[jcifs] KerberosAuthExample

Michael B Allen mba2000 at ioplex.com
Tue Oct 3 00:32:05 GMT 2006


Never heard of BSRSPYL. Is that an NTLMSSP thing? From googling a little
that looks like legacy behavior. I know first hand that as soon as the
client gets a Kerberos ticket for the target server it has a session key
and can create a signature for the session setup request that Windows
2003 accepts. If we were a server we would definitely need to catch and
ignore that BSRSPYL signature. But as a client we have a choice (unless
Windows 2000 requires BSRSPYL) and therefore I would prefer that we
just create the correct signature using the session key straight away
and not bother with BSRSPYL.

Mike

On Mon, 2 Oct 2006 19:39:37 -0400
"Eric Glass" <eric.glass at gmail.com> wrote:

> It's been a looooong time since I looked at any of the extended
> security signing stuff, but I believe the initial client session setup
> stuff has the dummy "BSRSPYL" signature (and is not validated by the
> server); the server response is the first actual signed packet.
> 
> On 10/2/06, Michael B Allen <mba2000 at ioplex.com> wrote:
> > On Mon, 2 Oct 2006 11:30:06 +0100
> > "Mike Streeton" <mike.streeton at ardentia.co.uk> wrote:
> >
> > >             [Krb5LoginModule] authentication succeeded
> > > Commit Succeeded
> > >
> > > jcifs.smb.SmbException: Signature verification failed.
> > >       at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:565)
> > >       at jcifs.smb.SmbTransport.send(SmbTransport.java:662)
> > >       at jcifs.smb.SmbSession.send(SmbSession.java:252)
> > >       at jcifs.smb.SmbTree.treeConnect(SmbTree.java:147)
> >
> > Mmmm. SMB signing with Kerberos is a little different from NTLM. I
> > guess the jcifs-krb5 package doesn't have the necessary SMB signing
> > changes.  That's a pretty serious limitation. The signing code will
> > need updating. It's not terribly difficult work assuming we can get
> > the session key from JGSS but it's not something that I can do anytime
> > soon. I'm surprised the Kerberos Filter works at all considering the
> > SMB_COM_SESSION_SETUP_ANDX should be signed I think.
> >
> > Mike
> >
> > --
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> >
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
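
An added illustration, not part of the thread and not jcifs code: a sketch of SMB1-style message signing (MD5 over the key followed by the message, with the sequence number staged in the signature field) that shows the three outcomes discussed above: a real signature made with the session key, the dummy placeholder, and the "Signature verification failed" case when the two sides hold different keys. The keys, message bodies and helper names are constructed, and the 8-byte `BSRSPYL ` layout with a trailing space is an assumption.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8      # SecuritySignature field of the 32-byte SMB1 header
PLACEHOLDER = b"BSRSPYL "        # assumed layout: 7 letters plus a trailing space
SESSION_SETUP_ANDX, TREE_CONNECT_ANDX = 0x73, 0x75

def build_message(command: int, payload: bytes) -> bytes:
    """Constructed minimal SMB1 message: 32-byte header (other fields zeroed) + payload."""
    return b"\xffSMB" + bytes([command]) + bytes(27) + payload

def set_field(msg: bytes, value: bytes) -> bytes:
    """Return a copy of msg with the 8-byte signature field overwritten."""
    out = bytearray(msg)
    out[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = value
    return bytes(out)

def mac(key: bytes, msg: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(key || message), hashed with the sequence number in the field."""
    staged = set_field(msg, struct.pack("<II", seq, 0))
    return hashlib.md5(key + staged).digest()[:SIG_LEN]

def sign(key: bytes, msg: bytes, seq: int) -> bytes:
    return set_field(msg, mac(key, msg, seq))

def check(key: bytes, msg: bytes, seq: int) -> str:
    """Classify a received message: 'placeholder', 'ok' or 'failed'."""
    field = msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    if field == PLACEHOLDER:
        return "placeholder"     # dummy value, nothing to verify
    return "ok" if hmac.compare_digest(field, mac(key, msg, seq)) else "failed"

# Constructed keys: one standing in for the Kerberos session key, one for a mismatched key.
KERBEROS_KEY = bytes(range(16))
OTHER_KEY = bytes(16)

if __name__ == "__main__":
    setup = build_message(SESSION_SETUP_ANDX, b"constructed security blob")
    tree = build_message(TREE_CONNECT_ANDX, b"constructed share path")
    print(check(KERBEROS_KEY, set_field(setup, PLACEHOLDER), 0))   # dummy first request
    print(check(KERBEROS_KEY, sign(KERBEROS_KEY, setup, 0), 0))    # signed straight away
    print(check(KERBEROS_KEY, sign(OTHER_KEY, tree, 2), 2))        # key mismatch
```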

