[jcifs] Fail-over capability with WINS

WYND Consulting wyndconsulting at shaw.ca
Fri Dec 1 17:33:22 GMT 2006


Apparently, I asked just the right question. This is fantastic. Appreciate the patch, Eric.

Stephen

----- Original Message -----
From: Michael B Allen <mba2000 at ioplex.com>
Date: Friday, December 1, 2006 8:05 am
Subject: Re: [jcifs] Fail-over capability with WINS

> Mmm, nice job. This looks clean enough that I might drop this into the
> next release (not 1.2.11 final though).
> 
> Two minor things though.
> 
> 1) There is one reason not to use dc._msdcs. If the local DNS
> server is actually a slave for a MS DNS server, those records
> will not be propagated in an AXFR zone transfer.
> 
> 2) Using jcifs.smb.client.domain isn't conceptually correct
> since that property has always meant the nETBIOSName of the
> domain and not the dnsRoot. A more correct method would be to do
> InetAddress.getLocalHost().getCanonicalHostName() and then
> repeatedly try to resolve successively shorter domain names (e.g.
> a.b.c.d.example.com, b.c.d.example.com, c.d.example.com, ...).
> However, since Sun's Krb5LoginModule does not do this (which is
> one of a number of flaws in Sun's Kerberos code) it would not be
> unreasonable to use java.security.krb5.realm. Or, you could use a
> new property to specify the full SRV lookup name which would also
> provide recourse for any possible issue related to 1.
> 
> But these issues are very minor and based on user experiences, there
> might be other adjustments so I won't change anything for now. I
> put it in the patches directory.
> 
> Thanks,
> Mike
> 
> On Fri, 1 Dec 2006 07:27:12 -0500
> "Eric Glass" <eric.glass at gmail.com> wrote:
> 
> > > Go for it. I recommend using JNDI to do an SRV lookup for
> > > _ldap._tcp.example.com to get the list of DCs. Then post a
> > > patch and we'll drop it in the patches directory. I'm sure it
> > > would be appreciated.
> > >
> > 
> > Here it is (patch against 1.2.11b).  This actually does a SRV lookup
> > against "_ldap._tcp.dc._msdcs.example.com" (to further qualify the
> > results as domain controllers rather than just LDAP servers,
> > although in practice it probably wouldn't make a difference).
> > 
> > This kicks in when SmbSession.getChallengeForDomain() is called;
> > if no WINS server is configured (NbtAddress.getWINSAddress() returns
> > null), then the DNS SRV lookup is performed against the domain
> > specified in "jcifs.smb.client.domain", and the DC list is populated
> > from the result.  Obviously in this case jcifs.smb.client.domain
> > would need to specify a DNS-style domain (e.g. "example.com") rather
> > than NetBIOS-style ("EXAMPLE").  You would also need to specify
> > jcifs.http.loadBalance=true for the NtlmFilter configuration (which
> > makes sense, since if you weren't load balancing the domain
> > controllers you wouldn't really need this functionality for the
> > filter anyway).
> > 
> > This has a slight side effect on preauthentication/signing, as that
> > also uses the jcifs.smb.client.domain property; the preauthentication
> > would be done against the DNS-style domain name rather than NetBIOS
> > style (i.e. authenticating as "example.com\username" rather than
> > "EXAMPLE\username").  This should work fine though (it does for me);
> > any domain controller listed in the SRV results is going to be
> > Win2K+, and should support the DNS-style domain name for NTLM
> > authentication.
> > 
> > Eric
> > 
> 
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 
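As an added illustration of the approach discussed in the thread (this is not Eric's patch and not jcifs code): a small Java helper that walks the successively shorter domain names Mike suggests, queries the SRV record for _ldap._tcp.dc._msdcs.<domain> through the JDK's JNDI DNS provider with a fallback to plain _ldap._tcp.<domain>, and orders the results by priority and weight. The class and method names are my own, and the record value format "priority weight port target." is what the com.sun.jndi.dns provider returns.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
/** DC discovery via DNS SRV as discussed in the thread; hypothetical helper, not jcifs code. */
public class DcSrvLookup {
    record Dc(int priority, int weight, int port, String host) {} // one SRV target (Java 16+)
    /** Parse a value as the JDK DNS JNDI provider returns it: "priority weight port target." */
    static Dc parse(String record) {
        String[] f = record.trim().split("\\s+");
        if (f.length != 4) throw new IllegalArgumentException("bad SRV record: " + record);
        String host = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        return new Dc(Integer.parseInt(f[0]), Integer.parseInt(f[1]), Integer.parseInt(f[2]), host);
    }
    /** Lowest priority first, then highest weight (RFC 2782 weighted randomisation omitted). */
    static List<Dc> order(List<Dc> dcs) {
        return dcs.stream().sorted(Comparator.comparingInt(Dc::priority)
                .thenComparingInt(d -> -d.weight())).toList();
    }
    /** Mike's suggestion: host.sub.example.com -> [host.sub.example.com, sub.example.com, example.com] */
    static List<String> candidateDomains(String canonicalHost) {
        List<String> out = new ArrayList<>();
        for (String n = canonicalHost; ; n = n.substring(n.indexOf('.') + 1)) {
            out.add(n);
            if (n.indexOf('.') == n.lastIndexOf('.')) return out; // stop before the bare TLD
        }
    }
    /** Try _ldap._tcp.dc._msdcs.<domain> first, then plain _ldap._tcp.<domain> (see Mike's point 1). */
    static List<Dc> lookup(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        env.put("java.naming.provider.url", "dns:"); // platform resolver
        DirContext ctx = new InitialDirContext(env);
        try {
            for (String name : List.of("_ldap._tcp.dc._msdcs." + domain, "_ldap._tcp." + domain)) {
                List<Dc> found = new ArrayList<>();
                try {
                    var srv = ctx.getAttributes(name, new String[] {"SRV"}).get("SRV");
                    for (int i = 0; srv != null && i < srv.size(); i++) found.add(parse((String) srv.get(i)));
                } catch (NamingException e) { /* name absent or no SRV records: try the next one */ }
                if (!found.isEmpty()) return order(found);
            }
            return List.of();
        } finally { ctx.close(); }
    }
}
```

A caller would iterate candidateDomains(InetAddress.getLocalHost().getCanonicalHostName()) and stop at the first domain for which lookup() returns a non-empty list; the lookup needs a live resolver, so only parse(), order() and candidateDomains() can be exercised offline.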