[jcifs] Domain based DFS support in Kerberos code, or NTLMv2 support in Java 1.4?

Michael B Allen ioplex at gmail.com
Fri Mar 27 00:09:42 GMT 2009


Re-CC-ing the JCIFS list minus captures....

On Thu, Mar 26, 2009 at 1:05 PM, Darren Taft <daztop at rocketmail.com> wrote:
>> So you claim the one server won't work with NTLMv2 disabled but it
>> doesn't require NTLMv2. In that case I would need a packet capture to
>> verify your claim.
>
> See attached.

So basically it times out if you don't useExtendedSecurity?

That sounds like NtlmMinServerSec is not 0 on the "dodgy server".
Depending on what the exact value of NtlmMinServerSec is, you might be
SOL since RC4 is needed for some NTLM2 session security stuff. In
particular "key exchange" uses RC4.

Try turning off NTLMSSP_NEGOTIATE_KEY_EXCH in
src/jcifs/smb/NtlmContext: around line 44. If it works, you're good.
If it doesn't, the NtlmMinServerSec value is requiring key exchange
which requires RC4 and you're not good.

Note that you might consider installing the Bouncy Castle JCE.

Or better still, implement an LGPL RC4 and contribute it to JCIFS. RC4
is documented well and is REALLY easy to implement. It would be a fun
exercise in crypto for someone with a little time on their hands.

I would do it but I just don't have "Free" time.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
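
The RC4 dependency discussed in the message above, as an added example that is not part of the original post and is not JCIFS code: a standalone RC4 in Java 1.4-compatible syntax, checked against the widely published "Key"/"Plaintext" vector, then used the way NTLMSSP key exchange uses it, where the client RC4-encrypts a random session key under the key exchange key. The class name `Rc4Demo` and the key value are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example: standalone RC4, not taken from JCIFS.
public class Rc4Demo {
    private final int[] s = new int[256];
    private int i, j;

    public Rc4Demo(byte[] key) {
        if (key == null || key.length == 0 || key.length > 256)
            throw new IllegalArgumentException("RC4 key must be 1..256 bytes");
        for (int k = 0; k < 256; k++) s[k] = k;
        // Key-scheduling algorithm: permute the state under the key.
        for (int k = 0, x = 0; k < 256; k++) {
            x = (x + s[k] + (key[k % key.length] & 0xff)) & 0xff;
            int t = s[k]; s[k] = s[x]; s[x] = t;
        }
    }

    // Keystream generation XORed over the input. State carries over between
    // calls, so one instance must be used per direction and per key.
    public byte[] update(byte[] in) {
        byte[] out = new byte[in.length];
        for (int n = 0; n < in.length; n++) {
            i = (i + 1) & 0xff;
            j = (j + s[i]) & 0xff;
            int t = s[i]; s[i] = s[j]; s[j] = t;
            out[n] = (byte) (in[n] ^ s[(s[i] + s[j]) & 0xff]);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Self-test with the published vector: key "Key", data "Plaintext".
        byte[] ct = new Rc4Demo("Key".getBytes("US-ASCII"))
                .update("Plaintext".getBytes("US-ASCII"));
        if (!new BigInteger(1, ct).toString(16).equals("bbf316e8d940af0ad3"))
            throw new IllegalStateException("RC4 self-test failed");

        // Key exchange step. The 16-byte key below is a constructed stand-in
        // for the key exchange key that NTLM derives during authentication.
        byte[] keyExchangeKey = "constructed-key!".getBytes("US-ASCII");
        byte[] sessionKey = new byte[16];
        new SecureRandom().nextBytes(sessionKey);
        byte[] onWire = new Rc4Demo(keyExchangeKey).update(sessionKey);
        byte[] atServer = new Rc4Demo(keyExchangeKey).update(onWire);
        if (!Arrays.equals(sessionKey, atServer))
            throw new IllegalStateException("key exchange round trip failed");
        System.out.println("RC4 self-test and key exchange round trip OK");
    }
}
```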

