[jcifs] SPNEGO and Kerberos

Michael B Allen mba2000 at ioplex.com
Tue Apr 19 17:43:53 GMT 2005

On Tue, 19 Apr 2005 12:04:30 -0500
"Kimberlin, Michael" <Michael.Kimberlin at savvis.net> wrote:

> Ahh, yes...excellent.  Thanks for the direction.
> It looks like quite a lot of functionality is there.  I'll have to take
> some time to weed through it.  Any idea (off the top of your head)
> whether these classes have PAC support?  If not, maybe I'll add that
> in...

The PAC is encrypted with the Domain Controller's secret key so jCIFS
will never have direct "PAC support". We do need the ticket with the
PAC but it's passed to the target (the DC) for it to decrypt and use
the group membership information inside to make access control decisions.

I suspect what you mean is, can jcifs-ext do group membership lookups? The
answer is "yeah, but ...". It uses RAP calls to get group information to
implement isInRole; however, it is limited to 64K transactions, which means
large group lists will fail. Full RAP also will never be integrated into
jCIFS as it is a deprecated technology.

To properly implement group membership functionality it will be necessary
to implement RPC. We have RPC support via Jarapac but I want to implement
Extended Security with Kerberos so that I get a new "proper" security
context model working before I implement all sorts of security related
APIs. However once I do that it's not crystal clear that the builtin
Java 1.4 Kerberos client will support the mechanism necessary to get
the Kerberos ticket with the PAC.

So it's in the works but it's been slow going and there are some questions
remaining about the implementation. If you really want full RPC based
group membership lookups you could piece together the jcifs-ext filter
with the jarapac examples that look up SIDs and make a new package, but
you would have to use NTLM [1].
[1] To do RPCs against the DC you must authenticate with it and to
authenticate with it using Kerberos you need Extended Security which we
do not support. Currently the jcifs-ext filter just communicates with
the KDC directly and not using SMB (thus it has nothing to do with CIFS).

IRC - where men are men, women are men, and the boys are FBI agents.