[jcifs] KerberosAuthExample (Signature verification failed)

Clive Brettingham-Moore jcifs at brettingham-moore.net
Wed Nov 22 06:43:58 GMT 2006


Since I'm not going to use Kerberos in production right now I'm happy
anyway, I just like to keep an eye on future possibilities :)

The problem appears to be Kerberos-specific in that the session setup
for Kerberos sets the [transport] digest using a different logic from a
normal session setup:

SmbSession sets it only if transport.isSignatureSetupRequired() returns
true - which depends on flag settings

Kerb5Authenticator adds some extra logic that sets up a digest (if not
already done) when bits are set in transport.server.securityMode (line
195) as part of setup.

The problem arises because signing in transport is configured in a
fragile way - verification is triggered simply by having a digest, but
the request flags are determined by configuration.
I presume that the Kerberos code sets the digest because it is needed,
I'd guess for authentication of requests (although arguably setting a
package private field is living dangerously), and the transport code is
fragile as above so the solution could lie there, for instance making
verification in doRecv conditional on having actually requested signing.

Additionally/alternatively since Kerb5Authenticator is setting the
digest it should probably change flags2 to be consistent (request signing).

Clive


Michael B Allen wrote:
> On Tue, 21 Nov 2006 14:13:06 +1100
> Clive Brettingham-Moore <jcifs at brettingham-moore.net> wrote:
> 
>> Found some discussion of this on this list back in October (
>> http://lists.samba.org/archive/jcifs/2006-October/006577.html). I've had
>> the same issue using the current library (jcifs-krb5-1.2.9.jar) to
>> connect to Windows 2003 server.
> 
> Note that the cited thread was completely incorrect about jcifs-krb5
> not supporting signatures - it DOES support signatures (but I see you
> know this because you see signatures working if signingPreferred is true).
> 
> So is this problem specific to the jcifs-krb5 package? Does the regular
> stock jcifs package have this problem? If the problem is specific to
> jcifs-krb5 then look at the logic behind both and figure out where the
> bug is.
> 
> Note the jcifs-krb5 package is experimental and is not supported. I
> barely have enough time for the stock package.
> 
> For now, just set signingPreferred = true and be happy.
> 
> But thanks for the feedback. We need it if there is any hope of
> integrating the krb5 functionality.
> 
> Mike
> 
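
The digest/flag mismatch described at the top of this message, and the two fixes it proposes, as an added Java model that is not jcifs code and not part of the original thread. All names are hypothetical, the key and body are constructed samples, and the model assumes the server signs a response only when the request set the Flags2 signing bit.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Simplified model of the behaviour discussed above. Not jcifs source:
// all class, field and method names here are hypothetical.
public class SigningMismatchDemo {
    static final int FLAGS2_SECURITY_SIGNATURE = 0x0004; // SMB1 Flags2 signing bit

    static byte[] sign(byte[] key, byte[] body) throws Exception {
        // Stand-in for SMB1 signing: MD5(key || body) truncated to 8 bytes (no sequence numbers).
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(key);
        return Arrays.copyOf(md5.digest(body), 8);
    }

    // Assumption: the server signs a response only if the request set the signing flag.
    static byte[] serverSignature(byte[] key, int requestFlags2, byte[] body) throws Exception {
        return (requestFlags2 & FLAGS2_SECURITY_SIGNATURE) != 0 ? sign(key, body) : new byte[8];
    }

    // Fragile check: having a digest (key) is enough to trigger verification.
    static boolean verifyFragile(byte[] key, byte[] body, byte[] sig) throws Exception {
        return key == null || Arrays.equals(sign(key, body), sig);
    }

    // First proposal: verify only when signing was actually requested.
    static boolean verifyConditional(byte[] key, int flags2, byte[] body, byte[] sig) throws Exception {
        boolean requested = (flags2 & FLAGS2_SECURITY_SIGNATURE) != 0;
        return key == null || !requested || Arrays.equals(sign(key, body), sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-session-key".getBytes(StandardCharsets.UTF_8);   // constructed sample
        byte[] body = "constructed response body".getBytes(StandardCharsets.UTF_8); // constructed sample

        int flags2 = 0; // configuration did not request signing, but the Kerberos setup set a key
        byte[] sig = serverSignature(key, flags2, body);
        System.out.println("digest set, flag clear, fragile check:     " + verifyFragile(key, body, sig));
        System.out.println("digest set, flag clear, conditional check: " + verifyConditional(key, flags2, body, sig));

        // Second proposal: whoever sets the digest also sets the flag, so the reply is signed.
        flags2 |= FLAGS2_SECURITY_SIGNATURE;
        sig = serverSignature(key, flags2, body);
        System.out.println("digest set, flag set, fragile check:       " + verifyFragile(key, body, sig));
    }
}
```

In this model only the second change leaves responses verified; the conditional check accepts unsigned replies whenever the flag is clear.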

