[jcifs] Meaning / usage of "ssnLimit"

Michael B Allen ioplex at gmail.com
Wed Dec 10 17:10:29 GMT 2008


Looks like pre-authentication is simply failing. If you're certain
that it's the right password my suspicion would be that the DC
requires NTLMv2.  But the JCIFS NTLM HTTP Authentication Filter does
not and will never support NTLMv2 (technically the preauth step could
work with NTLMv2 since you have the password but that wouldn't do you
much good since the Filter still wouldn't work).

Of course I don't know what the problem is. This is just a guess.

Also, as I've said many times, setting ssnLimit=1 is not a good idea.
It's unfortunate that it's been flagged as a solution by people
googling around and then reposting it.

Mike

On Wed, Dec 10, 2008 at 8:24 AM,  <Sascha_Klamm at tonbeller.com> wrote:
> Hi everyone,
>
> we're using jcifs 1.3.1 in our webapps... in our own domain (win 2003
> server) this always used to work pretty well. At a customer's installation
> we had the problem: "first user can login, second cannot" with the second
> (and following) users getting "access denied" messages - the problem was
> solved by using pre-authentication like it was recommended
> (http://jcifs.samba.org/src/docs/ntlmhttpauth.html, "SMB Signatures and
> Windows 2003"). This worked for the customer's test environment. In
> production (other server, same DC - we're trying to find the exact
> differences in the environment at the moment), the problem is back again,
> even with pre-auth. On our way looking for solutions we found the
> parameter "jcifs.smb.client.ssnLimit" described as an alternative to
> pre-auth. However - using this parameter always leads to errors, even in
> our own domain (which until now worked well with several different
> configurations).
>
> So we'd like to know what this parameter really does, why it doesn't work
> for us (which is why we don't even try it in the customer's production
> environment), and if it can be a solution to the problem at all.
>
>
> Configuration:
> - tomcat 4.1.36
> - jcifs 1.3.1
> - web.xml (without pre-auth here, since it makes no difference - it works
> if we disable the ssnLimit):
>  <filter>
>    <filter-name>NtlmHttpFilter</filter-name>
>    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>    <init-param>
>      <param-name>jcifs.http.domainController</param-name>
>      <param-value>tbntsrv.tonbeller.com</param-value>
>    </init-param>
>    <init-param>
>        <param-name>jcifs.util.loglevel</param-name>
>        <param-value>6</param-value>
>    </init-param>
>    <init-param>
>        <param-name>jcifs.smb.client.ssnLimit</param-name>
>        <param-value>1</param-value>
>    </init-param>
>  </filter>
>
>
> Error:
> For every login try the user gets a dialog to enter his credentials. If he
> does, the dialog reappears. This creates the following trace:
>
> SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=1,wordCount=0,byteCount=12,wordCount=0,dialects=NT
> LM 0.12]
> 00000: FF 53 4D 42 72 00 00 00 00 18 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
> 00020: 00 0C 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00     |....NT LM 0.12. |
>
> New data read: Transport1[tbntsrv.tonbeller.com/193.203.163.80:0]
> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
>
> byteCount=34 but readBytesWireFormat returned 16
> SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=1,wordCount=17,byteCount=34,wordCount=17,dialectIndex=0,securityMode=0x7,security=user,encryptedPasswords=true,maxMpxCount=50,maxNumberVcs=1,maxBufferSize=16644,maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0001F3FD,serverTime=Wed
> Dec 10 11:58:51 CET
> 2008,serverTimeZone=65476,encryptionKeyLength=8,byteCount=34,oemDomainName=TBNT]
> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
> 00020: 11 00 00 07 32 00 01 00 04 41 00 00 00 00 01     |....2....A..... |
>
> SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=1,wordCount=0,byteCount=12,wordCount=0,dialects=NT
> LM 0.12]
> 00000: FF 53 4D 42 72 00 00 00 00 18 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
> 00020: 00 0C 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00     |....NT LM 0.12. |
>
> New data read: Transport2[tbntsrv.tonbeller.com/193.203.163.80:0]
> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
>
> byteCount=34 but readBytesWireFormat returned 16
> SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=1,wordCount=17,byteCount=34,wordCount=17,dialectIndex=0,securityMode=0x7,security=user,encryptedPasswords=true,maxMpxCount=50,maxNumberVcs=1,maxBufferSize=16644,maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0001F3FD,serverTime=Wed
> Dec 10 11:58:51 CET
> 2008,serverTimeZone=65476,encryptionKeyLength=8,byteCount=34,oemDomainName=TBNT]
> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
> 00020: 11 00 00 07 32 00 01 00 04 41 00 00 00 00 01     |....2....A..... |
>
> SmbComNegotiate[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=1,wordCount=0,byteCount=12,wordCount=0,dialects=NT
> LM 0.12]
> 00000: FF 53 4D 42 72 00 00 00 00 18 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
> 00020: 00 0C 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00     |....NT LM 0.12. |
>
> New data read: Transport3[tbntsrv.tonbeller.com/193.203.163.80:0]
> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
>
> byteCount=34 but readBytesWireFormat returned 16
> SmbComNegotiateResponse[command=SMB_COM_NEGOTIATE,received=false,errorCode=0,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=1,wordCount=17,byteCount=34,wordCount=17,dialectIndex=0,securityMode=0x7,security=user,encryptedPasswords=true,maxMpxCount=50,maxNumberVcs=1,maxBufferSize=16644,maxRawSize=65536,sessionKey=0x00000000,capabilities=0x0001F3FD,serverTime=Wed
> Dec 10 11:58:51 CET
> 2008,serverTimeZone=65476,encryptionKeyLength=8,byteCount=34,oemDomainName=TBNT]
> 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 01 00  |..........·x....|
> 00020: 11 00 00 07 32 00 01 00 04 41 00 00 00 00 01     |....2....A..... |
>
> treeConnect: unc=\\tbntsrv.tonbeller.com\IPC$,service=?????
> sessionSetup: accountName=skl,primaryDomain=TBNT
> SmbComSessionSetupAndX[command=SMB_COM_SESSION_SETUP_ANDX,received=false,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=2,wordCount=13,byteCount=101,andxCommand=0x75,andxOffset=162,snd_buf_size=16644,maxMpxCount=10,VC_NUMBER=1,sessionKey=0,lmHash.length=24,ntHash.length=24,capabilities=4180,accountName=skl,primaryDomain=TBNT,NATIVE_OS=Windows
> XP,NATIVE_LANMAN=jCIFS]
> SmbComTreeConnectAndX[command=SMB_COM_TREE_CONNECT_ANDX,received=false,errorCode=0,flags=0x0018,flags2=0x0000,signSeq=0,tid=0,pid=30970,uid=0,mid=0,wordCount=4,byteCount=65,andxCommand=0xFF,andxOffset=0,disconnectTid=false,passwordLength=1,password=,path=\\tbntsrv.tonbeller.com\IPC$,service=?????]
>
> New data read: Transport3[tbntsrv.tonbeller.com/193.203.163.80:0]
> 00000: FF 53 4D 42 73 6D 00 00 C0 98 03 C0 00 00 00 00  | SMBsm..+..+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 02 00  |..........·x....|
>
> SmbComSessionSetupAndXResponse[command=SMB_COM_SESSION_SETUP_ANDX,received=false,errorCode=Logon
> failure: unknown user name or bad
> password.,flags=0x0098,flags2=0xC003,signSeq=0,tid=0,pid=30970,uid=0,mid=2,wordCount=0,byteCount=0,andxCommand=0xFF,andxOffset=0,isLoggedInAsGuest=false,nativeOs=,nativeLanMan=,primaryDomain=]
> 00000: FF 53 4D 42 73 6D 00 00 C0 98 03 C0 00 00 00 00  | SMBsm..+..+....|
> 00010: 00 00 00 00 00 00 00 00 00 00 FA 78 00 00 02 00  |..........·x....|
> 00020: 00 00 00                                         |...             |
>
> NtlmHttpFilter: TBNT\skl: 0xC000006D: jcifs.smb.SmbAuthException: Logon
> failure: unknown user name or bad password.
>
>
> Thanks in advance for any hints :)
>
>
> Greetings
> Sascha



-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
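
The two response packets in the quoted trace can be decoded directly from their hex dumps. The following is an added example, not part of either message and not jCIFS code; the function and constant names are hypothetical, and the byte strings are copied from the (truncated) dumps in the trace. It reads the fixed SMB1 header and the first negotiate-response parameter words to show the NT status, whether the packet is signed, and what the DC advertises in securityMode.

```python
import struct

# Bytes copied from the response hex dumps in the quoted trace (truncated there).
NEGOTIATE_RESPONSE = bytes.fromhex(
    "FF534D4272000000009803C000000000"
    "00000000000000000000FA7800000100"
    "110000073200010004410000000001")
SESSION_SETUP_RESPONSE = bytes.fromhex(
    "FF534D42736D0000C09803C000000000"
    "00000000000000000000FA7800000200"
    "000000")

NT_STATUS = {0x00000000: "STATUS_SUCCESS", 0xC000006D: "STATUS_LOGON_FAILURE"}
SECURITY_MODE = {0x01: "user-level security", 0x02: "challenge/response",
                 0x04: "signing enabled", 0x08: "signing required"}
FLAGS2_SIGNED = 0x0004  # SMB_FLAGS2_SMB_SECURITY_SIGNATURE: this packet is signed


def parse_header(pkt):
    """Decode the fixed 32-byte SMB1 header (little-endian fields)."""
    if len(pkt) < 32 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", pkt, 4)
    pid, uid, mid = struct.unpack_from("<HHH", pkt, 26)
    return {"command": command, "status": status,
            "status_name": NT_STATUS.get(status, "0x%08X" % status),
            "flags": flags, "flags2": flags2,
            "signed": bool(flags2 & FLAGS2_SIGNED),
            "pid": pid, "uid": uid, "mid": mid}


def parse_negotiate_response(pkt):
    """Decode the leading parameter words of an NT LM 0.12 negotiate response."""
    hdr = parse_header(pkt)
    if hdr["command"] != 0x72 or len(pkt) < 44:
        raise ValueError("not a usable SMB_COM_NEGOTIATE response")
    words, dialect, mode, max_mpx, max_vcs, max_buf = struct.unpack_from(
        "<BHBHHI", pkt, 32)
    hdr.update(word_count=words, dialect_index=dialect, security_mode=mode,
               security_mode_bits=[n for b, n in SECURITY_MODE.items() if mode & b],
               signing_required=bool(mode & 0x08),
               max_mpx_count=max_mpx, max_number_vcs=max_vcs,
               max_buffer_size=max_buf)
    return hdr


if __name__ == "__main__":
    print(parse_negotiate_response(NEGOTIATE_RESPONSE))
    print(parse_header(SESSION_SETUP_RESPONSE))
```

For this trace the decoder reports securityMode 0x7 (signing enabled but not required), unsigned packets, and 0xC000006D on the session setup, matching the fields jCIFS printed at loglevel 6.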

