[jcifs] NTLMv2 and DFS referrals

Michael B Allen ioplex at gmail.com
Wed Jul 29 14:12:49 MDT 2009


On Wed, Jul 29, 2009 at 2:59 PM, Darren Taft<daztop at rocketmail.com> wrote:
> I use jCIFS to browse network shares from a web application, but I've
> spent the last couple of days trying to work out why my code sometimes
> fails on our domain.
>
> I've so far narrowed it down to the fact that it only fails when it
> attempts to connect to one of our new Active Directory 2008 domain
> controllers to resolve a DFS referral (our domain currently has a
> mixture of 2003 and 2008 servers).
>
> The error message that is returned is always NT_STATUS_NOT_FOUND, and
> I've been adding debug statements deeper and deeper into the code to
> find out exactly where it comes from.
>
> I've just reached the SmbSession class - the call to session.send().
> When opening this class, I've spotted this message at the top:
>
> /**
> * Update June 2009: This logon method of this class does not and never will
> * support NTLMv2. JCIFS does not implement the acceptor side of NTLM
> * authentication. It can only initiate NTLM authentication as a client.
> */
>
> Before I continue digging deeper, can I please confirm - am I going to
> hit a brick wall here?  Does jCIFS support DFS referrals in a Windows
> 2008 AD where NTLMv2 is required?  I think this message is just
> referring to the use of SmbSession from a server so wouldn't apply in
> this scenario, but I just want to check.

Hi Darren,

You're off track. That code comment has nothing to do with the problem
you're seeing. As a client browsing DFS volumes it will never need the
"acceptor side" of NTLM. A client is always only an "initiator" and
JCIFS fully supports NTLMv2 as an initiator.

The problem is probably a simple name service configuration issue or
some corner of DFS we haven't run into. DFS is by far the most
complicated part of CIFS because the semantics of the protocol are a
little vague and it's hard to test every configuration combination
because you need multiple servers. So we rely on the community (you)
to identify these problems.

First, make sure you're using the latest JCIFS. There have been a
number of DFS fixes recently.

Then, try to reproduce the issue using examples/ListFiles.java. If
ListFiles does not work, send me a detailed JCIFS log file and a
corresponding packet capture along with the exact command line you used
to run ListFiles and properties file, if any, and I'll look into it.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

