[jcifs] understanding server challenge change

Tue Apr 26 18:31:06 GMT 2005

Hi Mike,

the thing is, that I am not accessing different servers during 
the applications life time. the problem is rather that the company was testing my
application in a test environment where everything was working
fine. now they want to move to the production environment
and the access fails. So i am trying to figure out what could possibly be
different with the server that they are using in production compared
with the one they were using during the test phase. they say the servers are 
configured the same, though somewehere has to be a difference no?

-----Original Message-----

>
>On Tue, 26 Apr 2005 12:35:58 +0400
>leostone <leostone at mail.ru> wrote:
>
>> Yes, if I use username and password there is no problem accessig the
>> resource, but thats kinda obvious, if the challenge changes, new hashes
>> get calculated. 
>> I don't now if the network explorer works, I am developing for 
>> a third party and don't have access to their systems.
>> So all i can do is, stuff my application with log lines and
>> do remote analysis.  
>> To me it feels like, as if (and here I start swimming lacking smb insight)
>> the created session (does the session start when i request a challenge?) 
>> gets torn down between the call to get the challenge and the access to the
>> resource. i dont know if this is possible, maybe there is a session timout
>> value somewhere set to a very small value or something like that?
>
>Leo,
>
>If you're going to do the NTLM SSP manually you need to understand how
>the tokens are passed back and fourth. There are a few reasons why the
>challenge would "change" although your not clear at all as to how and when
>exactly it changes. I can only guess that you are storing the challenge
>somewhere such that the second server clobbers it with it's challenge.
>
>Also NetworkExplorer is standard in every jCIFS jar. You need only add
>a section to the filter config.
>
>Mike
>
>> -----Original Message-----
>> 
>> >
>> >Please send all messages to the jcifs mailing list so that if other
>> >people are having the same problem they can benifit from our discussion.
>> >
>> >leostone said:
>> >> thanks, but the resource is on the server for wich i get the challenge.
>> >
>> >Then it should work. Does the NetworkExplorer example work?
>> >
>> >Can you manually create an NtlmPasswordAuthentication object and access
>> >the desired resource?
>> >
>> >Mike
>> >
>> >> -----Original Message-----
>> >>
>> >>>
>> >>>On Mon, 25 Apr 2005 21:41:55 +0400
>> >>>leostone <leostone at mail.ru> wrote:
>> >>>
>> >>>> hi, i have some trouble with changing server challenges.
>> >>>> i do SmbSession.getChallenge(ipOfTargetServer), then i feed this
>> >>>> challenge
>> >>>>
>> >>>> to NtlmSsp.authenticate() wich returns an NtlmPasswordAuthentication
>> >>>> object. Next thing i do is creating a SmbFile using this
>> >>>> NtlmPasswordAuthentication object and do a SmbFile.connect();
>> >>>> The trouble is, on a WinXP target server this works, on a Win2K
>> >server>>> the
>> >>>> challenge changes and i get a SmbAuthException from the
>> >>>> SmbFile.connect()
>> >>>> method. Can someone explain what might be going on and how i could
>> >fix>>> it.
>> >>>
>> >>>An NtlmPasswordAuthentication object is only valid with the server
>> >>>from which it's challenge originated. If you wish to access resources
>> >>>on arbirary hosts you must renegotiate NTLMSSP with a challenge for
>> >>>each host.
>> >>>
>> >>>This can be tricky because you usually need to track these credentials
>> >>>separately. See how jcifs.http.NetworkExplorer keeps track of creds
>> >with>>req.getSession().setAttribute( "npa-" + server, ntlm );
>> >>>
>> >>>Mike
>> >>>
>> >>>--
>> >>>IRC - where men are men, women are men, and the boys are FBI agents.
>> >>>
>> >>
>> >>
>> >> _____, _______!  ______ _____ ______ _-______
>> >> http://r.mail.ru/cln2659/agent.mail.ru
>> >>
>> >>
>> >
>> >
>> 
>> 
>> _____ __________ _________ __ ___ ______ _____
>> http://r.mail.ru/cln2670/soft.mail.ru
>> 
>
>
>-- 
>IRC - where men are men, women are men, and the boys are FBI agents.
>

Найди друга в своем городе! Поиск друзей по странам и городам в новой версии М-Агента http://r.mail.ru/cln2660/agent.mail.ru