[jcifs] RE: FW: ntlm_auth integrated with Tomcat5 filter

Michael B Allen mba2000 at ioplex.com
Fri Mar 18 02:11:39 GMT 2005


Richard Caper said:
>> Yeah, if you're just logging in with a local account I don't think
>> NETLOGON / Secure Channel is necessary so existing NTLMv1 and LMv2
>> support should be ok. Actually I think the reason we don't support
>> NTLMv2 is because we would need to do NETLOGON / Secure Channel to get
>> the plaintext equivalent password hashes (Eric G. did the work so I
>> don't recall the details). So if one joins the domain using Kerberos
>> that might give us the necessary keys to do NTLMv2 properly. Mmm ...
>>
>
> I did some Googling and came up with these entries:
>
>
> http://lists.samba.org/archive/jcifs/2003-September/002557.html
> http://lists.samba.org/archive/jcifs/2003-September/002564.html
> http://lists.samba.org/archive/jcifs/2003-July/002282.html
> http://lists.samba.org/archive/jcifs/2004-March/003127.html

Yeah, it sounds like the real problem with NTLMv2 is getting the
TargetInformation structure. That is available through extended security.
I actually have all of Eric's code and notes so I think it will be pretty
straightforward to add NTLMv2.

I'm working on extended security right now. Actually I'm off on a little
tangent rewriting the transport layer but once that's out of the way
extended security is next. But stiiillll I think the plan should be to get
everything else working with Kerberos first. By then NTLMv2 will probably
be a relatively simple addition.

Mike
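
Added example, not part of the original message and not jCIFS code: a Python sketch of why the TargetInformation structure matters for NTLMv2, since the server-supplied AV_PAIR list is hashed into the response blob. The function names are hypothetical, and the sample inputs are the published MS-NLMP NTLMv2 test values (user "User", domain "Domain", password "Password", server "Server").

```python
import hmac
import struct

# AV_PAIR ids defined by MS-NLMP
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2

def build_target_info(pairs):
    """Encode (AvId, text) pairs as AV_PAIRs and append the MsvAvEOL terminator."""
    out = b""
    for av_id, text in pairs:
        data = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(data)) + data
    return out + struct.pack("<HH", MSV_AV_EOL, 0)

def parse_target_info(buf):
    """Return [(AvId, raw value bytes)]; reject truncated or unterminated input."""
    pairs, off = [], 0
    while off + 4 <= len(buf):
        av_id, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        if off + length > len(buf):
            raise ValueError("AV_PAIR length runs past end of buffer")
        pairs.append((av_id, buf[off:off + length]))
        off += length
    raise ValueError("TargetInformation has no MsvAvEOL terminator")

def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key: HMAC-MD5 over UTF-16LE(upper(user) + domain), keyed by the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def ntlmv2_response(nt_hash, user, domain, server_challenge,
                    client_challenge, timestamp, target_info):
    """Return NTProofStr (16 bytes) followed by the blob that embeds target_info."""
    parse_target_info(target_info)  # refuse a malformed structure from the server
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, "md5").digest()
    return proof + blob

# Sample inputs: published MS-NLMP test values (NT hash of "Password", time 0)
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = b"\xaa" * 8
TARGET_INFO = build_target_info([(MSV_AV_NB_DOMAIN_NAME, "Domain"),
                                 (MSV_AV_NB_COMPUTER_NAME, "Server")])
```

Without the server's TargetInformation bytes the client cannot build the blob, so no valid NTProofStr can be computed; any change to those bytes changes the proof.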

