[jcifs] Occasionally NTLM Filter fails...Please Help.

shivsn shivsn2008 at yahoo.com
Thu May 21 11:27:27 GMT 2009 

Hi John,

Thanks for your inputs. 

My questions are more concerned with issues/risks with JUST using
jcifs.smb.client.domain property (and not having WINS or DC properties in
the settings to connect). If you have any comments please let me know.

I am fine with jcifs errors thrown in logs for username/password property as
long as it work (which it does).

Thanks,
Shiv.




John Baker-4 wrote:
> 
> Shiv,
> 
> The NtlmFilter doesn't do an awful lot - it's mostly jcifs core code and
> in 
> answer to your question:
> 
> grep -r \"jcifs.smb.client.domain\" *
> 
> jcifs/ntlmssp/Type1Message.java:        DEFAULT_DOMAIN = 
> Config.getProperty("jcifs.smb.client.domain", null);
> jcifs/ntlmssp/Type2Message.java:        DEFAULT_DOMAIN = 
> Config.getProperty("jcifs.smb.client.domain", null);
> jcifs/ntlmssp/Type3Message.java:        DEFAULT_DOMAIN = 
> Config.getProperty("jcifs.smb.client.domain", null);
> jcifs/http/NtlmHttpFilter.java:        defaultDomain = 
> Config.getProperty("jcifs.smb.client.domain");
> jcifs/http/NetworkExplorer.java:        defaultDomain = 
> Config.getProperty("jcifs.smb.client.domain");
> jcifs/http/NtlmServlet.java:        defaultDomain = 
> Config.getProperty("jcifs.smb.client.domain");
> jcifs/smb/NtlmPasswordAuthentication.java:        DEFAULT_DOMAIN = 
> Config.getProperty("jcifs.smb.client.domain", "?");
> jcifs/smb/SmbSession.java:                
> Config.getProperty("jcifs.smb.client.domain", null);
> 
> So, I can count three classes that are HTTP/NtlmFilter (?) speciifc, and
> five 
> that are not.  Or perhaps they are all NtlmFilter specific?
> 
> In answer to your question, I set the jcifs.smb.client.domain to the
> domain 
> name, and I set the jcifs.netbios.wins and jcifs.http.domainController to
> the 
> hostname/IP of the domain controller.  I also set the username/password
> for 
> pre-auth, and the filter mostly works.
> 
> I could figure out a percentage of core jcifs code in the NtlmFilter if I
> had 
> a little more time, but a little bit of work with Eclipse and "show 
> references to" will answer the question for you.
> 
> However, the error you report (user/pass failure) is something I've
> already 
> posted about, and I'm still not convinced it's the fault of the filter,
> but a 
> bug in the jcifs core code.  See previous post (Sunday) for my odd
> findings.
> 
> 
> john
> 
> 
> On Wednesday 20 May 2009 22:10:05 you wrote:
>> Thanks. no problem. I will try to take a look at the code as well to get
>> some understanding.
>>
>> However, has anybody else in this forum tried out working only with
>> jcifs.smb.client.domain property and see any issues/risks please?
>>
>> Thanks,
>> Shiv.
>>
>> Michael B Allen wrote:
>> > Again, it's literally been like 7 years since I've even looked at the
>> > HTTP Filter code so I'm really not qualified to answer questions about
>> > it. I know how it interacts with the CIFS code and it's security
>> > limitations but otherwise I try to ignore all JCIFS filter questions.
>> >
>> > Good luck,
>> > Mike
>> >
>> > On Wed, May 20, 2009 at 6:14 AM, shivsn <shivsn2008 at yahoo.com> wrote:
>> >> Thanks for the repsonse. In that case is it advisable that I use ONLY
>> >> jcifs.smb.client.domain property (i.e. (i.e. I use neither
>> >> jcifs.smb.client.domainController or jcifs.netbios.wins). Which domain
>> >> controller will this set up use to authenticate against and are their
>> >> any risk with this?
>> >>
>> >> This URL
>> >> (http://eckhart.stderr.org/doc/libjcifs-java-doc/ntlmhttpauth.html)
>> >> says "Either a jcifs.smb.client.domain or
>> >> jcifs.smb.client.domainController
>> >> property is required". 90% of my users belong to one specific domain
>> >> while
>> >> others are third party users and need not require SSO.
>> >>
>> >> Thanks,
>> >> Shiv.
>> >>
>> >> Michael B Allen wrote:
>> >>> On Tue, May 19, 2009 at 11:42 AM, shivsn <shivsn2008 at yahoo.com>
>> wrote:
>> >>>> Thanks Mike.
>> >>>>
>> >>>> I have another small question if you could please answer.
>> >>>>
>> >>>> Currently we are using jcifs.netbios.wins as jcifs param and seeing
>> >>>> this
>> >>>> issue. We noticed that when we use the DC (not WINS) the problem
>> goes
>> >>>> away.
>> >>>> We tried jcifs.http.domainController and it works. Not sure why??
>> >>>
>> >>> Honestly I don't even remember how to use the filter. I haven't tried
>> >>> it in many many years.
>> >>>
>> >>>> My quesiton is regarding jcifs.http.domainController - can you
>> please
>> >>>> let
>> >>>> me
>> >>>> know if I can provide 2 (or more) DC seperated by commas i.e. if one
>> >>>> of the
>> >>>> DC is down will it take the second one (similar to
>> jcifs.netbios.wins
>> >>>> parameter where we have provision to provide more than one WINS)?
>> >>>
>> >>> No but there is a patch for that in the patches directory. Not sure
>> if
>> >>> it actually works though.
>> >>>
>> >>>> If not,
>> >>>> then what happens if the DC entered for this jcifs parameter is
>> down?
>> >>>
>> >>> You'll get a big exception and it will fail miserably.
>> >>>
>> >>> Mike
>> >>>
>> >>> --
>> >>> Michael B Allen
>> >>> Java Active Directory Integration
>> >>> http://www.ioplex.com/
>> >>
>> >> --
>> >> View this message in context:
>> >>
>> http://www.nabble.com/Occasionally-NTLM-Filter-fails...Please-Help.-tp17
>> >>262705p23632650.html Sent from the Samba - jcifs mailing list archive
>> at
>> >> Nabble.com.
>> >
>> > --
>> > Michael B Allen
>> > Java Active Directory Integration
>> > http://www.ioplex.com/
> 
> 

-- 
View this message in context: http://www.nabble.com/Occasionally-NTLM-Filter-fails...Please-Help.-tp17262705p23651609.html
Sent from the Samba - jcifs mailing list archive at Nabble.com.

More information about the jcifs mailing list