[jcifs] Domain based DFS support in Kerberos code, or NTLMv2 support in Java 1.4?

Thu Mar 26 00:02:02 GMT 2009

Please send all replies through the JCIFS mailing list.

On Wed, Mar 25, 2009 at 6:05 PM, Darren Taft <daztop at rocketmail.com> wrote:
>
>> > I'm restricted to using Java 1.4, so no RC4 cipher available.
>
>> >
>> > With NTLMv2 enabled, the test code works fine - but it must be connecting with
>> NTLMv1 as we know that NTLMv2 would trigger the RC4 cipher error.  I can't leave
>> NTLMv2 enabled though, as none of the other servers (that do support NTLMv2)
>> work.
>> >
>> > With NTLMv2 disabled, the test code works to all other servers except this one
>> causing problems.
>>
>> Ah, ok. Right. So the W2K3 server requires NTLMv2 but there's some
>> other test server like Samba or NetApp that requires NTLMv1.
>>
>> Well, tough. You can't have it both ways. But then again, neither can
>> anyone else so I don't think you should care. The LmCompatibilityLevel
>> is a registry value so all clients either do NTLMv1 or NTLMv2. JCIFS
>> is no different.
>>
>> I would say find the server that requires NTLMv1, run a big magnet
>> over the disk and plead ignorance.
>>
>> >> >> Meanwhile I'll recompile with 1.4 and run the usual tests with
>> >> >> jcifs.smb.client.useExtendedSecurity=false and
>> >> >> jcifs.smb.lmCompatibility=0 against NetApp and an old version of
>> >> >> Samba.
>> >> >>
>> >> >> But I'm a little busy with other things right now so this might take a
>> >> >> week or so.
>> >> >
>> >> > Have you had a chance to look at this at all?  Have you had any thoughts on
>> >> > what it might be?
>> >>
>> >> All versions of JCIFS released after replying to this the last time
>> >> have been recompiled with Java 1.4. I think the last two versions at
>> >> least were compiled with Java 1.4. And I tested and confirmed NTLMv1
>> >> behavior with Java 1.4 w/o RC4 and confirmed that it works.
>> >
>> > Was there anything specific about Windows 2003 with no service pack that
>> caused NTLMv2 issues?  Do you have a server you can test to?
>>
>> That server probably just requires NTLMv2. And FYI Windows Server 2008
>> requires NTLMv2 by default. And many people using Windows 2003 are
>> starting to require NTLMv2.
>>
>> There's nothing wrong. You can't have a server that requires NTLMv2
>> and another that requires NTLMv1 and expect everyone to work. This is
>> not just a problem with JCIFS. Any Windows client will have the same
>> problem.
>
> Sorry, but no.  I *can* connect to the server when I *enable* NTLMv2, but it isn't using NTLMv2 (which I know definitely doesn't work in my Java 1.4 environment).

That is contradictory. If you enable NTLMv2 and use Java 1.4 you
should get an RC4 error. If you're saying it works if you use 1.5u7+,
then it should use NTLMv2 and just work. If that is not the case, then
do an analysis, post a log, get a capture, etc.

>  The trouble is that other servers that can talk NTLMv2 won't work in this configuration.  When I *disable* NTLMv2, I can't talk to this server but I can talk to all other servers - we don't (currently) have any servers that require NTLMv2.

So you claim the one server won't work with NTLMv2 disabled but it
doesn't required NTLMv2. In that case I would need a packet capture to
verify your claim.

> It isn't using NTLMv2, but there is something about the NTLMv2 code stream that works when talking NTLMv1.

I don't see how you could have deduced something that but there is
something called "NTLM2 Session Security" that augments the password
hash calculation when NTLMv1 is used. What is the NtlmMinServerSec
registry value on the server? Is it different from the others?

Try setting but jcifs.smb.lmCompatibility=0 but do NOT set
useExtendedSecrurity. If NtlmMinServerSec is not 0 you will need to
use extended security (in theory this should not break other things
but be on the lookout as I don't know if I've tested this completely -
at least not with JCIFS).

Also, what exactly is the error or errant behavior that you see with
this one W2K3 server when you try to use NTLMv1?

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/