[jcifs] LsaLookupNames

Thu Jan 31 13:37:59 GMT 2008

Dears,

I patched the jcifs package in order to implement an
LsaLookupNames-equivalent functionality.

It seems to work and I'm about to send a patch to the jcifs project.
However, I'm facing a problem which I don't know how to circumvent.

I began implementing the LsaLookupNames due to the fact that I need to map
domain group names to web roles. Thereby, I first use the well-known
NtlmHttpFilter in order to log on, then I would like to issue my
LsaLookupNames by using an LsaPolicyHandle based on the very same
NtlmPasswordAuthentication that NtlmHttpFilter saves as a session
attributes.

In facts, I would like to do something like this:

	HttpServletRequest req = ...
	HttpSession ssn = req.getSession(false);
	NtlmPasswordAuthentication ntlm =
(NtlmPasswordAuthentication)ssn.getAttribute("NtlmHttpAuth");
	try {
	    DcerpcHandle dceHandle = DcerpcHandle.getHandle(
		"ncacn_np:testbed.local[\\PIPE\\lsarpc]",
		ntlm
	    );
	    LsaPolicyHandle lsaHandle = new LsaPolicyHandle(
		dceHandle,
		"\\\\testbed",
		0x00000800
	    );
	    SID sids[] = SID.getFromNames(
		dceHandle,
		lsaHandle,
		new String[] { "MyWebAllowedUserGroup" }
	    );
	} catch(IOException ex) {
	    throw new RuntimeException("Can't map domain names to SIDs",
ex);
	}

The problem is that this doesn't work and the above code throws a
"jcifs.smb.SmbAuthException: Invalid access to memory location" at
jcifs.smb.SmbComSessionSetupAndX.<init> (SmbComSessionSetupAndX.java:44).

It merely seems I can't use the ntlm which NtlmHttpFilter successfully used
against SmbSession.logon(...).

I would like to avoid using a pre-defined username and password in order to
issue my name lookups, thereby I would like to know how to establish an RPC
session using the same authoritative things SmbSession.logon() uses or,
even, if there is a way to obtain some kind of authoritative tokens from SMB
such that it can be used in building a DcerpcHandle.

Regards,

Giampaolo