[jcifs] Domain based DFS support in Kerberos code, or NTLMv2 support in Java 1.4?

Darren Taft daztop at rocketmail.com
Wed Feb 25 19:06:50 GMT 2009


> >> > I'm using a Java 1.4 environment (WebLogic 8.1.4) that I cannot upgrade.
> >> > I've been having issues connecting to a specific server using JCIFS,
> >> > so I've been trying different JCIFS versions.  See the following results:
> >> >
> >> > jcifs-1.2.25.jar - works for Domain-Based DFS, but doesn't work when
> >> > connecting to the "fault" server.
> >> > jcifs-krb5-1.3.1.jar - doesn't work for Domain-Based DFS, but does work
> >> > when connecting to any server (including "fault" server).
> >> > jcifs-1.3.3.jar - doesn't work in a Java 1.4 environment (requires some
> >> > Java 1.5 classes)
> >> >
> >> > Based on the above results, I'm assuming that the "fault" server is either
> >> > using NTLMv2 or Kerberos for authentication (for which jcifs-krb5-1.3.1.jar
> >> > includes support for both) - would that be a valid assumption?  The other
> >> > possibility is that there's a bug fix somewhere in the 1.3.1 code that just
> >> > happens to be resolving the fault.
> >> >
> >> > So based on the above assumption, how can I get both domain-based DFS and
> >> > this "fault" server working?  i.e. I need a JAR that includes the
> >> > NTLMv2/Kerberos (I don't know how to tell which one it's using) and/or the
> >> > possible fix, and the Domain-Based DFS.
> >> >
> >> > Anyone have any ideas?
> >>
> >> What's the "fault"?
> >
> > I wish I knew.
> >
> > If I provide a path of: \\SERVERNAME\ it lists all the shares that are available, but if I try and
> > access any of them it fails with this error:
> >
> > jcifs.smb.SmbException: Transport0 timedout waiting for response to SmbComTreeConnectAndX[command=SMB_COM_TREE_CONNECT_ANDX,received=false,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=4736,uid=6147,mid=19,wordCount=4,byteCount=63,andxCommand=0xFF,andxOffset=0,disconnectTid=false,passwordLength=1,password=,path=\\SERVERNAME\SHARE NAME,service=?????]
> > jcifs.util.transport.TransportException: Transport0 timedout waiting for response to SmbComTreeConnectAndX[command=SMB_COM_TREE_CONNECT_ANDX,received=false,errorCode=0,flags=0x0018,flags2=0xC003,signSeq=0,tid=0,pid=4736,uid=6147,mid=19,wordCount=4,byteCount=63,andxCommand=0xFF,andxOffset=0,disconnectTid=false,passwordLength=1,password=,path=\\SERVERNAME\SHARE NAME,service=?????]
> >        at jcifs.util.transport.Transport.sendrecv(Transport.java:76)
> >
> > Note - the SHARE NAME does contain a space (I don't know if that makes any difference).
> >
> > It's definitely not a timeout issue though - the server responds within a reasonable time from
> > Windows, and with jcifs-krb5-1.3.1.jar it responds within a few seconds.
> >
> >> NTLMv2 needs the RC4 cipher. That is only supported by Java 1.5 update
> >> 7 or later or another version of Java with a different crypto package
> >> like Bouncy Castle.
> >
> > I'm using jrockit81sp4_142_05 - I don't know if that includes RC4 support.
> 
> My guess is that is your problem. Does the issue occur without this
> JVM? Does it work with that JVM and another server?

I've just tested it with the Sun JVM (1.4.2 - the one that comes with WebLogic 8.1.4) and that
fails too. It's irrelevant anyway though, as I'm unable to change our live environment.

> I doubt that a timeout issue has anything to do with RC4 or NTLMv2.
> It's more likely a VM or environmental issue. You'll need to get a
> thread dump, try different VMs, servers and host machines to identify
> the pattern.

The Kerberos 1.3.1 version works fine though - if it had Domain-Based DFS support included, I
wouldn't even have needed to post to this mailing list.  Is there any purpose trying to debug a
fault in old code when it doesn't exist in the current code?  Are there any plans to add
Domain-Based DFS support to the Kerberos version?

Worst case scenario is that I re-add the code that I put together for the version of JCIFS I was
using before the DFS support was improved. It's not ideal though.

Cheers,

darren
p.s. apologies for replying directly to you - I hadn't noticed it wasn't sending to the list


      

