[jcifs] SMB signing without a WINS server

Michael B Allen mba2000 at ioplex.com
Fri Sep 16 19:13:25 GMT 2005


On Fri, 16 Sep 2005 09:51:31 +0200
Jeroen ter Voorde <j.tervoorde at home.nl> wrote:

> Hi Mike,
> 
> Sorry it took me so long to create the captures. The reason is that, 
> while creating them, at one point the setup without the wins
> server actually worked. I've tried creating a capture of that too to no 
> avail yet. Anyway here are the captures and debug logs
> of the (successful) WINS setup and (failed) no-WINS setup. I'll keep 
> trying to capture a successful no-wins authentication.

Ok, now we're getting somewhere. I see what the problem is. Actually
there are two problems.

First, I don't think there's actually any problem with SMB signing.
It's just that the status code of the message is being checked *after*
verifying the signature so either we're checking the signature for
errant messages incorrectly (doubt it) or the signature is really wrong
in errant responses and MS never noticed or cared because all MS clients
tested bail out before even checking the signature (which is retarded
BTW). Whatever the case I think this can be fixed by simply bypassing
the signature verification if the message is in error (again, this is
retarded but that seems to be the way MS wants it).

Second, the TreeConnectAndX commands in your two captures are using
different server names in the tconn paths. With WINS the tconn path
is \\QOLINTERN\IPC$. But without WINS, jCIFS resorts to finding the
tconn server name using a NetBIOS node status. This results in using
\\VM_2003_SERVER\IPC$ which produces Access Denied. Actually the initial
tconn is successful but the second for authenticating the NTLM HTTP
user QOLINTERN\hans fails. This is a little odd but I suspect it has to
do with virtual hosting or some kind of aliasing. As for the solution,
I'm not sure. The current JCIFS does assume NetBIOS is used for name
services. The correct solution would be to change SmbSession.java to use
JNDI to look up domain controllers using DNS SRV records. See this message:

  http://lists.samba.org/archive/jcifs/2005-September/005431.html

There's also another message in that thread by me that suggests how one
might change the code. Unfortunately I really don't have the resources
to make this change and I would not risk incorporating it into a stable
release right now anyway. So either make the change yourself and share
with others to make it robust or stick to the prescribed config and
use WINS.

Mike

