[jcifs] Occasionally NTLM Filter fails...Please Help.

Thu May 21 11:34:35 GMT 2009

Shiv,

I've had a lot of success with the parameters outlined - try them as I defined 
and let us know how you get on.

John

On Thursday 21 May 2009 12:27:27 you wrote:
> Hi John,
>
> Thanks for your inputs.
>
> My questions are more concerned with issues/risks with JUST using
> jcifs.smb.client.domain property (and not having WINS or DC properties in
> the settings to connect). If you have any comments please let me know.
>
> I am fine with jcifs errors thrown in logs for username/password property
> as long as it work (which it does).
>
> Thanks,
> Shiv.
>
> John Baker-4 wrote:
> > Shiv,
> >
> > The NtlmFilter doesn't do an awful lot - it's mostly jcifs core code and
> > in
> > answer to your question:
> >
> > grep -r \"jcifs.smb.client.domain\" *
> >
> > jcifs/ntlmssp/Type1Message.java:        DEFAULT_DOMAIN =
> > Config.getProperty("jcifs.smb.client.domain", null);
> > jcifs/ntlmssp/Type2Message.java:        DEFAULT_DOMAIN =
> > Config.getProperty("jcifs.smb.client.domain", null);
> > jcifs/ntlmssp/Type3Message.java:        DEFAULT_DOMAIN =
> > Config.getProperty("jcifs.smb.client.domain", null);
> > jcifs/http/NtlmHttpFilter.java:        defaultDomain =
> > Config.getProperty("jcifs.smb.client.domain");
> > jcifs/http/NetworkExplorer.java:        defaultDomain =
> > Config.getProperty("jcifs.smb.client.domain");
> > jcifs/http/NtlmServlet.java:        defaultDomain =
> > Config.getProperty("jcifs.smb.client.domain");
> > jcifs/smb/NtlmPasswordAuthentication.java:        DEFAULT_DOMAIN =
> > Config.getProperty("jcifs.smb.client.domain", "?");
> > jcifs/smb/SmbSession.java:
> > Config.getProperty("jcifs.smb.client.domain", null);
> >
> > So, I can count three classes that are HTTP/NtlmFilter (?) speciifc, and
> > five
> > that are not.  Or perhaps they are all NtlmFilter specific?
> >
> > In answer to your question, I set the jcifs.smb.client.domain to the
> > domain
> > name, and I set the jcifs.netbios.wins and jcifs.http.domainController to
> > the
> > hostname/IP of the domain controller.  I also set the username/password
> > for
> > pre-auth, and the filter mostly works.
> >
> > I could figure out a percentage of core jcifs code in the NtlmFilter if I
> > had
> > a little more time, but a little bit of work with Eclipse and "show
> > references to" will answer the question for you.
> >
> > However, the error you report (user/pass failure) is something I've
> > already
> > posted about, and I'm still not convinced it's the fault of the filter,
> > but a
> > bug in the jcifs core code.  See previous post (Sunday) for my odd
> > findings.
> >
> >
> > john
> >
> > On Wednesday 20 May 2009 22:10:05 you wrote:
> >> Thanks. no problem. I will try to take a look at the code as well to get
> >> some understanding.
> >>
> >> However, has anybody else in this forum tried out working only with
> >> jcifs.smb.client.domain property and see any issues/risks please?
> >>
> >> Thanks,
> >> Shiv.
> >>
> >> Michael B Allen wrote:
> >> > Again, it's literally been like 7 years since I've even looked at the
> >> > HTTP Filter code so I'm really not qualified to answer questions about
> >> > it. I know how it interacts with the CIFS code and it's security
> >> > limitations but otherwise I try to ignore all JCIFS filter questions.
> >> >
> >> > Good luck,
> >> > Mike
> >> >
> >> > On Wed, May 20, 2009 at 6:14 AM, shivsn <shivsn2008 at yahoo.com> wrote:
> >> >> Thanks for the repsonse. In that case is it advisable that I use ONLY
> >> >> jcifs.smb.client.domain property (i.e. (i.e. I use neither
> >> >> jcifs.smb.client.domainController or jcifs.netbios.wins). Which
> >> >> domain controller will this set up use to authenticate against and
> >> >> are their any risk with this?
> >> >>
> >> >> This URL
> >> >> (http://eckhart.stderr.org/doc/libjcifs-java-doc/ntlmhttpauth.html)
> >> >> says "Either a jcifs.smb.client.domain or
> >> >> jcifs.smb.client.domainController
> >> >> property is required". 90% of my users belong to one specific domain
> >> >> while
> >> >> others are third party users and need not require SSO.
> >> >>
> >> >> Thanks,
> >> >> Shiv.
> >> >>
> >> >> Michael B Allen wrote:
> >> >>> On Tue, May 19, 2009 at 11:42 AM, shivsn <shivsn2008 at yahoo.com>
> >>
> >> wrote:
> >> >>>> Thanks Mike.
> >> >>>>
> >> >>>> I have another small question if you could please answer.
> >> >>>>
> >> >>>> Currently we are using jcifs.netbios.wins as jcifs param and seeing
> >> >>>> this
> >> >>>> issue. We noticed that when we use the DC (not WINS) the problem
> >>
> >> goes
> >>
> >> >>>> away.
> >> >>>> We tried jcifs.http.domainController and it works. Not sure why??
> >> >>>
> >> >>> Honestly I don't even remember how to use the filter. I haven't
> >> >>> tried it in many many years.
> >> >>>
> >> >>>> My quesiton is regarding jcifs.http.domainController - can you
> >>
> >> please
> >>
> >> >>>> let
> >> >>>> me
> >> >>>> know if I can provide 2 (or more) DC seperated by commas i.e. if
> >> >>>> one of the
> >> >>>> DC is down will it take the second one (similar to
> >>
> >> jcifs.netbios.wins
> >>
> >> >>>> parameter where we have provision to provide more than one WINS)?
> >> >>>
> >> >>> No but there is a patch for that in the patches directory. Not sure
> >>
> >> if
> >>
> >> >>> it actually works though.
> >> >>>
> >> >>>> If not,
> >> >>>> then what happens if the DC entered for this jcifs parameter is
> >>
> >> down?
> >>
> >> >>> You'll get a big exception and it will fail miserably.
> >> >>>
> >> >>> Mike
> >> >>>
> >> >>> --
> >> >>> Michael B Allen
> >> >>> Java Active Directory Integration
> >> >>> http://www.ioplex.com/
> >> >>
> >> >> --
> >> >> View this message in context:
> >>
> >> http://www.nabble.com/Occasionally-NTLM-Filter-fails...Please-Help.-tp17
> >>
> >> >>262705p23632650.html Sent from the Samba - jcifs mailing list archive
> >>
> >> at
> >>
> >> >> Nabble.com.
> >> >
> >> > --
> >> > Michael B Allen
> >> > Java Active Directory Integration
> >> > http://www.ioplex.com/