[jcifs] KerberosAuthExample

Eric Glass eric.glass at gmail.com
Mon Oct 2 23:39:37 GMT 2006


It's been a looooong time since I looked at any of the extended
security signing stuff, but I believe the initial client session setup
stuff has the dummy "BSRSPYL" signature (and is not validated by the
server); the server response is the first actual signed packet.

On 10/2/06, Michael B Allen <mba2000 at ioplex.com> wrote:
> On Mon, 2 Oct 2006 11:30:06 +0100
> "Mike Streeton" <mike.streeton at ardentia.co.uk> wrote:
>
> >             [Krb5LoginModule] authentication succeeded
> > Commit Succeeded
> >
> > jcifs.smb.SmbException: Signature verification failed.
> >       at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:565)
> >       at jcifs.smb.SmbTransport.send(SmbTransport.java:662)
> >       at jcifs.smb.SmbSession.send(SmbSession.java:252)
> >       at jcifs.smb.SmbTree.treeConnect(SmbTree.java:147)
>
> Mmmm. SMB signing with Kerberos is a little different from NTLM. I
> guess the jcifs-krb5 package doesn't have the necessary SMB signing
> changes.  That's a pretty serious limitation. The signing code will
> need updating. It's not terribly difficult work assuming we can get
> the session key from JGSS but it's not something that I can do anytime
> soon. I'm surprised the Kerberos Filter works at all considering the
> SMB_COM_SESSION_SETUP_ANDX should be signed I think.
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>
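
Added example, not part of the original messages and not jcifs code: a small Python check for reading a packet capture when diagnosing a failure like the one in the stack trace above, reporting whether each SMB1 header carries the placeholder signature or a real one. The header offsets, flag values, command codes and the space-padding of the placeholder to 8 bytes come from the SMB1 header layout rather than from this thread, and the packets are constructed samples.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SIG_OFFSET = 14                      # 8-byte signature field in the 32-byte SMB1 header
FLAGS_REPLY = 0x80                   # set on server-to-client packets
FLAGS2_SECURITY_SIGNATURE = 0x0004   # packet claims to carry a signature
DUMMY_SIGNATURE = b"BSRSPYL "        # assumption: the thread's string space-padded to 8 bytes

def classify_signature(packet: bytes) -> dict:
    """Describe the signature field of one SMB1 packet."""
    if len(packet) < 32 or packet[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 packet")
    command, flags = packet[4], packet[9]
    (flags2,) = struct.unpack_from("<H", packet, 10)
    sig = packet[SIG_OFFSET:SIG_OFFSET + 8]
    if not flags2 & FLAGS2_SECURITY_SIGNATURE:
        kind = "unsigned"        # signing flag not set at all
    elif sig == DUMMY_SIGNATURE:
        kind = "placeholder"     # flag set, but no MAC has been computed
    elif sig == bytes(8):
        kind = "zeroed"          # flag set, field never filled in
    else:
        kind = "signed"          # a verifier is expected to check this one
    return {"command": command, "from_server": bool(flags & FLAGS_REPLY),
            "kind": kind, "signature": sig.hex()}

def first_signed(packets):
    """Index of the first packet carrying a real signature, or None."""
    for i, pkt in enumerate(packets):
        if classify_signature(pkt)["kind"] == "signed":
            return i
    return None

def sample_header(command, flags, flags2, sig):
    """Constructed 32-byte header for the demo; not a captured packet."""
    return (SMB1_MAGIC + bytes([command]) + bytes(4) + bytes([flags])
            + struct.pack("<H", flags2) + bytes(2) + sig + bytes(10))

# Constructed exchange: session setup request, its response, tree connect request.
SAMPLE = [
    sample_header(0x73, 0x18, 0xC807, DUMMY_SIGNATURE),
    sample_header(0x73, 0x98, 0xC807, bytes.fromhex("1122334455667788")),
    sample_header(0x75, 0x18, 0xC807, bytes.fromhex("99aabbccddeeff00")),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(classify_signature(pkt))
    print("first signed packet index:", first_signed(SAMPLE))
```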

