[jcifs] RE: FW: ntlm_auth integrated with Tomcat5 filter

Michael B Allen mba2000 at ioplex.com
Fri Mar 18 00:09:05 GMT 2005


Richard Caper said:
>> Good point. I'll keep this in mind but I think the "no trusted third
>> party" scenario is limited to certain domain administrative functions
>> like establishing trusts, replication, and so on so still I don't think
>> NTLMv2 is a high priority. Also I think we would need to implement
>> NETLOGON w/ SecureChannel to cover the "no trusted third party" scenario
>> so the return on investment isn't compelling.
>>
>
> One more common scenario would be using SmbFile accessing a file on
> server MYSERVER, using a local account on MYSERVER (i.e.
> "MYSERVER\user" rather than a domain account like "MYDOMAIN\user").
> As the KDC has no knowledge of the machine local users on MYSERVER,
> NTLM must be used.

Good point again. I guess this is the most compelling reason to support
NTLM in full.

> If MYSERVER has LMCompatibilityLevel = 5, NTLMv2 would need to be
> used; but as far as I can tell this works currently with the existing
> LMv2 support.

Yeah, if you're just logging in with a local account I don't think
NETLOGON / Secure Channel is necessary so existing NTLMv1 and LMv2 support
should be ok. Actually I think the reason we don't support NTLMv2 is
because we would need to do NETLOGON / Secure Channel to get the plaintext
equivalent password hashes (Eric G. did the work so I don't recall the
details). So if one joins the domain using Kerberos that might give us the
necessary keys to do NTLMv2 properly. Mmm ...

> I thought you were saying jCIFS 2.0 would only use
> Kerberos (no NTLM at all, v2 or v1).

I said we would "very likely not support NTLMv2 because it was obsoleted
by Kerberos". As you've pointed out the obsoleted part is not really true
and I don't know about "very" anymore if we can get the necessary hashes
without doing NETLOGON / SecureChannel. The API is going to change though.

I think the plan remains the same though - do Kerberos and hobble along
with what NTLM support we have and see what happens....

Mike

