to jCIFS 0.9.1 if the
credentials passed to the server could not be authenticated the server
would return success anyway but indicate that the user is "logged in as
GUEST". JCIFS would treat the success as a successful authentication for
the provided credentials which is not true. A user could change their
IE security settings to present the Network Password Dialog every time
credentials are negotiated, enter completely bogus credentials and get
in. Try it on the old setup. I bet it works. To prevent this, with 0.9.1
we check to see if the "is logged in as GUEST" bit is on and throw an
SmbAuthException. This is probably what you're seeing. For most networks
the GUEST account is disabled so this isn't a problem.
The remedy is to determine why the credentials are failing. I suspect
the domain controller isn't really an authority for your domain or the
client workstations aren't really members the domain. Most setups are
basically IE on a Windows workstation that is "joined" to a Windows domain
controller that is an authority for (or has a trust relationship with a
domain that is an authority for) users logging into that workstation. If
your setup deviates from this please indicate so.
Not a separate problem is why 0.9.5 is trying to use GUEST at all. Equally
strange is why GUEST fails to authenticate if you have it enabled.
Please send me the full log directly.
Mike
--
Greedo shoots first? Not in my Star Wars.
More information about the jcifs
mailing list