[jcifs] RE: FW: ntlm_auth integrated with Tomcat5 filter

Richard Caper rcaper at gmail.com
Fri Mar 18 01:09:24 GMT 2005


> Yeah, if you're just logging in with a local account I don't think
> NETLOGON / Secure Channel is necessary so existing NTLMv1 and LMv2 support
> should be ok. Actually I think the reason we don't support NTLMv2 is
> because we would need to do NETLOGON / Secure Channel to get the plaintext
> equivalent password hashes (Eric G. did the work so I don't recall the
> details). So if one joins the domain using Kerberos that might give us the
> necessary keys to do NTLMv2 properly. Mmm ...
>

I did some Googling and came up with these entries:


http://lists.samba.org/archive/jcifs/2003-September/002557.html
http://lists.samba.org/archive/jcifs/2003-September/002564.html
http://lists.samba.org/archive/jcifs/2003-July/002282.html
http://lists.samba.org/archive/jcifs/2004-March/003127.html


Someone with more understanding of this stuff could probably grasp it
better; it seems that the LMv2 can be built without extended security
whereas NTLMv2 needs information that is only in that.  From what I
have read Kerberos needs extended security too, so maybe NTLMv2 would
not be too hard (if it is already there)?

It also seems to say that LMv2 may not work when accessing resources
in a different domain or using local accounts.  The latter seems to
work fine for me but I don't know about the former (as I only have one
domain).
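
The structural difference discussed in this thread, as an added example (not jcifs code and not part of the original post). Following the publicly documented NTLMv2 scheme, the LMv2 response is computed from the 8-byte server challenge alone, while the NTLMv2 response also covers a blob carrying a timestamp and the server's target information. The NT hash, account and domain names, challenges, timestamp and target info below are constructed sample values.

```python
import hmac
import struct

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, "md5").digest()

def lmv2_response(v2_hash: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    """LMv2: needs only the 8-byte server challenge. Always 24 bytes."""
    mac = hmac.new(v2_hash, server_chal + client_chal, "md5").digest()
    return mac + client_chal

def av_pair(av_id: int, value: bytes) -> bytes:
    """One target-information entry: 16-bit id, 16-bit length, value."""
    return struct.pack("<HH", av_id, len(value)) + value

def ntlmv2_response(v2_hash, server_chal, client_chal, filetime, target_info):
    """NTLMv2: the MAC also covers a blob with timestamp and target info."""
    blob = (b"\x01\x01\x00\x00\x00\x00\x00\x00"   # blob signature + reserved
            + struct.pack("<Q", filetime)          # 100 ns ticks since 1601
            + client_chal
            + b"\x00" * 4
            + target_info                          # copied from the server's challenge message
            + b"\x00" * 4)
    mac = hmac.new(v2_hash, server_chal + blob, "md5").digest()
    return mac + blob

# Constructed sample values (not taken from any real exchange)
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHAL = bytes.fromhex("0123456789abcdef")
CLIENT_CHAL = bytes.fromhex("1122334455667788")
FILETIME = 127_555_000_000_000_000
TARGET_INFO = (av_pair(2, "EXAMPLEDOM".encode("utf-16-le"))   # NetBIOS domain name
               + av_pair(1, "FILESRV".encode("utf-16-le"))    # NetBIOS server name
               + av_pair(0, b""))                             # terminator

if __name__ == "__main__":
    key = ntowf_v2(NT_HASH, "alice", "EXAMPLEDOM")
    print("LMv2  ", lmv2_response(key, SERVER_CHAL, CLIENT_CHAL).hex())
    print("NTLMv2", ntlmv2_response(key, SERVER_CHAL, CLIENT_CHAL,
                                    FILETIME, TARGET_INFO).hex())
```
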

