authentication


authentication

Torsten Curdt-2
Hi there,

I have a question regarding the ntlm authentication.

When I have the ip address of a machine - do I really need to provide
the domain? AFAIU jcifs requires the domain always to be set but it
was brought to my attention that using smbfs/cifsfs you can get away
with just the username/password. Same goes for the smbclient. Do they
all read the domain from the smb.conf? Or where can I find further
information on this?

So basically I am wondering whether I could use jcifs with just
username and password to connect to a machine.

cheers
--
Torsten

Re: authentication

Mario Ivankovits
Hi Torsten!
> So basically I am wondering whether I could use jcifs with just
> username and password to connect to a machine.
I don't know exactly what you try to do, but I tried it with
NtlmPasswordAuthentication and set the domain to null - and it worked.
To say the truth, even if I set a wrong domain here I can successfully
connect to the machine, strange ... But I tried it with a rather old
JCIFS - from VFS you know ;-)

I am pretty sure, you already tried this ...

Ciao,
Mario


RE: authentication

Göran Karlsson (KA/EAB)
In reply to this post by Torsten Curdt-2
 
Hi, I can just verify that setting the domain to an empty string does not work on V1.2.9. That is, you don't get in. (I tried that to see if it would prevent IE from appending the domain name to the remote user name.)
Regards
/Göran

-----Original Message-----
From: jcifs-bounces+goran.karlsson=[hidden email] [mailto:jcifs-bounces+goran.karlsson=[hidden email]] On Behalf Of Mario Ivankovits
Sent: den 12 juli 2006 06:26
To: Torsten Curdt
Cc: [hidden email]
Subject: Re: [jcifs] authentication

Hi Torsten!
> So basically I am wondering whether I could use jcifs with just
> username and password to connect to a machine.
I don't know exactly what you try to do, but I tried it with NtlmPasswordAuthentication and set the domain to null - and it worked.
To say the truth, even if I set a wrong domain here I can successfully connect to the machine, strange ... But I tried it with a rather old JCIFS - from VFS you know ;-)

I am pretty sure, you already tried this ...

Ciao,
Mario


Re: Re: authentication

Torsten Curdt-2
In reply to this post by Mario Ivankovits
> I don't know exactly what you try to do, but I tried it with

Well, so far we had the policy that one has to specify domain,
username, password to access a machine. Now someone came along and
pointed out that with smbfs/cifsfs you don't always have to specify
the domain. So the question was turned to us - why the domain.

At the moment I am trying to understand what is required from the
protocol level. Domain vs local authentication etc.

> NtlmPasswordAuthentication and set the domain to null - and it worked.

Ah, ok ...I'll give that a try again. I am sure at some stage I tried
that before ....but that was well more than a year ago.

> To say the truth, even if I set a wrong domain here I can successfully
> connect to the machine, strange ... But I tried it with a rather old
> JCIFS - from VFS you know ;-)

I know ;-) ...I just had a play with jardiff - looks like the latest
jcifs *should* be still compatible with the old jcifs-ext. Which looks
like good news.

cheers
--
Torsten

Re: RE: authentication

Torsten Curdt-2
In reply to this post by Göran Karlsson (KA/EAB)
> Hi, I can just verify that setting the domain to an empty string does not work on V1.2.9. That is, you don't get in. (I tried that to see if it would prevent IE from appending the domain name to the remote user name.)

Did you try with setting it to null (like Mario was talking about)
instead of an empty string as well?

cheers
--
Torsten

RE: authentication

Göran Karlsson (KA/EAB)
In reply to this post by Torsten Curdt-2
Now I get unsure whether I understood the context correctly or not. I use jcifs as a servlet filter to authenticate web clients. The domain I'm thinking of is the one in the filter configuration in the web.xml.

In case we are talking about the same thing, I tried without the domain tag in the web.xml too. That would be null, right?
 
Regards
/Göran
-----Original Message-----
From: jcifs-bounces+goran.karlsson=[hidden email] [mailto:jcifs-bounces+goran.karlsson=[hidden email]] On Behalf Of Torsten Curdt
Sent: den 12 juli 2006 12:21
To: [hidden email]
Subject: Re: RE: [jcifs] authentication

> Hi, I can just verify that setting the domain to an empty string does
> not work on V1.2.9. That is, you don't get in. (I tried that to see if
> it would prevent IE from appending the domain name to the remote user
> name.)

Did you try with setting it to null (like Mario was talking about) instead of an empty string as well?

cheers
--
Torsten

Re: RE: authentication

Torsten Curdt-2
I am not talking about jcifs in a web context but doing a straight
connection from java to a smb share ...but I would assume the context
shouldn't really matter. Not sure whether the missing tag in the
web.xml passes a null into the NtlmPasswordAuthentication object
though.

cheers
--
Torsten

Re: authentication

Michael B Allen-4
In reply to this post by Göran Karlsson (KA/EAB)
On Wed, 12 Jul 2006 14:05:09 +0200
Göran Karlsson (KA/EAB) <[hidden email]> wrote:

> Now I get unsure whether I understood the context correctly or not. I use jcifs as a servlet filter to authenticate web clients. The domain I'm thinking of is the one in the filter configuration in the web.xml.
>
> In case we are talking about the same thing, I tried without the domain tag in the web.xml too. That would be null, right?

What are you trying to achieve by leaving the Windows domain out? When
you don't specify the domain with smbclient I believe the remote server
simply assumes the user is to be authenticated against the domain
with which the server is joined. The domain in the NTLM HTTP Filter
is effectively the domain with which the Filter is joined. Therefore
not specifying a domain with the Filter should have no visible effect
on clients.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/

Re: Re: authentication

Torsten Curdt-2
> What are you trying to achieve by leaving the Windows domain out?

Let's say there are 25 domains ...all of them have the same user with
the same password. (Let's not go down the road and question the "why"
*sigh*) So...

domain1\admin password
domain2\admin password
...
domain25\admin password

At the moment we basically lookup the credentials by the domain and
then do the login. Now someone said "Well, why can't we just have"

 admin password

because when doing a mount of a smbfs/cifsfs he only has to specify
username and password.

So what I am now looking for is the definite answer whether this is
possible or not.

The smbclient might use the domain from smb.conf and pass that on. Not
sure about the smbfs/cifsfs implementations. Obviously this is meant
to work from windows to windows like that. But the question is: can
you leave out the domain on the protocol level and then the server
will assume its domain?

> When
> you don't specify the domain with smbclient I believe the remote server
> simply assumes the user is to be authenticated against the domain
> with which the server is joined.

Which would be what I am after. Would I have that by leaving the
domain set to null?

> The domain in the NTLM HTTP Filter
> is effectively the domain with which the Filter is joined. Therefore
> not specifying a domain with the Filter should have no visible effect
> on clients.

Personally I am not talking about the NTLM HTTP Filter ...I am trying
to see where I can connect (to the IPC$ share)

cheers
--
Torsten

Re: authentication

Michael B Allen-4
On Wed, 12 Jul 2006 18:39:20 +0200
"Torsten Curdt" <[hidden email]> wrote:

> So what I am now looking for is the definite answer whether this is
> possible or not.

No. It's not. Like I said, if you leave out the domain the server uses the domain for which it is a member. This works fine with smbclient and cifsfs because that's usually the domain you want. But the NTLM HTTP Filter is only a member of 1 domain. That domain has a 1 in 25 chance of being the domain you want.

The only way to authenticate users from multiple domains is to establish trust relationships between all domains AND supply the correct domain with the user's credentials.

> The smbclient might use the domain from smb.conf and pass that on. Not

Like I said before, I don't think this is what it does. I think smbclient uses what it was provided. The server sorts it out (uses the domain for which it is a member).

> to work from windows to windows like that. But the question is: can
> you leave out the domain on the protocol level and then the server
> will assume its domain?

Yes. But I'm not positive. I would have to take a capture.

> > When
> > you don't specify the domain with smbclient I believe the remote server
> > simply assumes the user is to be authenticated against the domain
> > with which the server is joined.
>
> Which would be what I am after. Would I have that by leaving the
> domain set to null?

Yes.

> > The domain in the NTLM HTTP Filter
> > is effectively the domain with which the Filter is joined. Therefore
> > not specifying a domain with the Filter should have no visible effect
> > on clients.
>
> Personally I am not talking about the NTLM HTTP Filter ...I am trying
> to see where I can connect (to the IPC$ share)

Oh. I thought you were trying to use the Filter.

Just do:

SmbFile f = new SmbFile("smb://server/ipc$", new NtlmPasswordAuthentication(null, "user", "pass"));

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/

RE: authentication

Göran Karlsson (KA/EAB)
In reply to this post by Torsten Curdt-2
As I wrote in my previous post, it was an attempt to see if it would make IE not append the domain name to the remote user name. I didn't think it would work, but it didn't take long to try... ;)

/Göran

-----Original Message-----
From: Michael B Allen [mailto:[hidden email]]
Sent: den 12 juli 2006 18:19
To: Göran Karlsson (KA/EAB)
Cc: [hidden email]
Subject: Re: [jcifs] authentication

On Wed, 12 Jul 2006 14:05:09 +0200
Göran Karlsson (KA/EAB) <[hidden email]> wrote:

> Now I get unsure whether I understood the context correctly or not. I use jcifs as a servlet filter to authenticate web clients. The domain I'm thinking of is the one in the filter configuration in the web.xml.
>
> In case we are talking about the same thing, I tried without the domain tag in the web.xml too. That would be null, right?

What are you trying to achieve by leaving the Windows domain out? When you don't specify the domain with smbclient I believe the remote server simply assumes the user is to be authenticated against the domain with which the server is joined. The domain in the NTLM HTTP Filter is effectively the domain with which the Filter is joined. Therefore not specifying a domain with the Filter should have no visible effect on clients.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization http://www.ioplex.com/

Re: Re: authentication

Torsten Curdt-2
In reply to this post by Michael B Allen-4
> Just do:
>
> SmbFile f = new SmbFile("smb://server/ipc$", new NtlmPasswordAuthentication(null, "user", "pass"));

...but I also will have to check f.canRead() to see whether I can get
access, right?

cheers
--
Torsten

Re: authentication

Michael B Allen-4
On Thu, 13 Jul 2006 12:16:06 +0200
"Torsten Curdt" <[hidden email]> wrote:

> > Just do:
> >
> > SmbFile f = new SmbFile("smb://server/ipc$", new NtlmPasswordAuthentication(null, "user", "pass"));
>
> ...but I also will have to check f.canRead() to see whether I can get
> access, right?

Actually no. The canRead() method only checks to see if the Read-Only
attribute is set. The user may be blocked from accessing the file due to
an ACL entry (or lack thereof). The best method is to put the operation
into a try catch and do what you would do if you cannot read in the catch.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
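
The advice in the last reply (perform the operation inside a try/catch instead of trusting canRead()), combined with the null-domain NtlmPasswordAuthentication from earlier in the thread, written out as an added example that is not code from the thread or from the jcifs project. It assumes the jcifs 1.x jar is on the classpath; the class name ShareAccessCheck, the Result enum and the command-line arguments are hypothetical.

```java
import java.io.IOException;
import jcifs.smb.NtStatus;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbFile;

// Hypothetical helper, not part of jcifs: reports why a share connection
// succeeded or failed instead of relying on SmbFile.canRead().
public class ShareAccessCheck {

    enum Result { OK, ACCESS_DENIED, LOGON_REJECTED, OTHER_FAILURE }

    // domain may be null; per the thread, the server then authenticates the
    // user against the domain it is a member of.
    static Result tryConnect(String url, String domain, String user, String pass) {
        NtlmPasswordAuthentication auth =
                new NtlmPasswordAuthentication(domain, user, pass);
        try {
            SmbFile f = new SmbFile(url, auth);
            // connect() sets up the session and connects to the share. For a
            // regular file, put the real operation (for example opening an
            // input stream) here, because ACLs are only evaluated by the
            // server when the operation is actually attempted.
            f.connect();
            return Result.OK;
        } catch (SmbAuthException e) {
            // Credentials accepted but the ACL blocks the user, versus the
            // logon itself being refused (bad password, wrong domain, ...).
            if (e.getNtStatus() == NtStatus.NT_STATUS_ACCESS_DENIED) {
                return Result.ACCESS_DENIED;
            }
            return Result.LOGON_REJECTED;
        } catch (IOException e) {
            // Malformed URL, unknown host, network error, other SMB errors.
            return Result.OTHER_FAILURE;
        }
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: ShareAccessCheck <smb-url> <user> <password>");
            return;
        }
        // Null domain, as in the thread: smb://server/ipc$ with user and password only.
        Result r = tryConnect(args[0], null, args[1], args[2]);
        System.out.println(args[0] + " -> " + r);
    }
}
```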