[jcifs] problem with jCIFS and samba (security=share)
Christopher R. Hertel
crh at ubiqx.mn.org
Fri Oct 1 18:00:51 GMT 2004
On Fri, Oct 01, 2004 at 01:26:17PM +0200, s-jacobi at web.de wrote:
> "Michael B Allen" schrieb am 30.09.04 22:53:35:
> >
> > s-jacobi at web.de said:
> > > hi,
> > >
> > > why do i can't login/access a samba-server that is configured with:
> > > "security=share"
> > > everything works fine with "security=user" but not all of the target
> > > machines
> > > are configured that way.
> > > as i can see from the jcifs-log, that the user "joker" is set to guest!?
> > > guest is not allowed so it fails ...
> >
> > JCIFS does not permit the server to default to the GUEST account if
> > another username is specified. Either you must specify user "guest"
> > explicitly or create the target user on the Samba server with proper
> > credentials (ie. create the user "joker" with the proper credentials).
Just FYI... Samba does not implement "proper" Share Level security. Most
newer CIFS servers don't implement share mode at all, since it's
depricated. Here's what Samba does:
In Security=Share mode:
- If the client sends a SMB_COM_SESSION_SETUP_ANDX, Samba will look for a
username in that message. If the username is there, Samba will attempt
assume it is the correct username. It will then gather the password
credentials from the SMB_COM_TREE_CONNECT_ANDX (it may also check for
user mode credentials in the SMB_COM_SESSION_SETUP_ANDX...dunno).
- If the username in the SMB_COM_SESSION_SETUP_ANDX is blank, or if there
is no SMB_COM_SESSION_SETUP_ANDX, Samba may jump through some hoops
trying to authenticate the user. It may try guest and/or anonymous
authentication (which are two different things). There are config file
tweaks for all of this.
- If user-level authentication (using a valid username in the
SMB_COM_SESSION_SETUP_ANDX) fails, then the guest and/or anonymous auth
may be tried.
Check the details on all of that, as my memory on the subject is rusty.
Point is, Samba plays games with fields that may or may not be present,
and there are a whole set of configuration options. All of these are used
to "fake" Share Level auth.
There's probably some small, subtle difference in the way jCIFS behaves as
a Share Level client.
(I know that smbclient will, if no username is specified, default to
reading the environment for the USER variable, and send that.)
Chris -)-----
> > Mike
>
> of course i did (guest is undesirable).
> as i said, its working with security=user, and every other cifs-system
> implementation that i know (smbclient, explorer) is abled to access
> this samba server with both security-levels (user/share).
>
> [security=share]
> smbclient and "exlorer" both need to send the correct password
> for a login.
> but jCIFS dont send the password if share-level-security is
> detected, right?
>
> if so, why is it required by "explorer" and smbclient ?
>
> i read some papers, but specialy the part share-level-security
> i have never completely understood, because the chapters
> "a client should ..." and "many clients do ..."
> discribe the opposite.
>
> i have no idea anymore how to test this misconduct
> (system-security, samba, jCIFS, java, logic, ...)
>
> ---the code---
> UniAddress mydomaincontroller = UniAddress.getByName( "192.168.90.90" );
> NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication( null, "joker", "Password" );
> try {
> SmbSession.logon( mydomaincontoller, mycreds );
> // SUCCESS
> return true;
> } catch( Exception e ) {
> // FAILURE
> e.printStackTrace();
> }
> ---
>
>
> please_help_me
> sven
> _______________________________________________________
> WEB.DE Video-Mail - Sagen Sie mehr mit bewegten Bildern
> Informationen unter: http://freemail.web.de/?mc=021199
>
More information about the jcifs
mailing list