[jcifs] Fail-over capability with WINS

Michael B Allen mba2000 at ioplex.com
Fri Dec 1 16:05:10 GMT 2006


Mmm, nice job. This looks clean enough that I might drop this into the
next release (not 1.2.11 final though).

Two minor things though.

1) There is one reason not to use dc._msdcs. If the local DNS server is
actually a slave for a MS DNS server, those records will not be propagated
in an AXFR zone transfer.

2) Using jcifs.smb.client.domain isn't conceptually correct
since that property has always meant the nETBIOSName of the
domain and not the dnsRoot. A more correct method would be to do
InetAddress.getLocalHost().getCanonicalHostName() and then repeatedly try
to resolve successively shorter domain names (e.g. a.b.c.d.example.com,
b.c.d.example.com, c.d.example.com, ...). However, since Sun's
Krb5LoginModule does not do this (which is one of a number of
flaws in Sun's Kerberos code) it would not be unreasonable to use
java.security.krb5.realm. Or, you could use a new property to specify the
full SRV lookup name which would also provide recourse for any possible
issue related to 1.

But these issues are very minor and based on user experiences, there
might be other adjustments so I won't change anything for now. I put
it in the patches directory.

Thanks,
Mike

On Fri, 1 Dec 2006 07:27:12 -0500
"Eric Glass" <eric.glass at gmail.com> wrote:

> > Go for it. I recommend using JNDI to do an SRV lookup for
> > _ldap._tcp.example.com to get the list of DCs. Then post a patch and
> > we'll drop it in the patches directory. I'm sure it would be appreciated.
> >
> 
> Here it is (patch against 1.2.11b).  This actually does a SRV lookup
> against "_ldap._tcp.dc._msdcs.example.com" (to further qualify the
> results as domain controllers rather than just LDAP servers, although
> in practice it probably wouldn't make a difference).
> 
> This kicks in when SmbSession.getChallengeForDomain() is called; if no
> WINS server is configured (NbtAddress.getWINSAddress() returns null),
> then the DNS SRV lookup is performed against the domain specified in
> "jcifs.smb.client.domain", and the DC list is populated from the
> result.  Obviously in this case jcifs.smb.client.domain would need to
> specify a DNS-style domain (e.g. "example.com") rather than
> NetBIOS-style ("EXAMPLE").  You would also need to specify
> jcifs.http.loadBalance=true for the NtlmFilter configuration (which
> makes sense, since if you weren't load balancing the domain
> controllers you wouldn't really need this functionality for the filter
> anyway).
> 
> This has a slight side effect on preauthentication/signing, as that
> also uses the jcifs.smb.client.domain property; the preauthentication
> would be done against the DNS-style domain name rather than NetBIOS
> style (i.e. authenticating as "example.com\username" rather than
> "EXAMPLE\username").  This should work fine though (it does for me);
> any domain controller listed in the SRV results is going to be Win2K+,
> and should support the DNS-style domain name for NTLM authentication.
> 
> 
> Eric
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
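The DC discovery discussed in this thread, written out as a stand-alone added example (this is not jcifs code and not Eric's patch): a JNDI DNS SRV lookup for `_ldap._tcp.dc._msdcs.<domain>`, ordered by RFC 2782 priority and weight, with two things Mike raises folded in. First, if the `dc._msdcs` name does not resolve (point 1, a secondary DNS server that never received those records), it falls back to plain `_ldap._tcp.<domain>`. Second, instead of reading the DNS domain from `jcifs.smb.client.domain`, it can derive candidate domains by walking successively shorter suffixes of `InetAddress.getLocalHost().getCanonicalHostName()` (point 2). The class name `DcSrvLookup`, the `SrvRecord` holder and the fallback policy are this example's own choices; the JNDI provider, property names and the textual SRV format `"priority weight port target."` are the JDK's.

```java
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example (hypothetical class, not part of jcifs): locate DCs via DNS SRV records. */
public final class DcSrvLookup {

    /** One SRV record: priority, weight, port and target host. */
    public static final class SrvRecord {
        public final int priority, weight, port;
        public final String target;
        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority; this.weight = weight; this.port = port; this.target = target;
        }
        @Override public String toString() {
            return target + ":" + port + " (priority=" + priority + ", weight=" + weight + ")";
        }
    }

    /** Parse the textual RDATA the JNDI DNS provider returns: "priority weight port target." */
    static SrvRecord parse(String rdata) {
        String[] f = rdata.trim().split("\\s+");
        if (f.length != 4) throw new IllegalArgumentException("unexpected SRV record: " + rdata);
        String target = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        return new SrvRecord(Integer.parseInt(f[0]), Integer.parseInt(f[1]),
                             Integer.parseInt(f[2]), target);
    }

    /** Query the system resolver for SRV records of one name; empty list if none exist. */
    static List<SrvRecord> querySrv(String name) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        env.put("java.naming.provider.url", "dns:"); // platform default nameservers
        DirContext ctx = new InitialDirContext(env);
        List<SrvRecord> out = new ArrayList<>();
        try {
            Attributes attrs = ctx.getAttributes(name, new String[] { "SRV" });
            Attribute srv = attrs.get("SRV");
            if (srv == null) return out;
            NamingEnumeration<?> vals = srv.getAll();
            while (vals.hasMore()) out.add(parse(vals.next().toString()));
        } catch (NameNotFoundException nx) {
            return out; // NXDOMAIN: caller decides whether to fall back
        } finally {
            ctx.close();
        }
        // RFC 2782 client order: lowest priority first, higher weight first within a priority
        out.sort(Comparator.comparingInt((SrvRecord r) -> r.priority).thenComparingInt(r -> -r.weight));
        return out;
    }

    /** DCs for a DNS-style domain such as "example.com", preferring the dc._msdcs subtree. */
    public static List<SrvRecord> findDomainControllers(String dnsDomain) throws NamingException {
        List<SrvRecord> dcs = querySrv("_ldap._tcp.dc._msdcs." + dnsDomain);
        if (dcs.isEmpty()) {
            // Fallback for a secondary DNS that did not receive dc._msdcs via AXFR:
            // these are LDAP servers, not guaranteed to be DCs.
            dcs = querySrv("_ldap._tcp." + dnsDomain);
        }
        return dcs;
    }

    /** Successively shorter suffixes of a canonical host name, host label dropped, bare TLD excluded. */
    public static List<String> candidateDomains(String canonicalHostName) {
        List<String> out = new ArrayList<>();
        String[] labels = canonicalHostName.split("\\.");
        for (int i = 1; i < labels.length - 1; i++) {
            out.add(String.join(".", Arrays.copyOfRange(labels, i, labels.length)));
        }
        return out; // e.g. host.a.b.example.com -> [a.b.example.com, b.example.com, example.com]
    }

    /** Derive the domain from the local host name rather than from jcifs.smb.client.domain. */
    public static List<SrvRecord> findDomainControllersFromHost() throws Exception {
        String host = InetAddress.getLocalHost().getCanonicalHostName();
        for (String domain : candidateDomains(host)) {
            List<SrvRecord> dcs = findDomainControllers(domain);
            if (!dcs.isEmpty()) return dcs;
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) throws Exception {
        List<SrvRecord> dcs = args.length > 0 ? findDomainControllers(args[0])
                                              : findDomainControllersFromHost();
        if (dcs.isEmpty()) System.out.println("no domain controllers found");
        for (SrvRecord r : dcs) System.out.println(r);
    }
}
```

Run as `java DcSrvLookup example.com` to query an explicit domain, or with no argument to walk up from the local canonical host name. The `NameNotFoundException` branch is what distinguishes "the `dc._msdcs` subtree is missing on this resolver" from "the domain has no LDAP SRV records at all", so the fallback only widens the query when the more specific name is absent.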

