[jcifs] jcifs failing randomly in Win2003 environment

Michael B Allen mba2000 at ioplex.com
Wed May 17 17:02:31 GMT 2006 

On Wed, 17 May 2006 06:47:26 +0000 (UTC)
Paul <paul.pree at bmssolutions.com> wrote:

> Hi Mike
> 
> I'm having a problem with consistency of access in a Windows 2003 environment 
> (SDK 1.4.2_10, Tomcat 5.5.15 with Compatibility, JCIFS 1.2.9). Initially I had 
> the problem where only the first user could connect and subsequent users got 
> dialog boxes headed "Connect to JCIFS... in DomainX". Regardless of detail 
> input, access was never granted.
> 
> We implemented (based on these archives):
> Upgrading to JCIFS 1.2.9 (from 1.2.7)
> Adding the machine to the Local Intranet Zone
> Ensuring it was not in Trusted Sites
> Preauthentication (Which I don't think I ever got working correctly)

You must get preauth working if signatures are required. If you cannot get
it working, then you must turn off signatures on the "domainController" [1].

> Setting Hostname
> Setting LM Compatibility=3 (Currently removed from web.xml)
> Setting ssnLimit=1 (Currently removed from web.xml)
> 
> None of the above resolved the problem, but when we set soTimeout to 5000 we 
> were able to get many users connecting.

This probably means that the second authentication if failing which
indicates that it's an SMB signatures problem.

> Testing under load showed this to be 
> unreliable and resetting soTimeout to 500 helped - but now under further load 
> it is failing randomly. The same user may be able to move around pages and get 

500 means 1/2 of a second. That's so low that it's probable that the
socket will close before the authentication has completed.

> a failure on the 10th (or some random number) access.
> 
> Current web.xml is
>        <init-param>
>              <param-name>jcifs.http.domainController</param-name>
>             <param-value>xx.xx.xx.xxx</param-value>
>         </init-param>
> 
>         <init-param>
>             <param-name>jcifs.smb.client.domain</param-name>
>             <param-value>domainxxx</param-value>
>         </init-param>
>         <init-param>
>              <param-name>jcifs.util.loglevel</param-name>
>             <param-value>9</param-value>
>         </init-param>
>         <init-param>
>              <param-name>jcifs.smb.client.soTimeout</param-name>
>             <param-value>500</param-value>
>         </init-param>
> 
>         <init-param>
>              <param-name>jcifs.smb.client.username</param-name>
>             <param-value>service_account</param-value>
>         </init-param>
>         <init-param>
>              <param-name>jcifs.smb.client.password</param-name>
>             <param-value>xxxxxxxxxxx</param-value>
>         </init-param>
>         <init-param>
>              <param-name>jcifs.netbios.hostname</param-name>
>             <param-value>servername</param-value>
>         </init-param>
> 
> Current log entries show items like:
> NtlmHttpFilter: domainxxx\UsernameX: 0xC000006D: jcifs.smb.SmbAuthException: 
> Logon failure: unknown user name or bad password.

Probably SMB signature failure b/c it was the second authentication.

> java.net.SocketTimeoutException: Read timed out
> 	at java.net.SocketInputStream.socketRead0(Native Method)
> 	at java.net.SocketInputStream.read(SocketInputStream.java:129)
> 	at jcifs.util.transport.Transport.readn(Transport.java:29)
> 	at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:351)
> 	at jcifs.util.transport.Transport.loop(Transport.java:100)
> 	at jcifs.util.transport.Transport.run(Transport.java:248)
> 	at java.lang.Thread.run(Thread.java:534)

This is normal. Especially with an soTimeout of 500ms.

> I've tried setting LM_COMPATIBILITY=3 (and other values) to no avail. I've 
> also tried setting the ssnlimit to 1 and set up a valid logonshare and 
> attempted to use that.

If you have every seen a successful authentication ever then changing
lmCompatibility will have no effect.

> If my reading of the documentation is correct, my config above should work and 
> should be preauthenticating. I get the same error (the network login popup) 
> regardless of what values I put in for preauth (e.g. I tried invalid 
> username/password and still get the same errors)

First, move the jcifs-1.2.9.jar file out of the library path, restart to
web server, and verify that it fails because it cannot locate the JCIFS
classes. I believe SMB signatures were broken prior to 1.2.8 so if you
have an old jar file laying around you'll want to get rid of it.

If that's not the problem, take out soTimeout parameter, stop the
web server, start a packet capture [2], start the web server, and
have two different users try to logon to the site one right after the
other. Presumably the first work and the second will fail. Then send
me the capture and the log (make sure to include the properties dump at
the top). The objective is to see if preauthentication is working.

Preauth is the key (literrally since failure to generate the MAC key is
the problem).

Mike

[1] Note you can designate the "domainController" to be a
    server or even a workstation so turning off signatures on
    that machine may not be terribly important from a security
    prespective. http://www.google.com/search?q=regedit+SMB+signatures
[2] http://jcifs.samba.org/capture.html (must run this on the web server
    or on a hub connected to it).

More information about the jcifs mailing list