[jcifs] jcifs-0.9.5 timeout on the Windows 2003 domain controller

John Jih John.Jih at Halliburton.com
Thu Jul 22 15:56:59 GMT 2004


Eric:

Please advise the following method:

Use the following <init-param> to pre-authenticate with one workstation
user ID.

<init-param>
    <param-name>jcifs.smb.client.domain</param-name>
    <param-value>MYDOMAIN</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.username</param-name>
    <param-value>myusername</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.password</param-name>
    <param-value>mypassword</param-value>
</init-param>
<init-param>
    <param-name>jcifs.netbios.wins</param-name>
    <param-value>10.10.2.20</param-value>
</init-param>


Then add the following param to authenticate the web application user's
information with a specific Domain Controller or group of Domain
Controllers. Is this the recommended way to work with the Windows 2003
Domain Controller environment?

<init-param>
    <param-name>jcifs.http.domainController</param-name>
    <param-value>10.10.3.55,10,10.3.56</param-value>
</init-param>

Thanks,
John Jih
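As an added check (not code from this thread or from jCIFS), the script below lints the NTLM filter's <init-param> block for the problems discussed in this thread: the misnamed jcifs.http.auth.ntlm.domain parameter, a mistyped address in the jcifs.http.domainController list, a domain configured without credentials on a Windows 2003 DC, and the plaintext password in web.xml. The web.xml fragment and the filter declaration are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical), mirroring the init-params in this thread,
# including the mistyped domain-controller list "10.10.3.55,10,10.3.56".
SAMPLE_WEB_XML = """<web-app><filter>
  <filter-name>NtlmHttpFilter</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
  <init-param><param-name>jcifs.smb.client.domain</param-name><param-value>MYDOMAIN</param-value></init-param>
  <init-param><param-name>jcifs.smb.client.username</param-name><param-value>myusername</param-value></init-param>
  <init-param><param-name>jcifs.smb.client.password</param-name><param-value>mypassword</param-value></init-param>
  <init-param><param-name>jcifs.http.auth.ntlm.domain</param-name><param-value>MYDOMAIN</param-value></init-param>
  <init-param><param-name>jcifs.http.domainController</param-name><param-value>10.10.3.55,10,10.3.56</param-value></init-param>
</filter></web-app>"""

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

def init_params(xml_text):
    """Map every <init-param> name to its value (whitespace stripped)."""
    root = ET.fromstring(xml_text)
    return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
            for p in root.iter("init-param")}

def lint(params):
    """Return a list of findings about the NTLM filter's parameters."""
    findings = []
    if "jcifs.http.auth.ntlm.domain" in params:
        findings.append("jcifs.http.auth.ntlm.domain is not a jCIFS parameter and is ignored")
    if "http.auth.ntlm.domain" in params:
        findings.append("http.auth.ntlm.domain configures client-side HTTP NTLM, not the filter")
    dc = params.get("jcifs.http.domainController", "")
    for host in (h.strip() for h in dc.split(",") if h.strip()):
        # A numeric token that is not a dotted quad is almost always a typo in the list.
        if re.fullmatch(r"[\d.]+", host) and not IPV4.match(host):
            findings.append("malformed domain controller address '%s'" % host)
    if not dc and "jcifs.smb.client.domain" not in params:
        findings.append("no domain controller or domain set: the local host (servlet container) will be used")
    if "jcifs.smb.client.domain" in params and not (
            "jcifs.smb.client.username" in params and "jcifs.smb.client.password" in params):
        findings.append("domain set without username/password: SMB signing (default on Windows 2003) may fail")
    if "jcifs.smb.client.password" in params:
        findings.append("jcifs.smb.client.password is stored in plaintext in web.xml: restrict read access")
    return findings

if __name__ == "__main__":
    for line in lint(init_params(SAMPLE_WEB_XML)):
        print("WARN:", line)
```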


-----Original Message-----
From: Eric Glass [mailto:eric.glass at gmail.com] 
Sent: Wednesday, July 21, 2004 7:21 PM
To: John Jih
Cc: jCIFS Mailing List
Subject: Re: [jcifs] jcifs-0.9.5 timeout on the Windows 2003 domain
controller

1)  I see the confusion.  "http.auth.ntlm.domain" (not
"jcifs.http.auth.ntlm.domain") is used for client-side HTTP
connections.  This is used to connect to an NTLM protected site from
an application, using something like:

    URL url = new URL("http://server/dir/file.txt");
    url.openStream();

Sun's JDK on Windows can connect to NTLM servers; jCIFS allows other
platforms to do the same.  The "http.auth.ntlm.domain" parameter is
used by Sun, so we use it as well for compatibility.  This client-side
functionality is unrelated to the server-side filter functionality,
however.

2)  Windows 2003 servers use SMB signing by default.  Try specifying
the "jcifs.smb.client.domain", "jcifs.smb.client.username", and
"jcifs.smb.client.password" parameters, i.e.:

<init-param>
    <param-name>jcifs.smb.client.domain</param-name>
    <param-value>MYDOMAIN</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.username</param-name>
    <param-value>myusername</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.password</param-name>
    <param-value>mypassword</param-value>
</init-param>

The filter will connect with the domain controller for MYDOMAIN using
this password to set up signing (which requires knowledge of an
account password).  Subsequent authentications can use this
preauthenticated connection, which should eliminate the errors you are
getting.  You can specify any valid account credentials.

3)  If you don't specify a domain controller (using
"jcifs.http.domainController") or a domain (using
"jcifs.smb.client.domain") it will find the local host (i.e. the
servlet container).  That server will have its own connection to a
domain controller somewhere (doesn't really matter where in most
cases).

The preferred method is to specify "jcifs.smb.client.domain" (giving a
domain name) and "jcifs.netbios.wins" (which specifies the address of
a WINS server for name resolution).  This allows jCIFS to load balance
between multiple domain controllers on the back end (it will find the
available domain controllers for the domain you specify).  Note that
since your controllers are Windows 2003, you may need to specify a
username and password as mentioned above to set up the domain
controller connections.  So you'd probably be pretty well off with
something like:

<init-param>
    <param-name>jcifs.smb.client.domain</param-name>
    <param-value>MYDOMAIN</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.username</param-name>
    <param-value>myusername</param-value>
</init-param>
<init-param>
    <param-name>jcifs.smb.client.password</param-name>
    <param-value>mypassword</param-value>
</init-param>
<init-param>
    <param-name>jcifs.netbios.wins</param-name>
    <param-value>10.10.2.20</param-value>
</init-param>

If you don't know your WINS server address, you can do "ipconfig /all"
under a Windows command prompt; one or more will typically be listed
in the output.

Alternatively, you should also be able to continue connecting to the
local box (your application server).  It's a bit strange that you're
seeing intermittent issues doing so; you might try specifying its IP
address explicitly (using "jcifs.http.domainController" =
appServerIPAddress).  The advantage to this would be that you can be
relatively certain the SMB server will be up and running (since it's
on the same box as the application server).


Eric

----- Original Message -----
From: John Jih <john.jih at halliburton.com>
Date: Wed, 21 Jul 2004 15:46:21 -0500
Subject: RE: [jcifs] jcifs-0.9.5 timeout on the Windows 2003 domain
controller
To: Eric Glass <eric.glass at gmail.com>
Cc: jCIFS Mailing List <jcifs at lists.samba.org>

Eric:

1. Please visit this site to see the documentation of the
'jcifs.http.auth.ntlm.domain'.

http://jcifs.samba.org/src/docs/httpclient.html

2. No matter whether I use 'jcifs.http.domainController' or
'jcifs.smb.client.domain', if it is for a Windows 2003 Domain Controller, I
got the following authentication prompt; it does not happen on a Windows
2000 DC. Even typing in the correct password, it still does not let me in.

3. You were right on the web.xml file; if I clean up all the <init-param>,
it allows me to visit the page. Would you explain how it can be done? Does
it use the Web application server to authenticate the user? But from which
Domain Controller?

Thanks,

John Jih


-----Original Message-----
From: Eric Glass [mailto:eric.glass at gmail.com]
Sent: Wednesday, July 21, 2004 12:32 PM
To: John Jih
Cc: jCIFS Mailing List
Subject: Re: [jcifs] jcifs-0.9.5 timeout on the Windows 2003 domain
controller

> 1. We used jcifs.http.domainController (with jcifs-0.7.14 or 0.9.1 and
> beyond) on win2000 DC before, until all our DC will be upgraded to
> win2003, this parameter caused the ID and Password prompt, after three
> tries, it gives us the blank web page. We tried on jcifs-0.8.2, it
> actually worked for us without the ID, Password prompt.
>

Sending a packet trace to either Mike or myself would help in
troubleshooting this.

> 2. The "jcifs.http.auth.ntlm.domain" works for jcifs-0.9.1 and beyond at
> least, but the only problem is we got 1 to 4 timeouts a day or no
> timeout for several days for win2003 DC. That is higher frequency than
> using win2000 DC, we suspect the network traffic or DC overload or maybe
> helpdesk support messed with the DC at that time.
>

"jcifs.http.auth.ntlm.domain" isn't a valid jCIFS parameter; it is
meaningless.  You would get the same result removing it completely.
jCIFS will end up using the local netbios name you've defined using
the "jcifs.netbios.hostname" parameter.  In your example, this is
"MY_DEV_9009"; that's the box that will end up being used as the DC.

Eric
