[jcifs] RE: FW: ntlm_auth integrated with Tomcat5 filter
Richard Caper
rcaper at gmail.com
Thu Mar 17 19:38:02 GMT 2005
> Good point. I'll keep this in mind but I think the "no trusted third
> party" scenario is limited to certain domain administrative functions like
> establishing trusts, replication, and so on so still I don't think NTLMv2
> is a high priority. Also I think we would need to implement NETLOGON w/
> SecureChannel to cover the "no trusted third party" scenario so the
> return on investment isn't compelling.
>
One more common scenario would be using SmbFile accessing a file on
server MYSERVER, using a local account on MYSERVER (i.e.
"MYSERVER\user" rather than a domain account like "MYDOMAIN\user").
As the KDC has no knowledge of the machine local users on MYSERVER,
NTLM must be used.
If MYSERVER has LMCompatibilityLevel = 5, NTLMv2 would need to be
used; but as far as I can tell this works currently with the existing
LMv2 support. I thought you were saying jCIFS 2.0 would only use
Kerberos (no NTLM at all, v2 or v1).

> A separate Filter could still call on jCIFS as an external library to
> handle NTLM authentication. I'm just saying because everyone is rapidly
> moving to Kerberos it makes less sense to ship it with jCIFS. It should
> be shipped and supported separately and only call upon jCIFS as necessary
> to support the occasional NTLM client (just like Wedgetail).
>
Makes sense.
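
For reference, an added sketch (not part of the original message and not jCIFS code) of how an LMv2 response is computed and then checked by the server that holds the account's NT hash, which is why a local account such as "MYSERVER\user" needs no third party. The function names are hypothetical; the sample values are the worked example published in the MS-NLMP specification.

```python
import hashlib
import hmac


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE)."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def lmv2_response(v2_key: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """24-byte LMv2 response: 16-byte HMAC-MD5 proof followed by the 8-byte client challenge."""
    if len(server_challenge) != 8 or len(client_challenge) != 8:
        raise ValueError("challenges must be 8 bytes each")
    proof = hmac.new(v2_key, server_challenge + client_challenge, hashlib.md5).digest()
    return proof + client_challenge


def verify_lmv2(nt_hash: bytes, user: str, domain: str,
                server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash and compare in constant time."""
    if len(response) != 24:
        return False
    client_challenge = response[16:]  # sent in the clear by the client
    expected = lmv2_response(ntowf_v2(nt_hash, user, domain),
                             server_challenge, client_challenge)
    return hmac.compare_digest(expected, response)


# Sample values from the MS-NLMP worked example (user "User", domain "Domain",
# password "Password"); the NT hash is given directly so no MD4 code is needed.
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")

if __name__ == "__main__":
    key = ntowf_v2(NT_HASH, "User", "Domain")
    resp = lmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE)
    print("NTLMv2 key   :", key.hex())
    print("LMv2 response:", resp.hex())
    print("accepted     :", verify_lmv2(NT_HASH, "User", "Domain", SERVER_CHALLENGE, resp))
    # The account's domain/machine name is part of the key, so a wrong name fails.
    print("wrong domain :", verify_lmv2(NT_HASH, "User", "OTHER", SERVER_CHALLENGE, resp))
```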