[jcifs] problem with jCIFS and samba (security=share)
Michael B Allen
mba2000 at ioplex.com
Sun Oct 31 04:57:38 GMT 2004
Well I just checked share level access with jcifs against Win98 and it
worked perfectly. I can see the username in the session setup and the
password in the tconn. So from Chris' description below it *should* work
with samba but I don't think I'm going to go chasing it there.
Mike
On Fri, 1 Oct 2004 13:00:51 -0500
"Christopher R. Hertel" <crh at ubiqx.mn.org> wrote:
> On Fri, Oct 01, 2004 at 01:26:17PM +0200, s-jacobi at web.de wrote:
> > "Michael B Allen" wrote on 30.09.04 22:53:35:
> > >
> > > s-jacobi at web.de said:
> > > > hi,
> > > >
> > > > why can't i login/access a samba-server that is configured with:
> > > > "security=share"
> > > > everything works fine with "security=user" but not all of the target
> > > > machines are configured that way.
> > > > as i can see from the jcifs-log, that the user "joker" is set to
> > > > guest!? guest is not allowed so it fails ...
> > >
> > > JCIFS does not permit the server to default to the GUEST account if
> > > another username is specified. Either you must specify user "guest"
> > > explicitly or create the target user on the Samba server with proper
> > > credentials (ie. create the user "joker" with the proper credentials).
>
> Just FYI... Samba does not implement "proper" Share Level security. Most
> newer CIFS servers don't implement share mode at all, since it's
> deprecated. Here's what Samba does:
>
> In Security=Share mode:
>
> - If the client sends a SMB_COM_SESSION_SETUP_ANDX, Samba will look for a
> username in that message. If the username is there, Samba will attempt
> to assume it is the correct username. It will then gather the password
> credentials from the SMB_COM_TREE_CONNECT_ANDX (it may also check for
> user mode credentials in the SMB_COM_SESSION_SETUP_ANDX...dunno).
>
> - If the username in the SMB_COM_SESSION_SETUP_ANDX is blank, or if there
> is no SMB_COM_SESSION_SETUP_ANDX, Samba may jump through some hoops
> trying to authenticate the user. It may try guest and/or anonymous
> authentication (which are two different things). There are config file
> tweaks for all of this.
>
> - If user-level authentication (using a valid username in the
> SMB_COM_SESSION_SETUP_ANDX) fails, then the guest and/or anonymous auth
> may be tried.
>
> Check the details on all of that, as my memory on the subject is rusty.
>
> Point is, Samba plays games with fields that may or may not be present,
> and there are a whole set of configuration options. All of these are used
> to "fake" Share Level auth.
>
> There's probably some small, subtle difference in the way jCIFS behaves as
> a Share Level client.
>
> (I know that smbclient will, if no username is specified, default to
> reading the environment for the USER variable, and send that.)
>
> Chris -)-----
>
> > > Mike
> >
> > of course i did (guest is undesirable).
> > as i said, it's working with security=user, and every other cifs-system
> > implementation that i know (smbclient, explorer) is able to access
> > this samba server with both security-levels (user/share).
> >
> > [security=share]
> > smbclient and "explorer" both need to send the correct password
> > for a login.
> > but jCIFS doesn't send the password if share-level-security is
> > detected, right?
> >
> > if so, why is it required by "explorer" and smbclient ?
> >
> > i read some papers, but especially the part share-level-security
> > i have never completely understood, because the chapters
> > "a client should ..." and "many clients do ..."
> > describe the opposite.
> >
> > i have no idea anymore how to test this misconduct
> > (system-security, samba, jCIFS, java, logic, ...)
> >
> > ---the code---
> > UniAddress mydomaincontroller = UniAddress.getByName( "192.168.90.90" );
> > NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication(
> >         null, "joker", "Password" );
> > try {
> >     SmbSession.logon( mydomaincontroller, mycreds );
> >     // SUCCESS
> >     return true;
> > } catch( Exception e ) {
> >     // FAILURE
> >     e.printStackTrace();
> > }
> > ---
> >
> >
> > please_help_me
> > sven
> >
>
--
Greedo shoots first? Not in my Star Wars.