[jcifs] NTLM Authentication issue

Dawie Human Dawie at inobits.com
Tue Aug 26 17:20:57 GMT 2008


Will read again and again and again.  That is exactly the one I am trying to follow.

Especially the part on: SMB Signatures and Windows 2003, further down the bottom.



-----Original Message-----
From: Michael B Allen [mailto:ioplex at gmail.com]
Sent: 26 August 2008 08:19 PM
To: Dawie Human
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] NTLM Authentication issue

This config is invalid in a number of ways. Please read this:

  http://jcifs.samba.org/src/docs/ntlmhttpauth.html

Mike


On Tue, Aug 26, 2008 at 1:04 PM, Dawie Human <Dawie at inobits.com> wrote:
> I agree with your statement. No one should and I will increase it right now
> if I can solve the riddle.  I am going to try the following setup:
>
> The only real change is the ssnLimit of 1, except from that we set everything we can.
>
>
> <filter>
> <filter-name>ntlm</filter-name>
> <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> <init-param>
>  <param-name>jcifs.smb.client.domainController</param-name>
>  <param-value>DCname</param-value>
> </init-param>
> <init-param>
>  <param-name>jcifs.smb.client.domain</param-name>
>  <param-value>DOMAIN</param-value>
> </init-param>
> <init-param>
>  <param-name>jcifs.netbios.wins</param-name>
>  <param-value>wins_ip_address</param-value>
> </init-param>
> <init-param>
>  <param-name>jcifs.netbios.hostname</param-name>
>  <param-value>localhostname</param-value>
> </init-param>
> <init-param>
>  <param-name>jcifs.smb.lmCompatibility</param-name>
>  <param-value>2</param-value>
> </init-param>
> <init-param>
>  <param-name>jcifs.smb.client.name</param-name>
>  <param-value>username</param-value>
> </init-param>
> <init-param>
>  <param-name>jcifs.smb.client.password</param-name>
>  <param-value>password</param-value>
> </init-param>
> <init-param>
>  <param-name>jcifs.smb.client.ssnLimit</param-name>
>  <param-value>1</param-value>
> </init-param>
> <init-param>
> <!--
>  <param-name>jcifs.smb.client.soTimeout</param-name>
>  <param-value>15000</param-value>
> </init-param>
> -->
> <init-param>
>  <param-name>jcifs.util.loglevel</param-name>
>  <param-value>2</param-value>
> </init-param>
> </filter>
>
>
>
>
> -----Original Message-----
> From: Michael B Allen [mailto:ioplex at gmail.com]
> Sent: 26 August 2008 06:26 PM
> To: Dawie Human
> Cc: jcifs at lists.samba.org
> Subject: Re: [jcifs] NTLM Authentication issue
>
> No one should ever reduce the jcifs.smb.client.soTimeout value when
> using the NTLM HTTP Filter.
>
> I don't know where people got the idea of reducing soTimeout but just
> in case someone reads this thread and thinks it's something they
> should try I think it's important that I speak up and say clearly that
> it's not something anyone should ever do. The soTimeout says "close
> the transport after soTimeout milliseconds". So even though you think
> you're making your SMB signing problem better (because it
> reinitializes the transport for each authentication) you're not fixing
> anything and in fact you're making things worse because you're greatly
> increasing the chance that the transport will close in the middle of
> an authentication (aka the "hiccup" bug).
>
> Mike
>
> On Tue, Aug 26, 2008 at 6:58 AM, David Human <Dawie at inobits.com> wrote:
>>
>> We have the same kind of issue here.  Changing the soTimeout to very low
>> values solves the problem, but I am afraid it is only masking the issue and
>> not solving it.  Under high loads on the server, the 500 is too much and we
>> have found a stable value at soTimeout = 200.  The problem with this logic
>> is that soTimeout is supposed to support multiple sessions over the same
>> channel.  Now you have a small value and I suspect, this will increase the
>> load somewhere and when you run into high latency networking, it will cause
>> logon problems.
>>
>> David Human
>>
>>
>> Michael B Allen-4 wrote:
>>>
>>> That won't work since either the socket will close before a response
>>> is received or under load you'll get two authentication requests within
>>> 500ms.
>>>
>>> You must use preauthentication.
>>>
>>> Mike
>>>
>>> On Wed, 29 Nov 2006 08:55:48 -0500
>>> "Anoop Prakash" <anoopatul at gmail.com> wrote:
>>>
>>>> Thanks Jonathan,
>>>>
>>>> I tried out changing the soTimeOut to 500 milliseconds and it seems to be
>>>> running fine now.
>>>>
>>>>
>>>> On 11/28/06, Jonathan Trumbull <jonathan.trumbull at gmail.com> wrote:
>>>> >
>>>> > Anoop,
>>>> >
>>>> > You probably need to specify a set of domain credentials explicitly
>>>> > for preauthentication. We usually just setup a service account just
>>>> > for this.
>>>> >
>>>> > see http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing
>>>> >
>>>> > <init-param>
>>>> >   <param-name>jcifs.smb.client.username</param-name>
>>>> >   <param-value>SomeServiceAccount</param-value>
>>>> > </init-param>
>>>> >
>>>> > <init-param>
>>>> >   <param-name>jcifs.smb.client.password</param-name>
>>>> >   <param-value>SomeServiceAccountPassword</param-value>
>>>> > </init-param>
>>>> >
>>>> > --Jonathan
>>>> >
>>>> > On 11/28/06, Anoop Prakash <anoopatul at gmail.com> wrote:
>>>> > >
>>>> > >
>>>> > > Hello  Mike,
>>>> > >
>>>> > >
>>>> > > We got your reference from the jcifs mailing list. We found out an
>>>> > > issue in the mailing list that is similar to the problem we are
>>>> > > facing while accessing our application using the JCIFS NTLM
>>>> > > authentication. When multiple users try accessing our application
>>>> > > concurrently, only one of the users will be allowed to log in. The
>>>> > > others are shown the NTLM authentication box again and again, even
>>>> > > though they enter the right credentials. The application is a struts
>>>> > > based J2EE application and we are using JCIFS version 1.2.8. We tried
>>>> > > doing the instructions given in the link -
>>>> > > http://lists.samba.org/archive/jcifs/2006-June/006304.html . We are
>>>> > > using a domain controller also in this. I am pasting below a part of
>>>> > > the web.xml for the application.
>>>> > >
>>>> > >
>>>> > >
>>>> > > <filter>
>>>> > >   <filter-name>NtlmHttpFilter</filter-name>
>>>> > >   <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>>>> > >   <init-param>
>>>> > >     <param-name>jcifs.http.domainController</param-name>
>>>> > >     <param-value>CORPDC3</param-value>
>>>> > >   </init-param>
>>>> > >   <init-param>
>>>> > >     <param-name>jcifs.smb.lmCompatibility</param-name>
>>>> > >     <param-value>3</param-value>
>>>> > >   </init-param>
>>>> > > </filter>
>>>> > >
>>>> > >
>>>> > >
>>>> > > It would be great if you could let us know what could be the
>>>> > > issue. Please let us know if you need any more details on this.
>>>> > >
>>>> > >
>>>> > >
>>>> > > Thanks,
>>>> > >
>>>> > > Anoop
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > [jcifs] NTLM Authentication problem
>>>> > > Mike Streeton mike.streeton at ardentia.co.uk
>>>> > > Thu Jun 22 06:51:43 GMT 2006
>>>> > >
>>>> > >
>>>> > >
>>>> > > We had problems with some people being able to connect but not others,
>>>> > > even though they have exactly the same config (XP pro), we got round
>>>> > > them by setting the following:
>>>> > >
>>>> > >
>>>> > > Configure the JCIFS parameter jcifs.smb.lmCompatibility try setting it
>>>> > > to 3, 4 or 5
>>>> > >
>>>> > > Configure the JCIFS parameter jcifs.netbios.hostname to be the local
>>>> > > machine
>>>> > >
>>>> > >
>>>> > >
>>>> > > Set the API documentation on how to do this:
>>>> > >
>>>> > > http://jcifs.samba.org/src/docs/api/
>>>> > >
>>>> > >
>>>> > >
>>>> > > If this does not work post the config/error logs etc and Michael is
>>>> very
>>>> > >
>>>> > > helpful and can usually put you right.
>>>> > >
>>>> > >
>>>> > >
>>>> > > Thanks
>>>> > >
>>>> > >
>>>> > >
>>>> > > Mike
>>>> > >
>>>> > >
>>>> > >
>>>> > > www.ardentia.com the home of NetSearch
>>>> > >
>>>> > > ________________________________
>>>> > >
>>>> > >
>>>> > > From: jcifs-bounces+mike.streeton=ardentia.co.uk at lists.samba.org
>>>> > >
>>>> > > [mailto:jcifs-bounces+mike.streeton=
>>>> > > ardentia.co.uk at lists.samba.org] On
>>>> > > Behalf Of Publius Ismanescu
>>>> > > Sent: 21 June 2006 21:25
>>>> > > To:
>>>> > > jcifs at lists.samba.org
>>>> > > Subject: [jcifs] NTLM Authentication problem
>>>> > >
>>>> > >
>>>> > >
>>>> > > Hi everybody,
>>>> > >
>>>> > > I have a situation where the NTLM authentication fails. I will
>>>> explain
>>>> > > my configuration and the tests we did.
>>>> > >
>>>> > >
>>>> > > We have a weblogic server on AIX server and we use jcifs for NTLM
>>>> > > authentication. The users that access the website, they all have
>>>> windows
>>>> > > desktops, with IE installed.
>>>> > > All users can access the website properly. The problem starts when we
>>>> > > want to let users from outside the company connect.
>>>> > >
>>>> > > The external user connect to a metaframe (Citrix) and they use the IE
>>>> > > browser on the metaframe server to connect to the internal website.
>>>> > > The users are prompted with a login dialog to enter their user ID and
>>>> > >
>>>> > > password. After entering the information they get a server or DNS
>>>> error.
>>>> > >
>>>> > > After we turned the loglevel to see more info from jcifs, it looks
>>>> like
>>>> > > the 3-rd handshake does not take place.
>>>> > >
>>>> > > Installing Firefox on the metaframe server and testing the
>>>> > >
>>>> > > access,everything is working.
>>>> > > Using IE to connect to a second metaframe server it works also. IE
>>>> > > versions on the 2 metaframes is the same.
>>>> > >
>>>> > >
>>>> > > Can anybody help with some IE settings or give me some tips on what
>>>> else
>>>> > >
>>>> > > to look for to solve this.
>>>> > >
>>>> > >
>>>> > > Thank you
>>>> > >
>>>> > >
>>>> > > --
>>>> > > Publius Ismanescu
>>>> > > http://publius.wwdb.biz
>>>> > >
>>>> > > email: publiusi at gmail.com
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> >
>>>>
>>>
>>>
>>> --
>>> Michael B Allen
>>> PHP Active Directory SSO
>>> http://www.ioplex.com/
>>>
>>>
>>
>>
>>
>
>
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
>



--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
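
The two points the thread keeps returning to, explicit preauthentication credentials and never lowering `jcifs.smb.client.soTimeout`, can be checked mechanically against a deployment descriptor. The following is an added example, not part of the original thread or of jCIFS: the function names are hypothetical, the 15000 ms baseline is an assumption taken from the commented-out value in the config quoted above, and the `web.xml` is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Assumed baseline: the 15000 ms value shown (commented out) in the thread.
SO_TIMEOUT_BASELINE_MS = 15000
PREAUTH_KEYS = ("jcifs.smb.client.username", "jcifs.smb.client.password")

# Constructed sample, modelled on the configs quoted in the thread.
SAMPLE_WEB_XML = """
<filter>
  <filter-name>ntlm</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
  <init-param>
    <param-name>jcifs.smb.client.name</param-name>
    <param-value>username</param-value>
  </init-param>
  <init-param>
    <param-name>jcifs.smb.client.password</param-name>
    <param-value>password</param-value>
  </init-param>
  <init-param>
    <param-name>jcifs.smb.client.soTimeout</param-name>
    <param-value>200</param-value>
  </init-param>
</filter>
"""

def filter_params(web_xml):
    """Yield {param-name: param-value} for each jcifs.http.NtlmHttpFilter."""
    root = ET.fromstring(web_xml)
    for flt in root.iter("filter"):
        if (flt.findtext("filter-class") or "").strip() == "jcifs.http.NtlmHttpFilter":
            yield {(p.findtext("param-name") or "").strip():
                   (p.findtext("param-value") or "").strip() for p in flt.iter("init-param")}

def audit(web_xml):
    """Return findings for missing preauth credentials and a lowered soTimeout."""
    findings = []
    for params in filter_params(web_xml):
        for key in PREAUTH_KEYS:
            if not params.get(key):
                findings.append(f"missing preauthentication credential: {key}")
        timeout = params.get("jcifs.smb.client.soTimeout")
        if timeout is not None and (not timeout.isdigit() or int(timeout) < SO_TIMEOUT_BASELINE_MS):
            findings.append(f"soTimeout reduced or invalid: {timeout}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML):
        print(finding)
```
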

