[jcifs] KerberosAuthExample (Signature verification failed)

Clive Brettingham-Moore jcifs at brettingham-moore.net
Tue Nov 21 03:13:06 GMT 2006

Found some discussion of this on this list back in October (
http://lists.samba.org/archive/jcifs/2006-October/006577.html). I've had
the same issue using the current library (jcifs-krb5-1.2.9.jar) to
connect to windows 2003 server.
In my case I have traced the issue back to the flags2 value used
(signing bit is set for SMB_COM_NEGOTIATE but is cleared for subsequent
messages SMB_COM_SESSION_SETUP_ANDX, tree connect). It seems that
SmbTransport is clearing the signature flag (due to
SmbConstants.SIGNPREF being [defaulting to] false), but is still
throwing an exception for signature verfication failure (if the client
does not request signatures the 2003 server appears to just echo the
request signature in the response - which fails verification). This
issue can be worked around by setting the
jcifs.smb.client.signingPreferred property (thus SIGNPREF) to true 
causing SmbTransport leave the singing bit of flags2 from negotiate alone:
for the cut and paste crowd add this line to you jcifs setup code:
        Config.setProperty("jcifs.smb.client.signingPreferred", "true");
or set the system property on the command line:

The code probably should be patched to only check signature validity if
it has requested signing (the simplest would be making SmbTransport.java
line 264 conditional on actually having requested signing, though it
would be better to shutdown signature verification completely if not
being used). The default false for SIGNPREF probably shouldn't override
a manually set flags2 preference either, but that may be complicated to
implement... well actually the whole static prefs system probably needs
replacing with an nice scoped system, but I know I haven't got the time,
so I'd better stop giving "advice" :P)

Clive Brettingham-Moore

More information about the jcifs mailing list