Smbclient/Kerberos/Alfresco JLAN Server

Gary Spencer gk.spencer at mac.com
Mon Jul 19 06:31:23 MDT 2010


Hi,

I'm the author of the Java-based CIFS server JLAN Server, which has been owned by the open source company Alfresco for a while now. The JLAN Server code is used within Alfresco's content management system to provide CIFS/FTP/NFS access, as well as being available for use as a component in other projects.

The JLAN Server code supports Kerberos logons from AD clients, but we have a problem when trying to connect using the smbclient application when Kerberos is used.

The problem seems to be due to a mismatch in the type of checksum that the Java JDK runtime code expects for the authenticator checksum in the Kerberos ticket. In the JDK source code I have found a check which tests to see if the checksum starts with the bytes 0x10, 0x00, 0x00, 0x00. Here's the output from Wireshark:

                                      Authenticator
                                            Authenticator vno: 5
                                            Client Realm: ALFRESCO.ORG
                                            Client Name (Principal): gkspencer
                                            Checksum
                                                Type: gssapi-8003 (32771)
                                                checksum: 100000000000000000000000000000000000000001000000...
                                                Length: 16
                                                Bnd: 00000000000000000000000000000000
                                                .... .... .... .... ...0 .... .... .... = DCE-style: Not using DCE-STYLE
                                                .... .... .... .... .... .... ..0. .... = Integ: Do NOT use integrity protection
                                                .... .... .... .... .... .... ...0 .... = Conf: Do NOT use Confidentiality (sealing)
                                                .... .... .... .... .... .... .... 0... = Sequence: Do NOT enable out-of-sequence detection
                                                .... .... .... .... .... .... .... .0.. = Replay: Do NOT enable replay protection
                                                .... .... .... .... .... .... .... ..0. = Mutual: Mutual authentication NOT required
                                                .... .... .... .... .... .... .... ...1 = Deleg: Delegate credantials to remote peer
                                                DlgOpt: 1
                                                DlgLen: 646
                                                CRED_BODY KRB-CRED

This check fails with the following Java error on the server side:
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Incorrect checksum)

Are there plans to support this style of checksum in the Samba/smbclient code? Are there any options on the build or smbclient command line that may help?

Thanks

Gary
--
Gary Spencer
gary.spencer at alfresco.org
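
The gssapi-8003 checksum in the Wireshark capture above follows the layout in RFC 4121 section 4.1.1 (Lgth, Bnd, Flags, then optional delegation fields). The decoder below is an added example, not part of the original post or of the JDK or Samba sources; the function name, flag table and sample bytes are constructed here, with the sample built from the field values the capture shows and zero bytes standing in for the KRB-CRED body.

```python
import struct

# Flag bits as decoded in the capture (RFC 4121 section 4.1.1.1; 0x1000 is DCE-style).
FLAG_NAMES = {0x01: "Deleg", 0x02: "Mutual", 0x04: "Replay", 0x08: "Sequence",
              0x10: "Conf", 0x20: "Integ", 0x1000: "DCE-style"}

def parse_8003_checksum(data: bytes) -> dict:
    """Decode a checksum of type 0x8003 (32771) from a Kerberos authenticator."""
    if len(data) < 24:
        raise ValueError("truncated: Lgth, Bnd and Flags need 24 bytes")
    (lgth,) = struct.unpack_from("<I", data, 0)   # little-endian, so 10 00 00 00
    if lgth != 16:
        raise ValueError(f"Lgth is {lgth}, expected 16 (length of Bnd)")
    (flags,) = struct.unpack_from("<I", data, 20)
    result = {
        "bnd": data[4:20],                         # channel-binding hash, zero if unused
        "flags": [n for bit, n in sorted(FLAG_NAMES.items()) if flags & bit],
        "dlg_opt": None, "deleg": None,
    }
    offset = 24
    if flags & 0x01:                               # delegation fields only with Deleg
        if len(data) < 28:
            raise ValueError("Deleg flag set but DlgOpt/Dlgth missing")
        dlg_opt, dlg_len = struct.unpack_from("<HH", data, 24)
        if dlg_opt != 1:
            raise ValueError(f"DlgOpt is {dlg_opt}, expected 1")
        if len(data) < 28 + dlg_len:
            raise ValueError("KRB-CRED shorter than Dlgth")
        result["dlg_opt"] = dlg_opt
        result["deleg"] = data[28:28 + dlg_len]
        offset = 28 + dlg_len
    result["extensions"] = data[offset:]           # optional trailing Exts
    return result

# Constructed sample matching the fields in the capture: Length 16, zero Bnd,
# only Deleg set, DlgOpt 1, DlgLen 646; zero bytes stand in for the KRB-CRED.
SAMPLE = struct.pack("<I16sIHH", 16, bytes(16), 0x01, 1, 646) + bytes(646)

if __name__ == "__main__":
    parsed = parse_8003_checksum(SAMPLE)
    print(parsed["flags"], parsed["dlg_opt"], len(parsed["deleg"]))
```

Feeding it the raw checksum bytes exported from a capture shows which field, if any, departs from the fixed layout.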
