[jcifs] Resolution and Authentication

Michael B Allen mba2000 at ioplex.com
Wed Oct 6 05:01:14 GMT 2004


On Wed, 6 Oct 2004 00:30:27 +0000 (UTC)
Gary <juan_dough at mac.com> wrote:

> I hope this is appropriate for this list.
> 
> We've been using the JCIFS resolution and NTLM authentication
> functionality within an application to verify that a user is who they say
> they are and that they (still) work for our company.  We use public key
> encryption to get login credentials from our client application to our
> server, and from the server we use JCIFS/NTLM to verify the credentials. 
> Users log in with <domain>\<userID> and password. If the user successfully
> authenticates, then the application queries its own database to see if
> the user has rights to use the application.
> 
> There are around 30 or 40 of these systems deployed, in a large
> enterprise across multiple business units and multiple subnets.  Each
> system may have anywhere from 2 to 200 users from various domains
> connecting to the server. The Server is implemented as a Servlet with
> desktop clients  connecting via RMI.
> 
> The Application's properties file has an entry for a local domain
> controller which is used to hobble together a <1B> lookup for a
> controller for the

1b is a local master browser. Do you mean <1C>?

> user's domain in the event that JCIFS can't find one via its normal
> lookup process.  We have had challenges resolving across subnets, but the
> application is important enough that the folks in operations will make
> adjustments to the network until things seem to work.  The network is a
> mixture of NT4 and Win2K
> 
> NT4 is soon to go away and the entire organization will be "Active
> Directory enabled" by the beginning of 2005.  My challenge is to make
> Operations happy. They, of course, want user authentication within our
> application to be completely transparent, with no machine names or IP
> address in the properties file and no adjustments to the network.  I'm
> being told to look at options.
> 
> I'd appreciate any feedback.  Is it possible to use JCIFS host resolution
> and NTLM authentication as described without providing physical address on
> a large multi domain network? Would LDAP be a better choice in the new
> environment?

Let's think about this from two angles. 1) what is the "proper" way to
do this and 2) how would you do this with jcifs.

For 1 I think you would have to use a Java 1.4 LogonModule with
Kerberos provider. I think the client would still need to start with
an address for a KDC and a principal name. I believe this would
be just a DNS name like kdc.mycompany.com and an email alias like
juan at mycompany.com. Unfortunately I don't know a lot about setting
that up and I cannot guarantee that the LogonModules really work with
MS kerberos at this point. And of course it will only work on Windows
clients. Eventually JCIFS is moving in this direction which will enable
transparent authentication from any Java 1.4 capable client and not
just Windows.

For 2 you basically want to lookup the user's domain controller and do a
SmbSession.logon against it. Ideally you want to use WINS to do a 0x1C
lookup for the user's domain and then do SmbSession.logon against that
server. Of course this means you must have a WINS server address (or
preferably multiple addresses) in the client's properties file. If for
some reason you don't want to use WINS, JCIFS can actually authenticate
against any server provided it has a trust relationship with the target
domain. Is the user's workstation a member of the target domain or a
domain that has a trust relationship with the target domain? If so you
could just do:

	SmbSession.logon( UniAddress.getByName( "127.0.0.1" ),
			new NtlmPasswordAuthentication( domain, username, password ) );

If this throws an exception the logon failed. This is nice because it
requires zero configuration. It relies on the local host's configuration.

If this doesn't work for you I think your next best bet is something like:

	UniAddress dc = new UniAddress( NbtAddress.getByName( domain, 0x1c, null ) );
	SmbSession.logon( dc, new NtlmPasswordAuthentication( domain, username, password ) );

But this requires that jcifs.netbios.wins is set. It's very unusual that
a company doesn't have WINS set up.

Otherwise, to be honest, I'm not really sure what it is that you're trying to
do exactly. I don't fully understand what you need "30 to 40 systems" to do.
One instance of JCIFS can efficiently authenticate thousands of users. If
you can make that clearer I can tell you what the optimal setup would
be.

Mike

-- 
Greedo shoots first? Not in my Star Wars.
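The following is an added example, not code from Mike's reply or from the jCIFS project, that wires the two approaches from the reply into one credential check: first the zero-configuration logon through the local host (which only works when that host is a member of the target domain or of a domain that trusts it), then the fallback of locating a domain controller by its 0x1C group name through WINS. It uses the jCIFS 1.x API as shown in the reply (SmbSession.logon, UniAddress, NbtAddress.getByName, NtlmPasswordAuthentication, and the jcifs.netbios.wins property); the WINS addresses, domain, user name and password in main are constructed placeholders. The one point the example adds for operators is to separate "the domain controller rejected the password" (SmbAuthException) from "no domain controller could be reached" (any other SmbException or an unresolved name), since only the first should be reported to the user as a failed login.

```java
import jcifs.Config;
import jcifs.UniAddress;
import jcifs.netbios.NbtAddress;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbException;
import jcifs.smb.SmbSession;
import java.net.UnknownHostException;

/**
 * Validates domain credentials with jCIFS 1.x, as described in the reply above.
 * Added example, not jCIFS project code. All addresses and names are assumed.
 */
public class DomainLogonCheck {

    /** Outcome of a credential check; only BAD_CREDENTIALS is a user-facing failure. */
    public enum Result { OK, BAD_CREDENTIALS, NO_DC_FOUND, ERROR }

    /**
     * Try to validate domain\user:password against a domain controller.
     * winsServers is a comma-separated list for jcifs.netbios.wins and may be
     * null when the local host is already a member of (or trusts) the domain.
     */
    public static Result logon(String winsServers, String domain,
                               String user, String password) {
        if (winsServers != null) {
            // Must be set before jCIFS name services initialize, so do it first.
            Config.setProperty("jcifs.netbios.wins", winsServers);
        }
        NtlmPasswordAuthentication auth =
            new NtlmPasswordAuthentication(domain, user, password);

        // 1) Zero-configuration path: the local host passes the logon to its own
        //    domain controller through the trust relationship.
        try {
            SmbSession.logon(UniAddress.getByName("127.0.0.1"), auth);
            return Result.OK;
        } catch (SmbAuthException e) {
            return Result.BAD_CREDENTIALS;   // a DC answered and rejected the password
        } catch (SmbException e) {
            // not a domain member, no trust, or no SMB service locally: fall through
        } catch (UnknownHostException e) {
            // cannot happen for an IP literal, but getByName declares it
        }

        // 2) Locate a domain controller via the <domain>[1C] group name in WINS.
        UniAddress dc;
        try {
            dc = new UniAddress(NbtAddress.getByName(domain, 0x1c, null));
        } catch (UnknownHostException e) {
            return Result.NO_DC_FOUND;       // jcifs.netbios.wins unset or WINS unreachable
        }
        try {
            SmbSession.logon(dc, auth);
            return Result.OK;
        } catch (SmbAuthException e) {
            return Result.BAD_CREDENTIALS;
        } catch (SmbException e) {
            return Result.ERROR;             // DC found but the logon could not complete
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder values (RFC 5737 test addresses); replace with your own.
        Result r = logon("192.0.2.10,192.0.2.11", "EXAMPLEDOM", "juan", "placeholder-password");
        System.out.println("logon result: " + r);
    }
}
```

NO_DC_FOUND and ERROR are the cases operations should see in the server log, because they mean the application's resolution path is broken rather than that a user typed the wrong password; treating them as login failures hides exactly the cross-subnet problems the original post describes.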
