Apache / jCIFS Collaboration was: Re: [jcifs] Absence of 'automagical' WINS server resolution in jcifs when compared to smb/nmb/winbind

Michael B Allen mba2000 at ioplex.com
Wed Jul 27 01:57:38 GMT 2005


On Tue, 26 Jul 2005 18:07:23 -0400
Enrique Rodriguez <enriquer9 at gmail.com> wrote:

> > Incidentally I've started to develop JAAS infrastructure for Windows
> > integration (actually did this a while ago and stopped to do other
> > things) in the form of a WindowsLoginModule. Currently it just gets
> > the dom/user/pass from the usual places and adds a WindowsPrincipal
> > and Ntlm1Credential but once I get extended security going I plan to
> > have kerberos credentials.
> 
> Very cool.  We created Safehaus to focus on security projects and to 
> start to get interop doco together.  I recently pounded out some HOWTO's 
> on using my KDC with Windows machines.  We have an 
> open-source/non-profit license for the Confluence wiki and that is 
> making doco much easier.
> 
> http://docs.safehaus.org/display/TRIPLESEC/HOWTO+Login+to+Windows+2003+with+TripleSec+on+Linux+as+the+KDC

Nice. So do you have serious KDC functionality for Windows clients or
is this mostly proof of concept right now?

Did you ever find (or implement) an RC4-HMAC implementation?

Regardless, I think I'm going to have to try this. It would be very
handy if I could run a Windows friendly KDC on my Linux box while I work
out jCIFS Kerberos support (through my W2K laptop joined to said KDC)
before I turn it loose on the real thing.

> ... and ...
> 
> http://docs.safehaus.org/display/TRIPLESEC/Overview+of+TripleSec+logs

You look like you're making some real progress!

> > So naturally I'm wondering if we should be coordinating a little
> > here. We've both developed our own ASN1 and SPNEGO code and probably
> > some form of WindowsPrincipal. I guess I shouldn't bother to mention
> > this until I'm ready to release some code but I thought I'd mention it.
> 
> Exactly.  I didn't really have a specific area of coordination in mind, 
> but this is what I was getting at.  We've overlapped on ASN.1 and 
> SPNEGO, a bunch of us at Apache/Safehaus would like to see a CIFS server 
> in Java, and I'm going to start focusing more on Windows interop.  I'm 
> working on trust relationships right now and I'll be on SASL support for 
> LDAP next, in preparation for SASL/GSSAPI (Kerberos V5) for Apache 
> Directory.  After that I'd like to tie in webapps with SPNEGO and get 
> the doco for the whole stack much much tighter.

Actually it's funny - aside from the relatively simple bits already
mentioned I can't think of a really significant overlap between our
codebases. If you used JAAS's Subject based security apparatus as your
object model internally we might stumble on some neat collaborations but
I don't suppose you have any other really compelling reason to do that
(and it might even cause you grief). You could use Jarapac with JCIFS
transport to "replicate" group membership for encoding PACs although I
suppose there are other ways to get that. No clear overlap ... mmm.

Mike

PS: I read RFC1510 about five times over on the train to/from the city
a while ago. What a nicely written RFC. Kerberos is a nice protocol. I'm
looking forward to working with it.

