[jcifs] Domain Controller and PreAuth

Michael B Allen miallen at ioplex.com
Wed Sep 26 21:00:09 GMT 2007 

On Wed, 26 Sep 2007 14:33:46 -0400
"Brown, Melonie" <mbrown at microstrategy.com> wrote:

> There's an older post to the list (copied below) that says preauth and domaincontroller do not work.  
>  
> Has this been resolved?

I don't recall changing anything wrt that.

Mike

> [I wasn't sure from the descriptions of the changes from the various releases. ]
> -------------------------------------------------------------
> >On Thu, 19 Jan 2006 16:20:41 +0000
> >João Mota <jmota at criticalsoftware.com <https://lists.samba.org/mailman/listinfo/jcifs> > wrote:
> >
> >  
> >
> >>Hello,
> >>
> >>I am having some problems getting transparent authentication to work 
> >>with NtlmHttpFilter jcifs-1.2.7, it seems that IE is failling the 
> >>negotiation.
> >>The domain Controller is a windows 2003 server.
> >>
> >>The error that shows in the log at the same time that the dialog box to 
> >>enter username/password shows up is (i replaced the sensitive data for a 
> >>meaningfull word in caps):
> >>     NtlmHttpFilter: DOMAIN\USERLOGIN: 0xC0000022: 
> >>jcifs.smb.SmbAuthException: Access is denied.
> >>    
> >>
> >
> >No doubt this is an SMB signing issue. You need "preauthentication".
> >
> >  
> >
> >>Filling in the user and password in the dialog box, the authentication 
> >>works ok.
> >>
> >>My questions are:
> >>1) Is it possible to have transparent authentication with the 
> >>jcifs.http.domainController specified ?
> >>    
> >>
> >
> >No, it was recently discoverd that preauthentication only works if
> >jcifs.http.domainController is NOT used. I would use:
> >
> >  
> >
> >>   <filter>
> >>        <filter-name>NtlmHttpFilter</filter-name>
> >>        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >>    <init-param>
> >>        <param-name>jcifs.netbios.wins</param-name>
> >>        <param-value>IP</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.smb.client.domain</param-name>
> >>        <param-value>DOMAIN</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.smb.client.username</param-name>
> >>        <param-value>USER</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.smb.client.password</param-name>
> >>        <param-value>PASSWORD</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.util.loglevel</param-name>
> >>        <param-value>2</param-value>
> >>        </init-param>
> >>    
> >>
> >
> >If you don't have wins then you could try setting jcifs.netbios.lmhosts
> >[1] to a file that maps the IP you had for domainController to DOMAIN.
> >
> >Otherwise, we need to fix the code so that preauth works with
> >domainController. It's on The List.
> >
> >Mike
> >
> >http://jcifs.samba.org/src/docs/resolver.html
> >
> >
> >
> >  
> >
> 


-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

More information about the jcifs mailing list