[jcifs] Account locks in AD - is this a BUG with JCIFS?

Tapperson Kevin Kevin.Tapperson at hcahealthcare.com
Fri Jun 24 18:18:25 GMT 2005


We have seen that jcifs will cause accounts to be locked out under the following conditions:

1) jcifs is running with jcifs.smb.lmCompatibility set to 3 or higher
2) a client pc is running with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel set to 0, 1 or 2
3) the user does not have an LM hash in Active Directory (there are a couple of ways to set this up)

In this case, the client browser sends an NTLM (v1) authentication response.  Because jcifs is running with lmCompatibility set to 3, it removes the NT portion of the response (as it assumes it is an NTLMv2 hash which it cannot handle).  This then leaves only the LM hash to be forwarded to the domain controller.  If the domain controller does not have an LM hash for the user, it will reject the authentication request.  Do this 3 times and the account will be locked.

OR

1) jcifs is running with jcifs.smb.lmCompatibility set to 0, 1 or 2
2) a client pc is running with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel set to 3 or higher

In this case, the client browser sends an NTLMv2 authentication response.  With jcifs running with lmCompatibility set to 0, 1 or 2, it will forward both the NTLMv2 and LMv2 hashes to the domain controller (making the assumption that they are NTLM v1 hashes).  The NTLMv2 response will not match the domain controller's version of the hash and access will be denied.  Again, do this 3 times and the account will be locked.

I think I had previously posted a fix for this problem.  The jcifs.ntlmssp.Type3Message.parse method can be changed as follows:

remove this line:
        if (LM_COMPATIBILITY < 3) setNTResponse(ntResponse);
add this line in its place:
        // NTLMv2 issues w/cross-domain authentication; leave NT empty if NTLMv2 was sent by the client
        // NTLM response will always be 24 bytes; NTLMv2 response will always be longer
        if (ntResponse.length == 24) setNTResponse(ntResponse);

The above code detects whether the user is sending an NTLMv1 or NTLMv2 response and acts appropriately (by only removing the NTLMv2 hash).  It takes care of both cases as described above.


-----Original Message-----
From: jcifs-bounces+kevin.tapperson=hcahealthcare.com at lists.samba.org
[mailto:jcifs-bounces+kevin.tapperson=hcahealthcare.com at lists.samba.org]
On Behalf Of Michael B Allen
Sent: Friday, June 24, 2005 12:42 PM
To: Tazwell Jeffries
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Account locks in AD - is this a BUG with JCIFS?


On Fri, 24 Jun 2005 14:13:04 +0100
"Tazwell Jeffries" <taswell.jeffries at perspicuity.co.uk> wrote:

> HI,
> We have implemented Single SignOn for one of our WebApplications - and we found that when we tried implementing it - we got a large number of accounts locked out in AD.
>  
> The version of JCIFS that was used is 1.1.11.

Post your filter section from your web.xml and any exceptions you have
in your log.

Mike


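The two lockout scenarios and the proposed 24-byte test, worked through as an added example. This is not jcifs code and not code from anyone in the thread; it is written in Python rather than Java so it runs stand-alone. It builds NTLMSSP Type 3 (AUTHENTICATE) messages for an NTLMv1-style client and an NTLMv2 client, parses the security buffers the way a server-side filter such as jcifs' Type3Message.parse has to, and compares the original rule (keep the NT response only when LM_COMPATIBILITY < 3) with the length-based rule. Assumptions: the NT hash, challenges and the NTLMv1 responses are constructed placeholders (real NTLMv1 needs DES, which the standard library lacks); the NTLMv2 and LMv2 responses are computed with HMAC-MD5 as MS-NLMP 3.3.2 specifies; the user, domain and workstation names are made up.

```python
"""Added example, not jcifs code: build NTLMSSP Type 3 messages carrying
NTLMv1-shaped and NTLMv2 responses, parse them, and compare the original
jcifs 1.1.x rule (NT response kept only when LM_COMPATIBILITY < 3) with the
length-based rule proposed in the thread. NT hash, challenges and NTLMv1
responses are constructed placeholders; NTLMv2/LMv2 use real HMAC-MD5."""
import hashlib
import hmac
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
TYPE3 = 3
HEADER_LEN = 64  # signature, type, six security buffers, flags (no Version/MIC)


def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntowf2, server_challenge, blob):
    """NtChallengeResponse = NTProofStr || blob; always 16 + len(blob) > 24 bytes."""
    proof = hmac.new(ntowf2, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def lmv2_response(ntowf2, server_challenge, client_challenge):
    """LmChallengeResponse = HMAC-MD5(NTOWFv2, SC || CC) || CC: 24 bytes, same length as LM."""
    return hmac.new(ntowf2, server_challenge + client_challenge, hashlib.md5).digest() + client_challenge


def ntlmv2_blob(timestamp, client_challenge, domain):
    """NTLMv2_CLIENT_CHALLENGE with one MsvAvNbDomainName AV pair and an EOL pair."""
    d = domain.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(d)) + d + struct.pack("<HH", 0, 0)
    return struct.pack("<BBHI", 1, 1, 0, 0) + timestamp + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4


def build_type3(lm_resp, nt_resp, domain, user, workstation, flags=0x00088205):
    """Serialise a Type 3 message: fixed header of security buffers, then the payload."""
    fields = [lm_resp, nt_resp, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    bufs, payload, offset = b"", b"", HEADER_LEN
    for f in fields:
        bufs += struct.pack("<HHI", len(f), len(f), offset)  # Len, MaxLen, Offset
        payload += f
        offset += len(f)
    return NTLMSSP_SIGNATURE + struct.pack("<I", TYPE3) + bufs + struct.pack("<I", flags) + payload


def parse_type3(msg):
    """Read the security buffers, bounds-checking each offset before slicing."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != TYPE3:
        raise ValueError("not an NTLMSSP Type 3 message")

    def read(pos):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
        if off + length > len(msg):
            raise ValueError("security buffer points outside the message")
        return msg[off:off + length]

    return {"lm": read(12), "nt": read(20), "domain": read(28).decode("utf-16-le"),
            "user": read(36).decode("utf-16-le"), "workstation": read(44).decode("utf-16-le")}


def is_ntlmv2(parsed):
    """An NTLMv1 NT response is exactly 24 bytes; an NTLMv2 response is always longer."""
    return len(parsed["nt"]) > 24


def forwarded_original(parsed, lm_compatibility):
    """Original jcifs rule as described in the thread: NT kept only if LM_COMPATIBILITY < 3."""
    return parsed["lm"], parsed["nt"] if lm_compatibility < 3 else b""


def forwarded_fixed(parsed):
    """Proposed rule: keep the NT response only when it is a 24-byte NTLMv1 response."""
    return parsed["lm"], parsed["nt"] if len(parsed["nt"]) == 24 else b""


def lockout_case(parsed, lm_compatibility, user_has_lm_hash):
    """Which of the two lockout scenarios in the message the original rule hits (None if neither)."""
    _lm, nt = forwarded_original(parsed, lm_compatibility)
    if not is_ntlmv2(parsed) and nt == b"" and not user_has_lm_hash:
        return 1  # v1 client, NT dropped, LM-only logon, no LM hash stored for the user
    if is_ntlmv2(parsed) and nt != b"":
        return 2  # v2 client, NTLMv2 response forwarded as though it were NTLMv1
    return None


# Constructed sample inputs (not real credentials or captured traffic).
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = b"\xaa" * 8
TIMESTAMP = struct.pack("<Q", 0x01C5790000000000)
NTOWF2 = ntowf_v2(NT_HASH, "kevin", "EXAMPLE")
BLOB = ntlmv2_blob(TIMESTAMP, CLIENT_CHALLENGE, "EXAMPLE")
# Client at lmcompatibilitylevel 0-2: LM and NTLMv1 responses, both 24 bytes (placeholders).
SAMPLE_V1 = build_type3(b"\x11" * 24, b"\x22" * 24, "EXAMPLE", "kevin", "PC1")
# Client at lmcompatibilitylevel 3+: LMv2 (24 bytes) and NTLMv2 (longer).
SAMPLE_V2 = build_type3(lmv2_response(NTOWF2, SERVER_CHALLENGE, CLIENT_CHALLENGE),
                        ntlmv2_response(NTOWF2, SERVER_CHALLENGE, BLOB), "EXAMPLE", "kevin", "PC1")

if __name__ == "__main__":
    for name, msg in (("NTLMv1 client", SAMPLE_V1), ("NTLMv2 client", SAMPLE_V2)):
        p = parse_type3(msg)
        print(name, "NT len", len(p["nt"]), "v2" if is_ntlmv2(p) else "v1",
              "original@3 drops NT:", forwarded_original(p, 3)[1] == b"",
              "fixed drops NT:", forwarded_fixed(p)[1] == b"")
```

Two points worth keeping in mind when applying the 24-byte test: the LMv2 response is also 24 bytes (16-byte HMAC plus the 8-byte client challenge), so the check has to be made on the NT buffer, never on the LM buffer; and because it keys off the message the client actually sent, the decision no longer depends on the server's own lmCompatibility setting, which is exactly what the mismatch in both scenarios above comes down to. The parser also rejects security buffers whose offset and length run past the end of the message, a check any filter that slices client-supplied NTLMSSP messages should make.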