[jcifs] Dealing with simultaneous users in a Win2k3 environment

Eric eglass1 at comcast.net
Mon Mar 22 01:00:58 GMT 2004

>>>>1. new SmbFile("smb://").listFiles()  --> Fails (expected because no
>>>>authentication was given)
>>>Actually I don't recall ever seeing this fail. All systems that I work
>>>with use null credentials to get the list of domains. Maybe Win2k3
>>>that. Donno. What was the error?

Our problem (I *think*) is that we're trying to verify the server's 
signature on the session setup response when the session setup was 
unsuccessful.  The server is sending back a session setup response 
indicating an error condition; we're trying to verify that the signature 
on that response is valid according to the credentials we used (which it 
apparently isn't, which makes sense since the setup didn't succeed).  We 
then throw the "Unverifiable signature" error on our side and close the 
connection (rather than retrying as anonymous, which would probably work).

The reason this works *after* connecting as a valid user is that signing 
is per-transport rather than per-session; once signing is set up as the 
authenticated user, future sessions use the same signing credentials (so 
the signature is valid irrespective of the credentials provided for the 
guest user).

We should probably try adding a check after verifying to reset signing 
if the verification failed and the packet is a session setup response 
with an error condition:

if( useSigning ) {
     response.verifyFailed = verify(rcv_buf, 0, response);
     if (response.verifyFailed && response.errorCode != 0 &&
             (response instanceof SmbComSessionSetupAndXResponse)) {
         macSigningKey = null;
         response.verifyFailed = false;

Doing the reset after the verification allows us to keep going normally 
in the event signing is already established for the channel (i.e., we 
get an error during session setup, but the signature is fine).


More information about the jcifs mailing list