[jcifs] problem with jCIFS and samba (security=share)

Christopher R. Hertel crh at ubiqx.mn.org
Fri Oct 1 18:00:51 GMT 2004

On Fri, Oct 01, 2004 at 01:26:17PM +0200, s-jacobi at web.de wrote:
> "Michael B Allen"  schrieb am 30.09.04 22:53:35:
> >
> > s-jacobi at web.de said:
> > > hi,
> > >
> > > why do i can't login/access a samba-server that is configured with:
> > > "security=share"
> > > everything works fine with "security=user" but not all of the target
> > > machines
> > > are configured that way.
> > > as i can see from the jcifs-log, that the user "joker" is set to guest!?
> > > guest is not allowed so it fails ...
> >
> > JCIFS does not permit the server to default to the GUEST account if
> > another username is specified. Either you must specify user "guest"
> > explicitly or create the target user on the Samba server with proper
> > credentials (ie. create the user "joker" with the proper credentials).

Just FYI...  Samba does not implement "proper" Share Level security.  Most 
newer CIFS servers don't implement share mode at all, since it's 
depricated.  Here's what Samba does:

In Security=Share mode:

- If the client sends a SMB_COM_SESSION_SETUP_ANDX, Samba will look for a 
  username in that message.  If the username is there, Samba will attempt 
  assume it is the correct username.  It will then gather the password
  credentials from the SMB_COM_TREE_CONNECT_ANDX (it may also check for 
  user mode credentials in the SMB_COM_SESSION_SETUP_ANDX...dunno).

- If the username in the SMB_COM_SESSION_SETUP_ANDX is blank, or if there 
  is no SMB_COM_SESSION_SETUP_ANDX, Samba may jump through some hoops 
  trying to authenticate the user.  It may try guest and/or anonymous 
  authentication (which are two different things).  There are config file 
  tweaks for all of this.

- If user-level authentication (using a valid username in the 
  SMB_COM_SESSION_SETUP_ANDX) fails, then the guest and/or anonymous auth 
  may be tried.

Check the details on all of that, as my memory on the subject is rusty.

Point is, Samba plays games with fields that may or may not be present, 
and there are a whole set of configuration options.  All of these are used 
to "fake" Share Level auth.

There's probably some small, subtle difference in the way jCIFS behaves as 
a Share Level client.

(I know that smbclient will, if no username is specified, default to 
reading the environment for the USER variable, and send that.)

Chris -)-----

> > Mike
> of course i did (guest is undesirable).
> as i said, its working with security=user, and every other cifs-system
> implementation that i know (smbclient, explorer) is abled to access
> this samba server with both security-levels (user/share).
> [security=share]
> smbclient and "exlorer" both need to send the correct password
> for a login.
> but jCIFS dont send the password if share-level-security is
> detected, right?
> if so, why is it required by "explorer" and smbclient ?
> i read some papers, but specialy the part share-level-security
> i have never completely understood, because the chapters
> "a client should ..." and "many clients do ..."
> discribe the opposite.
> i have no idea anymore how to test this misconduct
> (system-security, samba, jCIFS, java, logic, ...)
> ---the code---
> UniAddress mydomaincontroller = UniAddress.getByName( "" );
> NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication( null, "joker", "Password" );
> try {
> SmbSession.logon( mydomaincontoller, mycreds );
> return true;
> } catch( Exception e ) {
> e.printStackTrace();
> }
> ---
> please_help_me
> sven
> _______________________________________________________
> WEB.DE Video-Mail - Sagen Sie mehr mit bewegten Bildern
> Informationen unter: http://freemail.web.de/?mc=021199

More information about the jcifs mailing list