[jcifs] Re: ACLs - SmbException: Incorrect function / DFS and signing

Thomas Bley thomas.bley at simple-groupware.de
Wed Jun 27 03:29:46 GMT 2007 

Hello Mike,

Great!

I am making progress with the problem of "Access denied" with DFS and 
signing.
When a dfs server requires signing (e.g. Win2k3 R2), all connections end 
in "access denied" after connecting to a second server and coming back 
to the dfs server.
Using a disconnect before opening a new connection seems to fix the 
problem, what do you think about it ?

smbfile.java:
// perform a disconnect before connecting to another server

UniAddress currAddr;

try {
    addr = UniAddress.getByName( dr.server );
    currAddr = getAddress();
} catch( UnknownHostException uhe ) {
    throw new SmbException( dr.server, uhe );
}

if (!addr.equals(currAddr)) {
    try {
        tree.session.transport.disconnect(true);
    } catch (IOException e) {
        throw new SmbException( "Failed to disconnect !!", e);
    }
}

trans = SmbTransport.getSmbTransport( addr, url.getPort() );
tree = trans.getSmbSession( auth ).getSmbTree( dr.share, null );


SmbTransport.java:
// set address to null to avoid reusing a closed connection
protected void doDisconnect( boolean hard ) throws IOException {
    ListIterator iter = sessions.listIterator();
    while (iter.hasNext()) {
        SmbSession ssn = (SmbSession)iter.next();
        ssn.logoff( hard );
    }
    socket.shutdownOutput();
    out.close();
    in.close();
    socket.close();
    // connection may not be reused
    this.address = null;
    digest = null;
}

Best regards,
Thomas


Michael B Allen wrote:
> Yup. I have the code using WriteAndX/ReadAndX for the Bind now. Jake is
> going to try it.
>
> Keep you posted,
> Mike
>
> On Wed, 27 Jun 2007 03:31:29 +0200
> Thomas Bley <thomas.bley at simple-groupware.de> wrote:
>
>   
>> Hello,
>>
>> I have the same problem. Here is what I found out so far:
>> When Windows explorer is the client, it starts the DCERPC with the 
>> command "Write AndX" (0x2f).
>> When JCIFS is the client, it starts DCERPC with "TransactNmPipe" (0x0026).
>> Windows servers and Samba understand the TransactNmPipe very well, but 
>> for some reason NetApp doesn't.
>> My tests were made with a NetApp FAS3050; OS-Version Ontap 7.1.1.
>>
>> If the error is happening, jCIFS falls back to NetShareEnum methods 
>> which resolve share names, but without unicode characters and only up to 
>> 12 characters in length.
>> Maybe it is an older method which requires some compatibility setting 
>> enabled in the NetApp machine (maybe sth. like enable WindowsNT 
>> compatibility, enable namedpipe rpcs, etc.). Do you have any idea or 
>> maybe you can even ask the NetApp support for this ?
>> (if required, I can provide some Ethereal traces)
>>
>> bye
>> Thomas
>>
>>
>>
>> Jake Goulding wrote:
>>     
>>> It is a NetApp SAN, and it is configured with local groups, which 
>>> would lead me to think that this type of function would be 
>>> implemented. For what it's worth, a user from the Windows Explorer can 
>>> right-click and see resolved local groups.
>>>
>>> Michael B Allen wrote:
>>>       
>>>> Hey Jake,
>>>>
>>>> That looks like the server doesn't understand DCERPC. Like Novell
>>>> maybe. But I would have to see a trace to confirm.
>>>>
>>>> Mike
>>>>
>>>> On Mon, 25 Jun 2007 09:43:17 -0400
>>>> Jake Goulding <goulding at vivisimo.com> wrote:
>>>>
>>>>  
>>>>         
>>>>> Trying to retrieve some ACLs for a file, I get the following 
>>>>> Exception. Does this ring a bell for anyone? I'm working on getting 
>>>>> more information about the particular setup being used, but I 
>>>>> figured I could check here first.
>>>>>
>>>>> com.vivisimo.connector.SMBConnector$SMBException: Could not get the ACL
>>>>>     at 
>>>>> com.vivisimo.connector.SMBConnector.setACL(SMBConnector.java:315)
>>>>>     at 
>>>>> com.vivisimo.connector.SMBConnector.processFile(SMBConnector.java:293)
>>>>>     at 
>>>>> com.vivisimo.connector.SMBConnector.processNode(SMBConnector.java:102)
>>>>>     at 
>>>>> com.vivisimo.connector.ConnectorWorker.run(ConnectorWorker.java:502)
>>>>> Caused by: jcifs.smb.SmbException: Incorrect function.
>>>>>     at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:514)
>>>>>     at jcifs.smb.SmbTransport.send(SmbTransport.java:591)
>>>>>     at jcifs.smb.SmbSession.send(SmbSession.java:239)
>>>>>     at jcifs.smb.SmbTree.send(SmbTree.java:109)
>>>>>     at jcifs.smb.SmbFile.send(SmbFile.java:693)
>>>>>     at
>>>>> jcifs.smb.TransactNamedPipeOutputStream.write(TransactNamedPipeOutputStream.java:67) 
>>>>>
>>>>>     at 
>>>>> jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:50)
>>>>>     at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:162)
>>>>>     at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:129)
>>>>>     at 
>>>>> jcifs.dcerpc.msrpc.LsaPolicyHandle.<init>(LsaPolicyHandle.java:32)
>>>>>     at jcifs.smb.SID.resolveSids0(SID.java:119)
>>>>>     at jcifs.smb.SID.resolveSids(SID.java:162)
>>>>>     at jcifs.smb.SmbFile.processAces(SmbFile.java:2626)
>>>>>     at jcifs.smb.SmbFile.getSecurity(SmbFile.java:2660)
>>>>>     at 
>>>>> com.vivisimo.connector.SMBConnector.setACL(SMBConnector.java:313)
>>>>>     ... 3 more
>>>>>
>>>>>     
>>>>>           
>>>>   
>>>>         
>
>
>

More information about the jcifs mailing list