[jcifs] Dealing with simultaneous users in a Win2k3 environment
Eric
eglass1 at comcast.net
Mon Mar 22 01:00:58 GMT 2004
>>>>1. new SmbFile("smb://").listFiles() --> Fails (expected because no
>>>>authentication was given)
>>>
>>>Actually I don't recall ever seeing this fail. All systems that I work
>>>with use null credentials to get the list of domains. Maybe Win2k3 changed
>>>that. Donno. What was the error?

Our problem (I *think*) is that we're trying to verify the server's
signature on the session setup response when the session setup was
unsuccessful. The server is sending back a session setup response
indicating an error condition; we're trying to verify that the signature
on that response is valid according to the credentials we used (which it
apparently isn't, which makes sense since the setup didn't succeed). We
then throw the "Unverifiable signature" error on our side and close the
connection (rather than retrying as anonymous, which would probably work).

The reason this works *after* connecting as a valid user is that signing
is per-transport rather than per-session; once signing is set up as the
authenticated user, future sessions use the same signing credentials (so
the signature is valid irrespective of the credentials provided for the
guest user).

We should probably try adding a check after verifying to reset signing
if the verification failed and the packet is a session setup response
with an error condition:

    if( useSigning ) {
        response.verifyFailed = verify(rcv_buf, 0, response);
        if (response.verifyFailed && response.errorCode != 0 &&
                (response instanceof SmbComSessionSetupAndXResponse)) {
            macSigningKey = null;
            response.verifyFailed = false;
        }
    }

Doing the reset after the verification allows us to keep going normally
in the event signing is already established for the channel (i.e., we
get an error during session setup, but the signature is fine).
Eric
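
The decision rule proposed in the message above, as an added stand-alone model (not part of the original post and not jcifs code). The class, method and result names are hypothetical, and a non-null key stands in for the useSigning flag; it runs the rule over four constructed responses so the outcomes can be compared side by side.

```java
// Added illustration: models only the accept/reset/reject decision, no real SMB I/O.
public class SigningResetModel {
    static final int SESSION_SETUP_ANDX = 0x73; // SMB_COM_SESSION_SETUP_ANDX
    static final int TREE_CONNECT_ANDX = 0x75;  // SMB_COM_TREE_CONNECT_ANDX

    byte[] macSigningKey; // per-transport; null means signing is not active

    SigningResetModel(byte[] key) { macSigningKey = key; }

    /** Returns "ACCEPT", "ACCEPT_SIGNING_RESET" or "REJECT" for one response. */
    String handle(int command, int errorCode, boolean signatureValid) {
        if (macSigningKey == null) {
            return "ACCEPT"; // no key, nothing to verify against
        }
        boolean verifyFailed = !signatureValid;
        if (verifyFailed && errorCode != 0 && command == SESSION_SETUP_ANDX) {
            // The rule as written cannot tell a key derived from the refused
            // credentials from one set up by an earlier session on the same
            // transport: either way signing is cleared for the whole transport.
            macSigningKey = null;
            return "ACCEPT_SIGNING_RESET";
        }
        return verifyFailed ? "REJECT" : "ACCEPT";
    }

    public static void main(String[] args) {
        byte[] key = {1, 2, 3, 4};      // constructed placeholder key
        int logonFailure = 0xC000006D;  // STATUS_LOGON_FAILURE

        // 1. Failed session setup, signature does not match: reset and keep the connection.
        SigningResetModel t1 = new SigningResetModel(key);
        System.out.println("1: " + t1.handle(SESSION_SETUP_ANDX, logonFailure, false));
        System.out.println("   signing active afterwards: " + (t1.macSigningKey != null));

        // 2. Failed session setup, signature is fine: signing stays in place.
        SigningResetModel t2 = new SigningResetModel(key);
        System.out.println("2: " + t2.handle(SESSION_SETUP_ANDX, logonFailure, true));
        System.out.println("   signing active afterwards: " + (t2.macSigningKey != null));

        // 3. Bad signature on any other command is still rejected.
        SigningResetModel t3 = new SigningResetModel(key);
        System.out.println("3: " + t3.handle(TREE_CONNECT_ANDX, logonFailure, false));

        // 4. Bad signature on a *successful* session setup is still rejected.
        SigningResetModel t4 = new SigningResetModel(key);
        System.out.println("4: " + t4.handle(SESSION_SETUP_ANDX, 0, false));
    }
}
```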