[jcifs] JCIFS and Locked NT Accounts

Michael B Allen mba2000 at ioplex.com
Sat Oct 16 04:03:02 GMT 2004 

Please send all messages to the jcifs mailing list (unless they contain
sensitive informaiton).

On Fri, 15 Oct 2004 15:32:19 -0400 (EDT)
Mark Lassiter <mlassiter at lassitercg.com> wrote:

> Thank you for the response.  We, however, are not using the NTLMHTTP
> method, but are using JAAS with JBoss.  We wrote our own module using the
> JCIFS code.  During our test, the user entered 5 successive failure
> attempts to lock the account then a successful attempt.  They later logged
> out of the app and NT, tried logging in using the locked account and it
> was indeed locked.  They then logged in using another account, then
> attempted to log into the application using the locked account.  It worked
> even the account was still locked.  So it appears not to be session
> related.
> 

If there is already a session established for a given set of credentials,
JCIFS will not reauthenticate with the server until the session is closed
because of resource pressure or after jcifs.smb.client.soTimeout idle
time. Arguably this is a flaw but currently that's the way it works. So
maybe your successive attempts are not really causing the account to
be locked. Check with user manager tools to verify that the account is
locked. Otherwise get a packet capture of the jcifs authentication that
you claim should fail because the account it locked.

> I wonder if either the JCIFS code does not respect the locked status

JCIFS does not interpret any responses from the server regarding login
failures [1].

> or if, perhaps, our domain controller did not receive the information from
> the PDC?

Donno. I suppose there could be some replication that didn't occur yet.

> I guess I just want to verify that the code SHOULD respect the lock status
> so I don't waste time researching other issues.

Yes. Absolutely it should. When an account is locked out, authentication
should fail with NT_STATUS_ACCOUNT_LOCKED_OUT. JCIFS does not interpret
these errors and will throw an SmbAuthException wherever encountered.

Mike

[1] Although if a session is established as "GUEST" when the username
is not "GUEST" jcifs will trap this condition and artifically throw
an NT_STATUS_LOGON_FAILURE SmbAuthException even though the client
successfully authenticated. But this clearly has nothing to do with the
problem you observe.

-- 
Greedo shoots first? Not in my Star Wars.

More information about the jcifs mailing list