[jcifs] SMB signing without a WINS server

Michael B Allen mba2000 at ioplex.com
Wed Sep 21 05:26:52 GMT 2005


I have applied the fix for the signature failure exception. Note that
this does not solve this no-WINS problem; it just eliminates the bogus
error (you'll probably get Access Denied now instead).

Mike

On Fri, 16 Sep 2005 15:13:25 -0400
Michael B Allen <mba2000 at ioplex.com> wrote:

> On Fri, 16 Sep 2005 09:51:31 +0200
> Jeroen ter Voorde <j.tervoorde at home.nl> wrote:
> 
> > Hi Mike,
> > 
> > Sorry it took me so long to create the captures. The reason is that, 
> > while creating them, at one point the setup without the wins
> > server actually worked. I've tried creating a capture of that too to no 
> > avail yet. Anyway here are the captures and debug logs
> > of the (successful) WINS setup and (failed) no-WINS setup. I'll keep 
> > trying to capture a successful no-wins authentication.
> 
> Ok, now we're getting somewhere. I see what the problem is. Actually
> there are two problems.
> 
> First, I don't think there's actually any problem with SMB signing.
> It's just that the status code of the message is being checked *after*
> verifying the signature so either we're checking the signature for
> errant messages incorrectly (doubt it) or the signature is really wrong
> in errant responses and MS never noticed or cared because all MS clients
> tested bail out before even checking the signature (which is retarded
> BTW). Whatever the case I think this can be fixed by simply bypassing
> the signature verification if the message is in error (again, this is
> retarded but that seems to be the way MS wants it).
> 
> Second, the TreeConnectAndX commands in your two captures are using
> different server names in the tconn paths. With WINS the tconn path
> is \\QOLINTERN\IPC$. But without WINS, jCIFS resorts to finding the
> tconn server name using a NetBIOS node status. This results in using
> \\VM_2003_SERVER\IPC$ which produces Access Denied. Actually the initial
> tconn is successful but the second for authenticating the NTLM HTTP
> user QOLINTERN\hans fails. This is a little odd but I suspect it has to
> do with virtual hosting or some kind of aliasing. As for the solution,
> I'm not sure. The current JCIFS does assume NetBIOS is used for name
> services. The correct solution would be to change SmbSession.java to use
> JNDI to lookup domain controllers using DNS SVR records. See this message:
> 
>   http://lists.samba.org/archive/jcifs/2005-September/005431.html
> 
> There's also another message in that thread by me that suggests how one
> might change the code. Unfortunately I really don't have the resources
> to make this change and I would not risk incorporating it into a stable
> release right now anyway. So either make the change yourself and share
> with others to make it robust or stick to the prescribed config and
> use WINS.
> 
> Mike
> 
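
A sketch of the DNS-based domain controller lookup suggested in the quoted message, as an added example that is not part of the original thread or of jCIFS. The class name `DcLocator`, the `example.com` hosts and the ordering helper are assumptions made for illustration; the query uses the JDK's JNDI DNS provider and the `_ldap._tcp.dc._msdcs.<DNS domain>` SRV name that Active Directory registers for its domain controllers (requires Java 16+ for records).

```java
import java.util.*;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class DcLocator { // hypothetical class name, not part of jCIFS
    /** One parsed SRV record; the rdata text is "priority weight port target." */
    record Srv(int priority, int weight, int port, String host) {}

    static Srv parse(String rdata) {
        String[] f = rdata.trim().split("\\s+");
        if (f.length != 4) throw new IllegalArgumentException("bad SRV rdata: " + rdata);
        // Drop the trailing root dot so the name can be used directly as a server name.
        String host = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        return new Srv(Integer.parseInt(f[0]), Integer.parseInt(f[1]), Integer.parseInt(f[2]), host);
    }

    /** Lowest priority first, then highest weight (a simplification of RFC 2782's weighted choice). */
    static List<Srv> order(List<String> rdata) {
        List<Srv> out = new ArrayList<>();
        for (String r : rdata) out.add(parse(r));
        out.sort(Comparator.comparingInt(Srv::priority)
                .thenComparing(Srv::weight, Comparator.reverseOrder()));
        return out;
    }

    /** Live lookup of domain controller SRV records for a DNS domain name. */
    static List<String> lookup(String dnsDomain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        DirContext ctx = new InitialDirContext(env);
        try {
            Attribute srv = ctx.getAttributes("_ldap._tcp.dc._msdcs." + dnsDomain,
                    new String[] {"SRV"}).get("SRV");
            List<String> out = new ArrayList<>();
            for (int i = 0; srv != null && i < srv.size(); i++) out.add((String) srv.get(i));
            return out;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample records, used when no domain is given on the command line.
        List<String> sample = List.of("10 50 389 dc-backup.example.com.",
                "0 100 389 dc1.example.com.", "0 200 389 dc2.example.com.");
        for (Srv s : order(args.length > 0 ? lookup(args[0]) : sample))
            System.out.println(s.priority() + " " + s.weight() + " " + s.host() + ":" + s.port());
    }
}
```

The lookup takes the DNS domain name, not a NetBIOS domain name such as QOLINTERN, so a deployment would still need a mapping from one to the other.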

