[jcifs] Occasionally NTLM Filter fails...Please Help.

John Baker jbaker at javasystemsolutions.com
Wed May 20 21:32:49 GMT 2009


Shiv,

The NtlmFilter doesn't do an awful lot - it's mostly jcifs core code and in 
answer to your question:

grep -r \"jcifs.smb.client.domain\" *

jcifs/ntlmssp/Type1Message.java:        DEFAULT_DOMAIN = Config.getProperty("jcifs.smb.client.domain", null);
jcifs/ntlmssp/Type2Message.java:        DEFAULT_DOMAIN = Config.getProperty("jcifs.smb.client.domain", null);
jcifs/ntlmssp/Type3Message.java:        DEFAULT_DOMAIN = Config.getProperty("jcifs.smb.client.domain", null);
jcifs/http/NtlmHttpFilter.java:        defaultDomain = Config.getProperty("jcifs.smb.client.domain");
jcifs/http/NetworkExplorer.java:        defaultDomain = Config.getProperty("jcifs.smb.client.domain");
jcifs/http/NtlmServlet.java:        defaultDomain = Config.getProperty("jcifs.smb.client.domain");
jcifs/smb/NtlmPasswordAuthentication.java:        DEFAULT_DOMAIN = Config.getProperty("jcifs.smb.client.domain", "?");
jcifs/smb/SmbSession.java:                Config.getProperty("jcifs.smb.client.domain", null);

So, I can count three classes that are HTTP/NtlmFilter (?) specific, and five 
that are not.  Or perhaps they are all NtlmFilter specific?

In answer to your question, I set the jcifs.smb.client.domain to the domain 
name, and I set the jcifs.netbios.wins and jcifs.http.domainController to the 
hostname/IP of the domain controller.  I also set the username/password for 
pre-auth, and the filter mostly works.

I could figure out a percentage of core jcifs code in the NtlmFilter if I had 
a little more time, but a little bit of work with Eclipse and "show 
references to" will answer the question for you.

However, the error you report (user/pass failure) is something I've already 
posted about, and I'm still not convinced it's the fault of the filter, but a 
bug in the jcifs core code.  See previous post (Sunday) for my odd findings.


john


On Wednesday 20 May 2009 22:10:05 you wrote:
> Thanks. no problem. I will try to take a look at the code as well to get
> some understanding.
>
> However, has anybody else in this forum tried out working only with
> jcifs.smb.client.domain property and see any issues/risks please?
>
> Thanks,
> Shiv.
>
> Michael B Allen wrote:
> > Again, it's literally been like 7 years since I've even looked at the
> > HTTP Filter code so I'm really not qualified to answer questions about
> > it. I know how it interacts with the CIFS code and its security
> > limitations but otherwise I try to ignore all JCIFS filter questions.
> >
> > Good luck,
> > Mike
> >
> > On Wed, May 20, 2009 at 6:14 AM, shivsn <shivsn2008 at yahoo.com> wrote:
> >> Thanks for the response. In that case is it advisable that I use ONLY
> >> jcifs.smb.client.domain property (i.e. I use neither
> >> jcifs.smb.client.domainController nor jcifs.netbios.wins). Which domain
> >> controller will this set up use to authenticate against and are there
> >> any risks with this?
> >>
> >> This URL
> >> (http://eckhart.stderr.org/doc/libjcifs-java-doc/ntlmhttpauth.html)
> >> says "Either a jcifs.smb.client.domain or
> >> jcifs.smb.client.domainController property is required". 90% of my
> >> users belong to one specific domain while others are third party users
> >> and need not require SSO.
> >>
> >> Thanks,
> >> Shiv.
> >>
> >> Michael B Allen wrote:
> >>> On Tue, May 19, 2009 at 11:42 AM, shivsn <shivsn2008 at yahoo.com> wrote:
> >>>> Thanks Mike.
> >>>>
> >>>> I have another small question if you could please answer.
> >>>>
> >>>> Currently we are using jcifs.netbios.wins as jcifs param and seeing
> >>>> this issue. We noticed that when we use the DC (not WINS) the problem
> >>>> goes away. We tried jcifs.http.domainController and it works. Not
> >>>> sure why??
> >>>
> >>> Honestly I don't even remember how to use the filter. I haven't tried
> >>> it in many many years.
> >>>
> >>>> My question is regarding jcifs.http.domainController - can you please
> >>>> let me know if I can provide 2 (or more) DC separated by commas i.e.
> >>>> if one of the DC is down will it take the second one (similar to
> >>>> jcifs.netbios.wins parameter where we have provision to provide more
> >>>> than one WINS)?
> >>>
> >>> No but there is a patch for that in the patches directory. Not sure if
> >>> it actually works though.
> >>>
> >>>> If not,
> >>>> then what happens if the DC entered for this jcifs parameter is down?
> >>>
> >>> You'll get a big exception and it will fail miserably.
> >>>
> >>> Mike
> >>>
> >>> --
> >>> Michael B Allen
> >>> Java Active Directory Integration
> >>> http://www.ioplex.com/
> >>
> >> --
> >> View this message in context:
> >> http://www.nabble.com/Occasionally-NTLM-Filter-fails...Please-Help.-tp17262705p23632650.html
> >> Sent from the Samba - jcifs mailing list archive at Nabble.com.
> >
> > --
> > Michael B Allen
> > Java Active Directory Integration
> > http://www.ioplex.com/
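
The setup John describes at the top of this message (domain name, WINS and domainController pointed at the DC, plus a pre-auth account), written out as a web.xml fragment. This is an added example, not configuration posted by anyone in the thread: the domain, address, account and URL pattern are placeholders, and the two credential property names are the standard jCIFS ones rather than names quoted in the post.

```xml
<!-- WEB-INF/web.xml fragment (added example; every value is a placeholder) -->
<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

    <!-- Domain name, as in the post -->
    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>EXAMPLEDOM</param-value>
    </init-param>

    <!-- Both set to the hostname/IP of the domain controller, as in the post -->
    <init-param>
        <param-name>jcifs.netbios.wins</param-name>
        <param-value>192.0.2.10</param-value>
    </init-param>
    <!-- Single host only: per the thread, a comma-separated list is not
         supported without the patch, and authentication fails with an
         exception if this DC is down -->
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>192.0.2.10</param-value>
    </init-param>

    <!-- Pre-auth account (property names assumed: standard jCIFS names).
         The password is stored in cleartext here, so use a dedicated
         low-privilege account and restrict read access to this file -->
    <init-param>
        <param-name>jcifs.smb.client.username</param-name>
        <param-value>svc-ntlm-preauth</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.password</param-name>
        <param-value>CHANGE_ME</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```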

