[jcifs] NTLM usrname/password failure after each 5 mins

Tapperson Kevin Kevin.Tapperson at hcahealthcare.com
Tue Jul 18 21:35:07 GMT 2006


We have experienced issues with transports being closed in the middle of
the multi-step handshake process.  We implemented some basic reference
counting in the SmbSession and SmbTransport classes to alleviate this.
Following is the diff of the changes we made to support this.  Sorry I
don't have a more up-to-date diff; we are still using 1.1.11.  I'm not
sure how applicable this diff is to the current version of jcifs, but
the implementation should be similar.

C:\jcifs>diff jcifs_1.1.11_modified\src\jcifs\smb\SmbSession.java
jcifs_1.1.11\src\jcifs\smb\SmbSession.java
84d83
<         trans.incrementReferenceCount();
138d136
<         trans.incrementReferenceCount();
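
Review bot: incrementReferenceCount() is called at two sites in SmbSession (lines 84 and 138), but the only decrementReferenceCount() in this diff is the one in the finally block at line 169. Unless each of the two paths reaches that finally exactly once, the count only grows and the refCount == 0 close in SmbTransport stops firing. A comment at each call site naming its matching release would make the pairing checkable.
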
160,169c158,163
<         try {
<             if( LOGON_SHARE == null ) {
<                 tree.treeConnect( null, null );
<             } else {
<                 Trans2FindFirst2 req = new Trans2FindFirst2( "\\",
"*", SmbFile.ATTR_DIRECTORY );
<                 Trans2FindFirst2Response resp = new
Trans2FindFirst2Response();
<                 tree.sendTransaction( req, resp );
<             }
<         } finally {
<             tree.session.transport.decrementReferenceCount();
---
>         if( LOGON_SHARE == null ) {
>             tree.treeConnect( null, null );
>         } else {
>             Trans2FindFirst2 req = new Trans2FindFirst2( "\\", "*",
SmbFile.ATTR_DIRECTORY );
>             Trans2FindFirst2Response resp = new
Trans2FindFirst2Response();
>             tree.sendTransaction( req, resp );
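
Review bot: the try that guards the release opens at line 160, well after the increments at lines 84 and 138, so anything that throws between an increment and this try leaves the count raised permanently. The release is also written as tree.session.transport.decrementReferenceCount() while the acquire uses trans; if those can ever be different transport objects, one count underflows and the other never drops. Suggest taking the reference on the line directly before try and releasing through the same variable.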

C:\jcifs>diff jcifs_1.1.11_modified\src\jcifs\smb\SmbTransport.java
jcifs_1.1.11\src\jcifs\smb\SmbTransport.java
125,126d124
<     private int refCount = 0;
<
508,513c506
<                     if( refCount == 0 ) {
<                         tryClose( false );
<                     } else if( log.level > 1 ) {
<                         log.println( "soTimeout has occured but there
are " +
<                                 refCount + " references to this
transport socket" );
<                     }
---
>                     tryClose( false );
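
Review bot: the read of refCount in the soTimeout branch is not shown to hold the same monitor as the synchronized incrementReferenceCount() and decrementReferenceCount(), so a session can take a reference between the refCount == 0 test and tryClose( false ), which is the mid-handshake close this patch is meant to prevent. Do the test and the close in one synchronized step on the transport. Minor: "occured" in the log message should be "occurred".
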
531,538d523
<     synchronized void incrementReferenceCount() {
<         refCount++;
<     }
<
<     synchronized void decrementReferenceCount() {
<         refCount--;
<     }
<
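
Review bot: decrementReferenceCount() has no lower bound, so a single unmatched call makes refCount negative; refCount == 0 is then never true and the idle transport is never closed by the timeout. Suggest guarding the decrement (for example if( refCount > 0 ) refCount--;) and logging when an underflow is attempted, so an unbalanced caller is visible instead of silently pinning the socket.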

-----Original Message-----
From: jcifs-bounces+kevin.tapperson=hcahealthcare.com at lists.samba.org
[mailto:jcifs-bounces+kevin.tapperson=hcahealthcare.com at lists.samba.org]
On Behalf Of Michael B Allen
Sent: Tuesday, July 18, 2006 1:56 PM
To: Alexandr Podoplelov
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] NTLM usrname/password failure after each 5 mins

Is there an exception in the log?

It could be that the connection to the DC is getting closed in the
middle of a negotiation. I don't know why it would get closed but
because NTLM is a multistep handshake, if client is provided with the
server challenge and then the connection closes the challenge will
become invalid. When IE submits the password hashes the DC on the new
connection will reject them. We could detect when the challenge no
longer matches the transport (actually I think we do that already) and
resend the WWW-Authenticate: NTLM but that will cause the network password
dialog to come up so same difference.

So if that's really what's happening there's no way to fix the problem.
You might try to investigate *why* the connection is being closed and
try to stop it.

Mike

On Tue, 18 Jul 2006 20:31:02 +0400
"Alexandr Podoplelov" <alepod at gmail.com> wrote:

> Dear JCIFS experts!
> 
> Maybe somebody met already the problem which I face now. Please, share
> any ideas you may have!
> 
> I configured JCIFS with Tomcat 5.5 and it works perfectly except one thing.
> After each 5 minutes while stress test (10 logins/sec) I get an error
> about bad username/password (AD authorization failure). It is strange
> since names and passwords are transferred by Internet Explorer while
> handshaking with JCIFS. I cannot imagine that after every approx. 5
> minutes IE sends wrong passwords.
> The filter configuration is this one:
> 
> <filter>
>     <filter-name>ntlm</filter-name>
>     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> 
>     <init-param>
>         <param-name>jcifs.http.domainController</param-name>
>         <param-value>bee.vimpelcom.ru</param-value>
>     </init-param>
> 
>     <init-param>
>         <param-name>jcifs.smb.client.domain</param-name>
>         <param-value>Domain</param-value>
>     </init-param>
> 
>     <init-param>
>         <param-name>jcifs.smb.client.username</param-name>
>         <param-value>UserOne</param-value>
>     </init-param>
> 
>     <init-param>
>         <param-name>jcifs.smb.client.password</param-name>
>         <param-value>ThePassword</param-value>
>     </init-param>
> 
>     <init-param>
>         <param-name>jcifs.smb.lmCompatibility</param-name>
>         <param-value>3</param-value>
>     </init-param>
> 
>     <init-param>
>         <param-name>jcifs.util.loglevel</param-name>
>         <param-value>3</param-value>
>     </init-param>
> </filter>
> 
> <filter-mapping>
>    <url-pattern>/*</url-pattern>
>    <filter-name>ntlm</filter-name>
> </filter-mapping>
> 
> 
> Please, share any ideas how to fix this problem? Or which way to 
> investigate it. Thank you.
> //Alexander
> 


--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
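
Added example, not part of the thread and not jcifs code: a simplified Java model of the failure described above, where the Type 2 challenge belongs to one DC connection and the browser's answer arrives after that connection has been replaced. `DcConnection`, `respond`, `verify`, `handshake` and the HMAC-SHA256 response are assumptions standing in for the real SMB transport and NTLM computation; the password is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ChallengeBinding {
    enum Result { OK, BAD_PASSWORD, STALE_CHALLENGE }

    // Constructed stand-in for one connection to the DC; the challenge belongs to it.
    static final class DcConnection {
        final byte[] challenge = new byte[8];
        DcConnection() { new SecureRandom().nextBytes(challenge); }
    }

    // Stand-in for the NTLM response: HMAC-SHA256(secret, challenge), not the real algorithm.
    static byte[] respond(byte[] challenge, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(challenge);
    }

    // Type 3 check: 'issuer' produced the Type 2 challenge, 'current' is the
    // connection available when the browser's answer arrives.
    static Result verify(DcConnection issuer, DcConnection current,
                         byte[] type3, byte[] secret) throws Exception {
        // Without this test the answer would be compared against current.challenge
        // and a correct password would be reported as a bad one.
        if (issuer != current) return Result.STALE_CHALLENGE;
        return MessageDigest.isEqual(type3, respond(current.challenge, secret))
                ? Result.OK : Result.BAD_PASSWORD;
    }

    // Runs one handshake; closedAfterType2 models the idle timeout firing mid-handshake.
    static Result handshake(boolean closedAfterType2, String typed) throws Exception {
        byte[] secret = "constructed-password".getBytes(StandardCharsets.UTF_8);
        DcConnection issuer = new DcConnection();
        byte[] type2 = issuer.challenge;                 // sent to the browser
        DcConnection current = closedAfterType2 ? new DcConnection() : issuer;
        byte[] type3 = respond(type2, typed.getBytes(StandardCharsets.UTF_8));
        return verify(issuer, current, type3, secret);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(handshake(false, "constructed-password"));
        System.out.println(handshake(false, "wrong"));
        System.out.println(handshake(true, "constructed-password"));
    }
}
```

Reporting the replaced-connection case separately from a wrong password keeps periodic failures like the five-minute pattern in this thread from being read as credential errors in the logs.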

