[jcifs] authentication

[Michael B Allen]

On Wed, 12 Jul 2006 18:39:20 +0200
"Torsten Curdt" <tcurdt at vafer.org> wrote:

> So what I am now looking for is the definite answer whether this is
> possible or not.

No. It's not. Like I said, if you leave out the domain the server uses the domain for which it is a member. This works fine with smbclient and cifsfs because that's usually the domain you want. But the NTLM HTTP Filter is only a member of 1 domain. That domain has a 1 in 25 chance of being the domain you want.

The only way to authenticate users from multiple domains is to establish trust relationships between all domains AND supply the correct domain with the user's credentials.

> The smbclient might use the domain from smb.conf and pass that on. Not

Like I said before, I don't think this is what it does. I think smbclient uses what it was provided. The server sorts it out (uses the domain for which it is a member).

> to work from windows to windows like that. But the question is: can
> you leave out the domain on the protocol level and then the server
> will assume its domain?

Yes. But I'm not positive. I would have to take a capture.

> > When
> > you don't specify the domain with smbclient I believe the remote server
> > simply assumes the user is to be authenticated against the domain
> > with which the server is joined.
> 
> Which would be what I am after. Would I have that by leaving the
> domain set to null?

Yes.

> > The domain in the NTLM HTTP Filter
> > is effectively the domain with which the Filter is joined. Therefore
> > not specifying a domain with the Filter should have no visible effect
> > on clients.
> 
> Personally I am not talking about the NTLM HTTP Filter ...I am trying
> to see where I can connect (to the IPC$ share)

Oh. I thought you were trying to use the Filter.

Just do:

SmbFile f = new SmbFile("smb://server/ipc$", new NtlmPasswordAuthentication(null, "user", "pass"));

-- 
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/