[jcifs] NTLMv2 and jCIFS

AsafM asaf.mesika at gmail.com
Sun Mar 16 11:00:26 GMT 2008 

I've been experiencing some difficulties with point no. 3.

I have a JBoss with the jCIFS filter installed. (version 1.2.18).

Scenerio 1: working
  1. NtlmMinClientSec and NtlmMinServerSec are both set to 0x0.
  2. jCIFS lmCompatibility is set to 0.
  
  Everything is working out fine.

Scenrio 2: Not working (typical desktop in a customer organization)
  1. NtlmMinClientSec and NtlmMinServerSec are both set to 0x20080030.
  2. jCIFS lmCompatibility is set to 0.

  IE doens't send type-3 message.

  I've managed to bypass that, by modifying the type-2 message jCIFS is
sending (setting the NTLMSSP_NEGOTIATE_NTLM2 flag to true).

  The returned type-3 message has both LM and NTLM hash at length of 24,
indicating a NTLM v1 response.

  Still, from some reason, the authentication fails at the DC level
(jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad
password.)

  How can this be solved, since it is obvious that the client is sending a
normal NTLM response.

Thanks,

Asaf Mesika




Eric Glass wrote:
> 
> There are some specific scenarios where LMv2 will not work properly;
> from what I remember:
> 
> 1) signing will not work if authentication is done with a given
> account to a host in a different domain (i.e. user is "DOMAINA\user"
> and computer is in DOMAINB).
> 
> 2) There are issues if you are authenticating against a server that is
> configured with the "nolmhash" registry key (it apparently will not
> pass the LM response through properly, even though the LM hash is
> technically not used in the LMv2 response).
> 
> 3) There can be issues related to the
> NtlmMinClientSec/NtlmMinServerSec registry settings (not necessarily
> limited to LMv2).
> 
> I had done some related work that I keep meaning to backport in to
> jCIFS; as Vista apparently uses NTLMv2/LMv2 by default this may become
> a more common issue anyway.  In the meantime, if the server/DC
> requires LMCompatibility >= 3 and jCIFS isn't working you might need
> to give the specific error messages etc. to diagnose.
> 
> 
> Eric
> 
> On 12/6/06, Adis Katkic <d97adka at hotmail.com> wrote:
>>
>> Hi
>>
>> I have a problem with jCIFS and NTLMv2.
>> I was reading on many places on the Internet about this but I'm still not
>> sure if I should give up.
>> What I come up to is:
>>
>> 1. jCIFS can handle LMv2 which is some kind if NTLMv2 but diffirent
>> length
>> of blob or somthing like that.
>>
>> 2. This means that jCIFS  may be used with NTLMv2 if server uses Pass
>> Trough
>> Authenication?
>> Am I right here?
>>
>> 3. lmCompability for NtlmHttpFilter must be set to 3.
>>
>> However I tried to make it work but it just wouldn't work. I'm not sure
>> if
>> my AD uses Pass trough authentication but I suspect it doesn't.
>> I can log in from different domain than server domain and if I understood
>> well it does not work with Pass trough.
>>
>> Any ides how to proceed? Is there some other component out there that
>> could
>> help me?
>> I found code that Konstantin Kasatkin wrote but I don't know how to use
>> it.
>> How about JNDI, is there some components that use JNDI to login via
>> Active
>> Directory.
>> In my opinion documetation about this issue is quite little.
>>
>> I'm thankfull for any kind of help.
>> Adis Katkic
>> ________________________________
>> Express yourself instantly with MSN Messenger! MSN Messenger Download
>> today
>> it's FREE!
> 
> 

-- 
View this message in context: http://www.nabble.com/NTLMv2-and-jCIFS-tp7720803p16077711.html
Sent from the Samba - jcifs mailing list archive at Nabble.com.

More information about the jcifs mailing list