[jcifs] new exception thrown in version 1.3.16

Christopher R. Hertel crh at samba.org
Sat Aug 6 21:53:49 MDT 2011


The "security = server" setting is something of a kludge, and it's a bit
outdated.  It allows a Samba server to act as if it were a member of a
domain even if it's not.

With "security = server", the server "fakes" a login to the password server.
Here's what happens:

* The client sends the NegProt.
* The server sends a NegProt to the password server.
* The password server sends back a NegProt response with a challenge.
* The server sends its own NegProt response to the client, with the
  password server's challenge included.
* The client generates the response (or responses) and sends it along
  to the server in a SessionSetupAndX.
* The server copies the responses and sends them to the password
  server in its own SessionSetup&X.
* If the password server accepts the server's authentication, then
  the server knows that the client has the correct password, and it
  accepts the client's authentication.
* The server closes the connection to the password server.

It's a man-in-the-middle attack, but it allows the file server to use the
password server to authenticate the client.

We generally recommend "security = domain" in these situations, since Samba
servers can be Domain Member Servers (and have had that ability for a long
time now).

Chris -)-----

Michael B Allen wrote:
> On Fri, Aug 5, 2011 at 9:45 AM,  <bryan.coleman at dart.biz> wrote:
>> I tried a slightly modified version of ListFiles.java (removed for loop
>> and replaced "file = SmbFile(args[a]);" with "file =
>> SmbFile("smb://server/directory/", new
>> NtlmPasswordAuthentication(<domain>, <username>, <password>));".
>>
>> It runs just fine with lmCompatibility=0 and fails without it.
>>
>> Here is the output upon failure:
>>
>> 0 files in 61ms
>> jcifs.smb.SmbException: The parameter is incorrect.
>>        at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:561)
>>        at jcifs.smb.SmbTransport.send(SmbTransport.java:661)
>>        at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:390)
>>        at jcifs.smb.SmbSession.send(SmbSession.java:218)
>>        at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
>>        at jcifs.smb.SmbFile.doConnect(SmbFile.java:911)
>>        at jcifs.smb.SmbFile.connect(SmbFile.java:954)
>>        at jcifs.smb.SmbFile.connect0(SmbFile.java:880)
>>        at jcifs.smb.SmbFile.resolveDfs(SmbFile.java:669)
>>        at jcifs.smb.SmbFile.send(SmbFile.java:773)
>>        at jcifs.smb.SmbFile.doFindFirstNext(SmbFile.java:1986)
>>        at jcifs.smb.SmbFile.doEnum(SmbFile.java:1738)
>>        at jcifs.smb.SmbFile.listFiles(SmbFile.java:1715)
>>        at jcifs.smb.SmbFile.listFiles(SmbFile.java:1648)
> 
> I think your server is misconfigured. Ironically I'm not particularly
> good at Samba config details. Ask the samba-users mailing list if
> security=server and password server = is the proper technique or
> research deeper into how to configure Samba.
> 
>> P. S. The mailing list URL is still broken.  I get a "Not Found: The
>> requested URL /listinfo/jcifs was not found on this server."
> 
> Indeed the link is bad. Just go to the top-level lists.samba.org and
> then click on JCIFS from there.
> 
> Mike
> 
>> Bryan
>>
>>
>>
>> From:   Michael B Allen <ioplex at gmail.com>
>> To:     bryan.coleman at dart.biz
>> Cc:     jcifs at samba.org
>> Date:   08/04/2011 09:08 PM
>> Subject:        Re: new exception thrown in version 1.3.16
>>
>>
>>
>> On Wed, Aug 3, 2011 at 1:06 PM,  <bryan.coleman at dart.biz> wrote:
>>> I was able to remove the useExtendedSecurity parameter; however, I still
>>> needed the lmCompatibility=0 one.
>> That actually doesn't make sense because I don't think you can do
>> NTLMv1 without extended security.
>>
>> Try the examples/ListFiles.java example from the commandline without
>> setting any properties. If that does not work, post the full command
>> used and the full stack trace.
>>
>> Mike
>>
>> --
>> Michael B Allen
>> Java Active Directory Integration
>> http://www.ioplex.com/
>>
>>
>>> The stack traces are:
>>>
>>> jcifs.smb.SmbException: 0xC00000C4
>>>        at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:561)
>>>        at jcifs.smb.SmbTransport.send(SmbTransport.java:661)
>>>        at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:316)
>>>        at jcifs.smb.SmbSession.send(SmbSession.java:218)
>>>        at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
>>>        at jcifs.smb.SmbFile.doConnect(SmbFile.java:911)
>>>        at jcifs.smb.SmbFile.connect(SmbFile.java:954)
>>>        at jcifs.smb.SmbFile.connect0(SmbFile.java:880)
>>>        at jcifs.smb.SmbFile.queryPath(SmbFile.java:1335)
>>>        at jcifs.smb.SmbFile.exists(SmbFile.java:1417)
>>>
>>> jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad
>>> password.
>>>        at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:544)
>>>        at jcifs.smb.SmbTransport.send(SmbTransport.java:661)
>>>        at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:316)
>>>        at jcifs.smb.SmbSession.send(SmbSession.java:218)
>>>        at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
>>>        at jcifs.smb.SmbFile.doConnect(SmbFile.java:911)
>>>        at jcifs.smb.SmbFile.connect(SmbFile.java:954)
>>>        at jcifs.smb.SmbFile.connect0(SmbFile.java:880)
>>>        at jcifs.smb.SmbFile.queryPath(SmbFile.java:1335)
>>>        at jcifs.smb.SmbFile.exists(SmbFile.java:1417)
>>>
>>>
>>> P. S.  The link to "Join the JCIFS Mailing List" appears to be broken.  I
>>> am getting the jcifs messages; however, my posts are being moderated (and
>>> have not yet been allowed through).
>>>
>>> Thank you,
>>>
>>> Bryan Coleman
>>>
>>>
>>>
>>> From:   Michael B Allen <ioplex at gmail.com>
>>> To:     bryan.coleman at dart.biz
>>> Cc:     jcifs at samba.org
>>> Date:   08/02/2011 09:39 PM
>>> Subject:        Re: new exception thrown in version 1.3.16
>>>
>>>
>>>
>>> On Tue, Aug 2, 2011 at 4:35 PM,  <bryan.coleman at dart.biz> wrote:
>>>> We have been using jcifs for quite a few years now to copy files from one
>>>> share to another.  Recently, I upgraded to the latest version 1.3.16 and
>>>> began experiencing issues with it.
>>>>
>>>> The first attempt appears to work just fine.  Simplified: We periodically
>>>> grab the list of files from the source directory; determine if each file
>>>> needs to be copied to the destination; then, copy (delete, backup, etc.).
>>>> On the second attempt (with version 1.3.16) we start receiving exceptions.
>>>> The first exception we encounter is "jcifs.smb.SmbException: 0xC00000C4"
>>>> and then every attempt afterwards leads to a "jcifs.smb.SmbAuthException:
>>>> Logon failure: unknown user name or password.".
>>>>
>>>> The 0xC00000C4 tracks down to a "NT_STATUS_UNEXPECTED_NETWORK_ERROR".
>>>>
>>>> I rolled back to version 1.3.15 and everything works fine again.
>>>>
>>>> Note: I am using the following jcifs parameters
>>>> "jcifs.smb.lmCompatibility=0" and
>>>> "jcifs.smb.client.useExtendedSecurity=false".
>>>>
>>>> Any ideas?
>>> Hi Bryan,
>>>
>>> You definitely do not need to set those properties. Those properties
>>> tell JCIFS to use NTLMv1 only. Unless you're using a very very old and
>>> obsolete version of Samba and all of the Windows clients are also
>>> forced to use NTLMv1 only as well (which is not particularly secure),
>>> you should not set those properties. And since you're eventually
>>> getting an SmbAuthException: Logon failure, I would not be shocked to
>>> hear that changing those properties changes the behavior of your error
>>> or fixes it entirely. If the problem is not fixed by removing those
>>> properties, then post the full stack trace of each type of exception.
>>>
>>> Mike
>>>
>>> --
>>> Michael B Allen
>>> Java Active Directory Integration
>>> http://www.ioplex.com/
>>>
>>>
>>>
>>
>>
> 
> 
> 

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
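
The "security = server" exchange listed in the message above, modeled in-process as an added example (not part of the original message, and not Samba or jCIFS code). The class names and the account are constructed, and HMAC-SHA256 is an assumed stand-in for the real LM/NTLM response calculation.

```python
import hashlib
import hmac
import os

def response_for(password: str, challenge: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the LM/NTLM response algorithm.
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()

class PasswordServer:
    """Holds the account database and issues one challenge per connection."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.challenge = None

    def negprot(self) -> bytes:
        self.challenge = os.urandom(8)
        return self.challenge

    def session_setup(self, user: str, response: bytes) -> bool:
        if self.challenge is None or user not in self.accounts:
            return False
        expected = response_for(self.accounts[user], self.challenge)
        self.challenge = None  # a challenge is good for one attempt only
        return hmac.compare_digest(expected, response)

class FileServer:
    """Models "security = server": it has no account database of its own."""
    def __init__(self, password_server: PasswordServer):
        self.ps = password_server
        self.seen = []  # everything the file server observes on the wire

    def negprot(self) -> bytes:
        # Server sends its own NegProt and hands the password server's
        # challenge to the client.
        challenge = self.ps.negprot()
        self.seen.append(challenge)
        return challenge

    def session_setup(self, user: str, response: bytes) -> bool:
        # Server copies the client's response into its own SessionSetup
        # and accepts the client only if the password server accepts it.
        self.seen.append(response)
        return self.ps.session_setup(user, response)

def client_login(server: FileServer, user: str, password: str) -> bool:
    challenge = server.negprot()
    return server.session_setup(user, response_for(password, challenge))
```

The file server only ever handles the challenge and the response, and a response is valid solely for the challenge it was computed against.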

