[jcifs] Domain based DFS support in Kerberos code, or NTLMv2 support in Java 1.4?

Darren Taft daztop at rocketmail.com
Wed Feb 25 22:36:16 GMT 2009

> The Kerberos package *has* domain based DFS support.

That's odd.  In the Kerberos package the domain based DFS doesn't work, but the dodgy server does.  In the non-Kerberos package (jcifs-1.2.25.jar) the domain based DFS works fine, but the dodgy server does not.  I'm unable to use the regular 1.3.* package as it complains of a missing java.lang.StringBuilder (Java 1.5 or later required).

> But I seriously
> doubt the success of the Kerberos package has anything to do with
> Kerberos. The Kerberos package requires special usage to actually get
> it to do Kerberos. Meaning you would get precisely the same result
> with the equivalent non-Kerberos version of JCIFS.

I did think that maybe it wasn't the Kerberos that was fixing it, but the Kerberos package is the only one at the 1.3.* code base that works in Java 1.4.  I'd wondered if maybe it was the NTLMv2 support that was doing it instead (especially, as like I say, when I disable the NTLMv2 support as per the docs it fails to connect to the dodgy server again). Is there an easy way of telling whether the server is requiring NTLMv2?  I've used Wireshark to analyse the traffic but don't know what I'm looking for (there's certainly no sign of a "NTLMSSP_NEGOTIATE_NTLM2" message, but I do see "NTLMSSP_NEGOTIATE").

> Your analysis of the problem isn't optimal. Test a standard JCIFS
> example with a standard JVM with a standard server so that you see it
> work. Then change one thing at a time systematically until it breaks.

I can test a standard JVM with a standard server - that's easy.  To change one thing at a time from there is very difficult though, as WebLogic 8 only has 2 choices of JVM - Sun or JRockit at version 1.4.2 only (it cannot be upgraded).

> Just saying "that fails too" is going to get you nowhere. You need to
> provide error messages, thread dumps, log fragments, captures or
> whatever you can get that shows what is happening at the failure
> boundary.

I'll give it a go, but ultimately if the result is that it won't work in my environment then the only solution I'll have is to go for the dirty workaround - there is absolutely zero chance of my environment being changed as it is totally out of my control.


