[jcifs] LsaLookupNames

Michael B Allen miallen at ioplex.com
Thu Jan 31 16:11:48 GMT 2008


On Thu, 31 Jan 2008 14:37:59 +0100
"Giampaolo Tomassoni" <Giampaolo at Tomassoni.biz> wrote:

> Dears,
> 
> I patched the jcifs package in order to implement an
> LsaLookupNames-equivalent functionality.
> 
> It seems to work and I'm about to send a patch to the jcifs project.
> However, I'm facing a problem which I don't know how to circumvent.
> 
> I began implementing the LsaLookupNames due to the fact that I need to map
> domain group names to web roles. Thereby, I first use the well-known
> NtlmHttpFilter in order to log on, then I would like to issue my
> LsaLookupNames by using an LsaPolicyHandle based on the very same
> NtlmPasswordAuthentication that NtlmHttpFilter saves as a session
> attribute.
> 
> In fact, I would like to do something like this:
> 
> 	HttpServletRequest req = ...
> 	HttpSession ssn = req.getSession(false);
> 	NtlmPasswordAuthentication ntlm = (NtlmPasswordAuthentication)ssn.getAttribute("NtlmHttpAuth");
> 	try {
> 	    DcerpcHandle dceHandle = DcerpcHandle.getHandle(
> 		"ncacn_np:testbed.local[\\PIPE\\lsarpc]",
> 		ntlm
> 	    );
> 	    LsaPolicyHandle lsaHandle = new LsaPolicyHandle(
> 		dceHandle,
> 		"\\\\testbed",
> 		0x00000800
> 	    );
> 	    SID sids[] = SID.getFromNames(
> 		dceHandle,
> 		lsaHandle,
> 		new String[] { "MyWebAllowedUserGroup" }
> 	    );
> 	} catch(IOException ex) {
> 	    throw new RuntimeException("Can't map domain names to SIDs", ex);
> 	}
> 
> The problem is that this doesn't work and the above code throws a
> "jcifs.smb.SmbAuthException: Invalid access to memory location" at
> jcifs.smb.SmbComSessionSetupAndX.<init> (SmbComSessionSetupAndX.java:44).

Hi Giampaolo,

The NPA is specific to the server challenge with which it was created and thus specific to a particular server.

However, since the particular server happens to be a domain controller, in theory, it should work. You just need to build the DcerpcHandle with the SmbTransport object that the challenge is bound to. Maybe you can create a new DcerpcHandle.getHandle() that takes the SmbTree or SmbSession or SmbTransport?

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
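
Why a cached credential fails on a fresh connection, as an added example that is not part of the original thread and is not jcifs code: it models a challenge-bound response with the NTLMv2 HMAC-MD5 construction (the filter may negotiate a different response type). The class and method names are hypothetical, and the NT hash, account, domain and client blob are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration (hypothetical names, not jcifs code): a response computed
// for one server challenge does not verify against a different challenge.
public class ChallengeBinding {
    static byte[] rnd(int n) { byte[] b = new byte[n]; new SecureRandom().nextBytes(b); return b; }

    static byte[] hmacMd5(byte[] key, byte[]... parts) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(key, "HmacMD5"));
        for (byte[] p : parts) mac.update(p);
        return mac.doFinal();
    }

    // NTLMv2 response key: HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)).
    static byte[] responseKey(byte[] ntHash, String user, String domain)
            throws GeneralSecurityException {
        String id = user.toUpperCase(Locale.ROOT) + domain;
        return hmacMd5(ntHash, id.getBytes(StandardCharsets.UTF_16LE));
    }

    // Proof sent by the client: HMAC-MD5(key, serverChallenge || clientBlob).
    static byte[] proof(byte[] key, byte[] challenge, byte[] blob)
            throws GeneralSecurityException {
        return hmacMd5(key, challenge, blob);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] ntHash = rnd(16);   // constructed stand-in for MD4(password)
        byte[] key = responseKey(ntHash, "alice", "TESTBED");  // constructed account
        byte[] blob = rnd(24);     // constructed client blob

        byte[] challengeA = rnd(8);  // challenge on the connection that authenticated
        byte[] cached = proof(key, challengeA, blob);  // what the session keeps
        byte[] challengeB = rnd(8);  // challenge issued on a new connection

        // Server-side check: recompute with its own challenge and compare.
        boolean same = MessageDigest.isEqual(cached, proof(key, challengeA, blob));
        boolean fresh = MessageDigest.isEqual(cached, proof(key, challengeB, blob));
        System.out.println("same connection: " + same + ", fresh connection: " + fresh);
    }
}
```

The cached value only matches when the verifier uses the challenge it was computed for, which is why the handle has to ride on the transport that issued that challenge.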

