[jcifs] problem with jCIFS and samba (security=share)

Michael B Allen mba2000 at ioplex.com
Sun Oct 31 04:57:38 GMT 2004


Well I just checked share level access with jcifs against Win98 and it
worked perfectly. I can see the username in the session setup and the
password in the tconn. So from Chris' description below it *should* work
with samba but I don't think I'm going to go chasing it there.

Mike

On Fri, 1 Oct 2004 13:00:51 -0500
"Christopher R. Hertel" <crh at ubiqx.mn.org> wrote:

> On Fri, Oct 01, 2004 at 01:26:17PM +0200, s-jacobi at web.de wrote:
> > "Michael B Allen"  wrote on 30.09.04 22:53:35:
> > >
> > > s-jacobi at web.de said:
> > > > hi,
> > > >
> > > > why can't i login/access a samba-server that is configured with:
> > > > "security=share"
> > > > everything works fine with "security=user" but not all of the target
> > > > machines are configured that way.
> > > > as i can see from the jcifs-log, that the user "joker" is set to
> > > > guest!? guest is not allowed so it fails ...
> > >
> > > JCIFS does not permit the server to default to the GUEST account if
> > > another username is specified. Either you must specify user "guest"
> > > explicitly or create the target user on the Samba server with proper
> > > credentials (ie. create the user "joker" with the proper credentials).
> 
> Just FYI...  Samba does not implement "proper" Share Level security.  Most
> newer CIFS servers don't implement share mode at all, since it's
> deprecated.  Here's what Samba does:
> 
> In Security=Share mode:
> 
> - If the client sends a SMB_COM_SESSION_SETUP_ANDX, Samba will look for a 
>   username in that message.  If the username is there, Samba will attempt
>   to assume it is the correct username.  It will then gather the password
>   credentials from the SMB_COM_TREE_CONNECT_ANDX (it may also check for 
>   user mode credentials in the SMB_COM_SESSION_SETUP_ANDX...dunno).
> 
> - If the username in the SMB_COM_SESSION_SETUP_ANDX is blank, or if there 
>   is no SMB_COM_SESSION_SETUP_ANDX, Samba may jump through some hoops 
>   trying to authenticate the user.  It may try guest and/or anonymous 
>   authentication (which are two different things).  There are config file 
>   tweaks for all of this.
> 
> - If user-level authentication (using a valid username in the 
>   SMB_COM_SESSION_SETUP_ANDX) fails, then the guest and/or anonymous auth 
>   may be tried.
> 
> Check the details on all of that, as my memory on the subject is rusty.
> 
> Point is, Samba plays games with fields that may or may not be present,
> and there is a whole set of configuration options.  All of these are used
> to "fake" Share Level auth.
> 
> There's probably some small, subtle difference in the way jCIFS behaves as
> a Share Level client.
> 
> (I know that smbclient will, if no username is specified, default to 
> reading the environment for the USER variable, and send that.)
> 
> Chris -)-----
> 
> > > Mike
> > 
> > of course i did (guest is undesirable).
> > as i said, it's working with security=user, and every other cifs-system
> > implementation that i know (smbclient, explorer) is able to access
> > this samba server with both security-levels (user/share).
> > 
> > [security=share]
> > smbclient and "explorer" both need to send the correct password
> > for a login.
> > but jCIFS doesn't send the password if share-level-security is
> > detected, right?
> > 
> > if so, why is it required by "explorer" and smbclient ?
> > 
> > i read some papers, but especially the part share-level-security
> > i have never completely understood, because the chapters
> > "a client should ..." and "many clients do ..."
> > describe the opposite.
> > 
> > i have no idea anymore how to test this misconduct
> > (system-security, samba, jCIFS, java, logic, ...)
> > 
> > ---the code---
> > UniAddress mydomaincontroller = UniAddress.getByName( "192.168.90.90" );
> > NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication(
> >     null, "joker", "Password" );
> > try {
> >     SmbSession.logon( mydomaincontroller, mycreds );
> >     // SUCCESS
> >     return true;
> > } catch( Exception e ) {
> >     // FAILURE
> >     e.printStackTrace();
> > }
> > ---
> > 
> > 
> > please_help_me
> > sven
> > 
> 


-- 
Greedo shoots first? Not in my Star Wars.

