[jcifs] Authenticating Against Multiple Domain Controllers

Tapperson Kevin Kevin.Tapperson at hcahealthcare.com
Fri Jun 23 15:54:08 GMT 2006


We have implemented some custom handling in the NtlmHttpFilter class to
achieve this.  I have attached a few of the pertinent classes from our
customizations.  We made these customizations in our own code and left
the jcifs implementation untouched.  These customizations could be
included in the jcifs code and may become a little cleaner if so.

We were first prompted to make these customizations because we found
that our WINS servers have bad addresses in them.  It appears that
Microsoft products implement some type of retry logic around the WINS
lookup of a DC.  Our directory services team refused to make any effort
to keep the WINS records clean with only good DCs.  Apparently, only
jcifs suffers from having bad DCs in the WINS records?

Following this, we tried switching to using DNS in jcifs.  This too had
the same issues.  Our DNS entries for the DCs had bad addresses in them.
The bad addresses were for DCs that were down for maintenance, rogue
DCs, and 169.254.x.x addresses (DHCP auto configure).  We have had
problems with rogue DCs on our network since the Microsoft Outlook
server has some sort of requirement that it act as a DC.  As our e-mail
services team plays with their Outlook servers, they would register
themselves as DCs even though they may not actually contain any
directory information.  It turns out that some of our DCs have multiple
network adapters some of which are enabled but not plugged in to
anything.  When the DC reboots, it attempts to get a DHCP address for
those enabled but disconnected adapters and fails, but proceeds to
register the 169.254.x.x address with DNS.  Again, our directory
services team refused to make any effort to keep the DNS records clean
with only good DCs in them.  (We also had this same issue with our LDAP
access to the directory since it uses DNS.  We have since implemented a
similar solution for LDAP.)  I'll stop griping about our directory
services team now and get on with the solution.

In the attached code, the following properties control the DC lookup:

The set of allowed domains must be configured; only those domains which
are listed in the properties (and set to true) are supported.  (This
prevents users who log in locally to their machine rather than to the
domain from attempting authentication.)  You should enable both the
NETBIOS name and the DNS name for the domain.  For example:
	domain.allowed.DOMAIN1=true
	domain.allowed.domain1.yourdomain.tld=true

Each enabled domain can be configured to point to a DNS entry.  Ideally,
this would be a round robin DNS entry with all of the DCs in your
domain.  For example:
	domain.dns.DOMAIN1=domain1.yourdomain.tld
	domain.dns.domain1.yourdomain.tld=domain1.yourdomain.tld

You can also specify an explicit list of DCs for each enabled domain.
The list of DCs here is converted to an internally managed round robin
list.  The entries in this list can either be DNS names, IP addresses,
NETBIOS names or a mix of them.  For example:
	domain.controllers.DOMAIN1=dc1.domain1.yourdomain.tld, 1.2.3.4, DC1
	domain.controllers.domain1.yourdomain.tld=dc1.domain1.yourdomain.tld, 1.2.3.4, DC1

You can specify the # of retries to use in trying to locate a good DC:
	retries=3

You can specify a timeout value for which a "bad" DC is removed from the
internally managed round robin DNS list:
	bad.host.timeout=300000

You can specify whether to use WINS or DNS for lookups:
	use.wins=false


The getDomainController(String domain) method looks up a domain
controller for the specified domain using the following logic:

	get the domain.controllers.<domain> list for the specified domain
	if the explicit list of DCs is defined for the domain (and it's not empty), then use the defined list
		get the first entry from the list of DCs
		if the use.wins flag is true AND the entry does not contain a '.'
			use a WINS server query to look up the address for the entry
		else
			use DNS to look up the address for the entry
	else
		get the domain.dns.<domain> property for the specified domain
		if the use.wins flag is true OR the domain.dns.<domain> property is not set
			use a WINS 0x1C query to look up a DC address for the domain
		else
			use DNS to look up a DC address for the domain

If the getDomainController method finds a "bad" DC, it flags it as bad
and removes it from the internally managed round robin DNS list for the
length of time specified by the bad.host.timeout property.  After that,
the "bad" DC is reinstated into the round robin DNS list and tried again
for subsequent requests.


-----Original Message-----
From: jcifs-bounces+kevin.tapperson=hcahealthcare.com at lists.samba.org
[mailto:jcifs-bounces+kevin.tapperson=hcahealthcare.com at lists.samba.org]
On Behalf Of Michael B Allen
Sent: Thursday, June 22, 2006 6:53 PM
To: Armen.Yampolsky at fitchratings.com
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Authenticating Against Multiple Domain Controllers

On Thu, 22 Jun 2006 18:17:43 -0400
Armen.Yampolsky at fitchratings.com wrote:

> ___
> Hello,
>  
> We have a network with no WINS servers, and two domain controllers.
> The primary occasionally goes down. What are the correct set of jcifs
> parameters to use if we want to be able to cycle among the two DC's, and
> automatically use the secondary if the primary goes down (and
> vice-versa)? As has been noted on this list before, the following does
> not seem to work:

Can't do it without WINS.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NTLMType1Agent.java
Type: application/octet-stream
Size: 3972 bytes
Desc: NTLMType1Agent.java
Url : http://lists.samba.org/archive/jcifs/attachments/20060623/68c145e0/NTLMType1Agent-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.properties
Type: application/octet-stream
Size: 824 bytes
Desc: config.properties
Url : http://lists.samba.org/archive/jcifs/attachments/20060623/68c145e0/config-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DNSRoundRobinList.java
Type: application/octet-stream
Size: 3237 bytes
Desc: DNSRoundRobinList.java
Url : http://lists.samba.org/archive/jcifs/attachments/20060623/68c145e0/DNSRoundRobinList-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NTLMConfig.java
Type: application/octet-stream
Size: 11188 bytes
Desc: NTLMConfig.java
Url : http://lists.samba.org/archive/jcifs/attachments/20060623/68c145e0/NTLMConfig-0001.obj
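The lookup scheme the post describes (the explicit domain.controllers list, the DNS or WINS 0x1C fallback, the retries property, and the bad.host.timeout quarantine on the internally managed round-robin list), written out as an added Python example. It is not the attached jcifs classes and makes no jcifs calls: the WINS/DNS lookups and the "is this DC good" probe are injected callables (assumed names wins_host, dns_host, wins_dc, dns_dc, probe), so it runs offline against a constructed property set and a simulated DC that is down for maintenance and comes back after the quarantine expires.

```python
"""Round-robin DC selection with a bad-host quarantine, following the
getDomainController() decision tree from the post. Added example, not the
attached jcifs code; lookups are injected so the logic runs offline."""
import time


class RoundRobinList:
    """Cycle through entries, skipping any flagged bad until bad.host.timeout expires."""

    def __init__(self, entries, bad_host_timeout_ms, clock=time.time):
        self.entries = list(entries)
        self.timeout = bad_host_timeout_ms / 1000.0
        self.clock = clock
        self.bad = {}      # entry -> time it was flagged bad
        self.index = 0

    def update(self, entries):
        """Replace entries (fresh DNS/WINS answer) but keep the quarantine."""
        self.entries = list(entries)
        if self.index >= len(self.entries):
            self.index = 0

    def is_bad(self, entry):
        flagged = self.bad.get(entry)
        if flagged is None:
            return False
        if self.clock() - flagged >= self.timeout:
            del self.bad[entry]   # timeout elapsed: reinstate and try it again
            return False
        return True

    def mark_bad(self, entry):
        self.bad[entry] = self.clock()

    def next(self):
        """Next entry that is not quarantined, or None if all of them are."""
        for _ in range(len(self.entries)):
            entry = self.entries[self.index]
            self.index = (self.index + 1) % len(self.entries)
            if not self.is_bad(entry):
                return entry
        return None


class DCLocator:
    # Assumed callables: wins_host/dns_host map a name to one address, wins_dc (0x1C
    # query)/dns_dc map a domain/DNS name to a list of addresses, probe(address)
    # returns True if the DC answers (in jcifs terms, an NTLM challenge request).
    def __init__(self, config, wins_host, dns_host, wins_dc, dns_dc, probe, clock=time.time):
        self.config, self.clock, self.probe = config, clock, probe
        self.wins_host, self.dns_host = wins_host, dns_host
        self.wins_dc, self.dns_dc = wins_dc, dns_dc
        self.use_wins = config.get("use.wins", "false").lower() == "true"
        self.retries = int(config.get("retries", "3"))
        self.timeout_ms = int(config.get("bad.host.timeout", "300000"))
        self.lists = {}   # domain -> RoundRobinList

    def allowed(self, domain):
        return self.config.get("domain.allowed." + domain, "").lower() == "true"

    def _rr(self, domain, entries):
        rr = self.lists.get(domain)
        if rr is None:
            rr = self.lists[domain] = RoundRobinList(entries, self.timeout_ms, self.clock)
        else:
            rr.update(entries)
        return rr

    def _next_candidate(self, domain):
        """(entry, resolver, list) per the decision tree in the post."""
        raw = self.config.get("domain.controllers." + domain, "")
        explicit = [e.strip() for e in raw.split(",") if e.strip()]
        if explicit:
            rr = self._rr(domain, explicit)
            entry = rr.next()
            if entry is not None and self.use_wins and "." not in entry:
                return entry, self.wins_host, rr      # NetBIOS name via WINS
            return entry, self.dns_host, rr           # DNS name or literal IP
        dns_name = self.config.get("domain.dns." + domain)
        addrs = self.wins_dc(domain) if (self.use_wins or not dns_name) else self.dns_dc(dns_name)
        rr = self._rr(domain, addrs)
        return rr.next(), (lambda a: a), rr           # already an address

    def get_domain_controller(self, domain):
        if not self.allowed(domain):   # local logons never get to try the DCs
            raise LookupError("domain %r is not in domain.allowed.*" % domain)
        for _ in range(self.retries):
            entry, resolve, rr = self._next_candidate(domain)
            if entry is None:
                break                  # every candidate is currently quarantined
            try:
                address = resolve(entry)
                if self.probe(address):
                    return address
            except (OSError, KeyError):   # name lookup failure also counts as bad
                pass
            rr.mark_bad(entry)
        raise LookupError("no reachable domain controller found for %r" % domain)


# Constructed properties in the shape the post documents; not the attached config.properties.
CONFIG = {
    "domain.allowed.DOMAIN1": "true",
    "domain.allowed.domain1.yourdomain.tld": "true",
    "domain.dns.DOMAIN1": "domain1.yourdomain.tld",
    "domain.dns.domain1.yourdomain.tld": "domain1.yourdomain.tld",
    "domain.controllers.DOMAIN1": "dc1.domain1.yourdomain.tld, 1.2.3.4, DC1",
    "retries": "3",
    "bad.host.timeout": "300000",
    "use.wins": "false",
}


def demo():
    """Simulated network: dc1 is down for maintenance, then back after the quarantine."""
    now = [0.0]
    table = {"dc1.domain1.yourdomain.tld": "10.0.0.1", "1.2.3.4": "1.2.3.4", "DC1": "10.0.0.3"}
    up = {"1.2.3.4", "10.0.0.3"}   # 10.0.0.1 does not answer
    loc = DCLocator(CONFIG, wins_host=table.__getitem__, dns_host=table.__getitem__,
                    wins_dc=lambda d: [], dns_dc=lambda n: ["10.0.0.1", "1.2.3.4", "10.0.0.3"],
                    probe=lambda a: a in up, clock=lambda: now[0])
    picks = [loc.get_domain_controller("DOMAIN1") for _ in range(3)]  # dc1 flagged on call 1
    fallback = loc.get_domain_controller("domain1.yourdomain.tld")    # no explicit list: DNS RR
    now[0] += 301                                                      # bad.host.timeout elapsed
    up.add("10.0.0.1")                                                 # maintenance finished
    picks += [loc.get_domain_controller("DOMAIN1") for _ in range(2)]  # dc1 is tried again
    return picks, fallback


if __name__ == "__main__":
    print(demo())
```

The first DOMAIN1 call burns one retry on dc1, flags it, and returns 1.2.3.4; the next two calls continue round-robin and skip dc1 without spending a retry on it; once the clock passes bad.host.timeout, dc1 is reinstated and, being back up, is returned again. Note that retries is treated here as the total number of attempts per call, and that a lookup which quarantines every entry fails fast rather than looping.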
