Smbclient/Kerberos/Alfresco JLAN Server

Jeremy Allison jra at samba.org
Mon Jul 19 15:34:16 MDT 2010


On Mon, Jul 19, 2010 at 01:31:23PM +0100, Gary Spencer wrote:
> Hi,
> 
> I'm the author of the Java based CIFS server JLAN Server, which has been owned by the open source company Alfresco for a while now. The JLAN Server code is used within Alfresco's content management system to provide CIFS/FTP/NFS access, as well as being available for use as a component in other projects.
> 
> The JLAN Server code supports Kerberos logons from AD clients but we have a problem when trying to connect using the smbclient application when Kerberos is used.
> 
> The problem seems to be due to a mismatch in the type of checksum that the Java JDK runtime code expects for the authenticator checksum in the Kerberos ticket. In the JDK source code I have found a check which tests to see if the checksum starts with the bytes 0x10, 0x00, 0x00, 0x00, here's the output from Wireshark :-
> 
>                                       Authenticator
>                                             Authenticator vno: 5
>                                             Client Realm: ALFRESCO.ORG
>                                             Client Name (Principal): gkspencer
>                                             Checksum
>                                                 Type: gssapi-8003 (32771)
>                                                 checksum: 100000000000000000000000000000000000000001000000...
>                                                 Length: 16
>                                                 Bnd: 00000000000000000000000000000000
>                                                 .... .... .... .... ...0 .... .... .... = DCE-style: Not using DCE-STYLE
>                                                 .... .... .... .... .... .... ..0. .... = Integ: Do NOT use integrity protection
>                                                 .... .... .... .... .... .... ...0 .... = Conf: Do NOT use Confidentiality (sealing)
>                                                 .... .... .... .... .... .... .... 0... = Sequence: Do NOT enable out-of-sequence detection
>                                                 .... .... .... .... .... .... .... .0.. = Replay: Do NOT enable replay protection
>                                                 .... .... .... .... .... .... .... ..0. = Mutual: Mutual authentication NOT required
>                                                 .... .... .... .... .... .... .... ...1 = Deleg: Delegate credantials to remote peer
>                                                 DlgOpt: 1
>                                                 DlgLen: 646
>                                                 CRED_BODY KRB-CRED
> 
> This check fails with the following Java error on the server side :-
>     GSSException: Failure unspecified at GSS-API level (Mechanism level: Incorrect checksum)
> 
> Are there plans to support this style of checksum in the Samba/smbclient code? Are there any options on the build or smbclient command line that may help?

Yes, we should support this. Can you point me at the JDK source
code that does the checksum calculation and check? That would
help me *greatly* with fixing this for you.

Thanks,

Jeremy.
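
The checksum fields Wireshark decodes in the quoted capture follow the layout of RFC 4121 section 4.1.1. The parser below is an added example, not code from this thread, the JDK or Samba; it decodes that layout and applies the leading 10 00 00 00 length check mentioned in the report. The names gss8003_parse, gss8003_sample and the CK_* codes are hypothetical, and the sample buffer is constructed from the capture's field values with a filler KRB-CRED body.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GSS_C_DELEG_FLAG 0x01u   /* "Deleg" bit in the Flags field */
enum { CK_OK = 0, CK_SHORT = -1, CK_BAD_LGTH = -2, CK_BAD_DELEG = -3 };
struct gss8003 {                 /* decoded view; pointers alias the input */
    const uint8_t *bnd;          /* 16-byte channel-binding field (Bnd) */
    uint32_t flags;
    uint16_t dlg_opt, dlg_len;
    const uint8_t *deleg;        /* KRB-CRED bytes, NULL if not delegating */
};

static uint32_t le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode the value of a checksum of type 0x8003 (RFC 4121 section 4.1.1). */
int gss8003_parse(const uint8_t *b, size_t len, struct gss8003 *out) {
    memset(out, 0, sizeof(*out));
    if (len < 24) return CK_SHORT;                 /* Lgth + Bnd + Flags */
    if (le32(b) != 16) return CK_BAD_LGTH;         /* bytes 10 00 00 00 */
    out->bnd = b + 4;
    out->flags = le32(b + 20);
    if (!(out->flags & GSS_C_DELEG_FLAG)) return CK_OK;
    if (len < 28) return CK_BAD_DELEG;             /* DlgOpt/Dlgth missing */
    out->dlg_opt = le16(b + 24);
    out->dlg_len = le16(b + 26);
    if (out->dlg_opt != 1 || (size_t)out->dlg_len > len - 28) return CK_BAD_DELEG;
    out->deleg = b + 28;
    return CK_OK;
}

/* Constructed sample with the capture's values: Flags = Deleg only, DlgOpt 1,
 * DlgLen 646 (0x0286). The KRB-CRED body is 0xAA filler, not real data. */
size_t gss8003_sample(uint8_t *b, size_t cap) {
    static const uint8_t hdr[28] = { 0x10, 0, 0, 0, [20] = 0x01, [24] = 0x01, [26] = 0x86, [27] = 0x02 };
    if (cap < sizeof(hdr) + 646) return 0;
    memset(b, 0xAA, sizeof(hdr) + 646);
    memcpy(b, hdr, sizeof(hdr));
    return sizeof(hdr) + 646;
}

int main(void) {
    uint8_t buf[1024];
    struct gss8003 ck;
    int rc = gss8003_parse(buf, gss8003_sample(buf, sizeof(buf)), &ck);
    printf("rc=%d flags=0x%x DlgOpt=%u DlgLen=%u\n", rc, (unsigned)ck.flags, (unsigned)ck.dlg_opt, (unsigned)ck.dlg_len);
    return rc != CK_OK;
}
```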

