[jcifs] Domain Controller and PreAuth

Brown, Melonie mbrown at microstrategy.com
Thu Sep 27 02:25:47 GMT 2007 

Mike,
 
(Thanks for the speedy response).
 
I have a custom web application that uses JCIFS to retrieve the logged in user.   In one particular environment (Windows 2003 domain controller or just a Windows 2000 box on the network, Tomcat on AIX), the second user accessing the web application intermittently gets the dreaded windows login popup.  I've tried multiple combinations of property settings, but haven't been able to find the right one.
 
pre-auth was definitely tried, but I'm pretty sure it was tried in conjunction with the domain controller setting.   The notes in the original post said that jcifs.netbios.lmhosts could be used to refer to a file.   The wins parameter allows for multiple addresses to be specified.    If the lmhosts option is used, can you have more than one domain controller in the lmhosts file? 
________________________________


On Wed, 26 Sep 2007 14:33:46 -0400
"Brown, Melonie"  wrote:

> There's an older post to the list (copied below) that says preauth and domaincontroller do not work. 
> 
> Has this been resolved?

I don't recall changing anything wrt that.

Mike

> [I wasn't sure from the descriptions of the changes from the various releases. ]
> -------------------------------------------------------------
> >On Thu, 19 Jan 2006 16:20:41 +0000
> >João Mota <jmota at criticalsoftware.com <https://lists.samba.org/mailman/listinfo/jcifs> > wrote:
> >
> > 
> >
> >>Hello,
> >>
> >>I am having some problems getting transparent authentication to work
> >>with NtlmHttpFilter jcifs-1.2.7, it seems that IE is failling the
> >>negotiation.
> >>The domain Controller is a windows 2003 server.
> >>
> >>The error that shows in the log at the same time that the dialog box to
> >>enter username/password shows up is (i replaced the sensitive data for a
> >>meaningfull word in caps):
> >>     NtlmHttpFilter: DOMAIN\USERLOGIN: 0xC0000022:
> >>jcifs.smb.SmbAuthException: Access is denied.
> >>   
> >>
> >
> >No doubt this is an SMB signing issue. You need "preauthentication".
> >
> > 
> >
> >>Filling in the user and password in the dialog box, the authentication
> >>works ok.
> >>
> >>My questions are:
> >>1) Is it possible to have transparent authentication with the
> >>jcifs.http.domainController specified ?
> >>   
> >>
> >
> >No, it was recently discoverd that preauthentication only works if
> >jcifs.http.domainController is NOT used. I would use:
> >
> > 
> >
> >>   <filter>
> >>        <filter-name>NtlmHttpFilter</filter-name>
> >>        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >>    <init-param>
> >>        <param-name>jcifs.netbios.wins</param-name>
> >>        <param-value>IP</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.smb.client.domain</param-name>
> >>        <param-value>DOMAIN</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.smb.client.username</param-name>
> >>        <param-value>USER</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.smb.client.password</param-name>
> >>        <param-value>PASSWORD</param-value>
> >>        </init-param>
> >>    <init-param>
> >>        <param-name>jcifs.util.loglevel</param-name>
> >>        <param-value>2</param-value>
> >>        </init-param>
> >>   
> >>
> >
> >If you don't have wins then you could try setting jcifs.netbios.lmhosts
> >[1] to a file that maps the IP you had for domainController to DOMAIN.
> >
> >Otherwise, we need to fix the code so that preauth works with
> >domainController. It's on The List.
> >
> >Mike
> >
> >http://jcifs.samba.org/src/docs/resolver.html
> >
> >
> >
> > 
> >
>


--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/


-------------- next part --------------
HTML attachment scrubbed and removed

More information about the jcifs mailing list