/usr/share/doc/libjcifs-java/faq.html is in libjcifs-java-doc 1.3.19-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<STYLE TYPE="text/css">
BODY {
font-family: verdana, arial;
font-size: small;
background-color: #ffffff;
}
H1 {
font-family: verdana, arial;
font-size: normal;
color: #000000;
}
H2 {
font-family: arial, verdana;
font-size: normal;
color: #000000;
}
H3 {
font-family: arial, verdana;
font-size: small;
color: #000080;
}
A {
font-family: arial, verdana;
font-weight: bold;
color: #000080;
}
A:HOVER {
text-decoration: none;
}
BIG {
color: #000080;
font-family: arial, verdana;
font-weight: bold;
font-size: 50px;
}
EM {
color: #000080;
font-family: Times New Roman;
font-weight: bold;
font-size: 20px;
}
PRE {
font-family: monospaced, courier;
border: 1px lightgrey dotted;
white-space: pre;
color: black;
padding: 4px;
background-color: #f0f0f0;
}
TABLE {
border-collapse: collapse;
border: 1px lightgrey solid;
}
TH {
font-family: verdana, arial;
border: 1px lightgrey solid;
background-color: #f0f0f0;
}
TD {
font-family: verdana, arial;
font-size: small;
border: 1px lightgrey solid;
}
</STYLE>
<TITLE></TITLE>
</HEAD>
<BODY>
<H1>JCIFS Frequently Asked Questions</H1>
<ol>
<li>
<a href="#ntlmhttpauth">How do I do NTLM HTTP authentication (a.k.a Single Sign On) for my website?</a>
</li>
<li>
<a href="#ntlmv2">Does jCIFS support NTLMv2?</a>
</li>
<li>
<a href="#ukproto">Why is java.net.URL throwing unknown protocol: smb Exceptions?</a>
</li>
<li>
<a href="#ukhost">I'm getting these UnknownHostExceptions right from the start. What am I doing wrong?</a>
</li>
<li>
<a href="#netunreach">Why do I get these "Network is unreachable" IOExceptions?</a>
</li>
<li>
<a href="#auth">How can I authenticate arbitrary user credentials from an application or web clients against Active Directory?</a>
</li>
</ol>
<a name="ntlmhttpauth"></a>
<em>Q:</em> How do I do NTLM HTTP authentication (a.k.a Single Sign On) for my website?
<p></p>
<em>A:</em> See "Jespa":
<blockquote>
<a href="http://www.ioplex.com/jespa.html">http://www.ioplex.com/jespa.html</a>
</blockquote>
Jespa is a <i>complete</i> NTLM implementation in 100% Java that properly implements both the server and client side of NTLMv2, NTLMv1, NTLM2 Session Security and Key Exchange.
Of particular interest to users of the old JCIFS SSO Filter, Jespa can properly authenticate NTLMv2 clients just like a Windows server does (using the NetrLogonSamLogon DCERPC call over NETLOGON w/ Secure Channel) and it includes an HTTP SSO Servlet Filter.
<p></p>
Note: Jespa uses JCIFS for DCERPC transport and some basic client side NTLM calculations. Jespa is not Open Source (although it is free for up to 25 users). Please contact IOPLEX Software support if you have any questions regarding Jespa.
<p></p>
Note: The old SSO Filter that used to be included with JCIFS used a "man in the middle" technique that cannot support NTLMv2 and has therefore been removed from the JCIFS package. See the following post for details:
<p></p>
<blockquote>
<a href="http://lists.samba.org/archive/jcifs/2008-October/008227.html">http://lists.samba.org/archive/jcifs/2008-October/008227.html</a>
</blockquote>
<p></p>
<!-- * * * * * * * * -->
<a name="ntlmv2"></a>
<em>Q:</em> Does jCIFS support NTLMv2?
<p></p>
<em>A:</em> Yes. As of 1.3.0, JCIFS fully supports NTLMv2 and uses it by default.
<p></p>
Note: The NTLM HTTP SSO Filter that used to be included with JCIFS cannot support NTLMv2. See <a href="#ntlmhttpauth">the above question</a> for details.
<p></p>
<!-- * * * * * * * * -->
<a name="ukproto"></a>
<em>Q:</em> Why is java.net.URL throwing unknown protocol: smb Exceptions?
<pre>
Exception in thread "main" java.net.MalformedURLException: unknown protocol: smb
at java.net.URL.<init>(URL.java:480)
at java.net.URL.<init>(URL.java:376)
at java.net.URL.<init>(URL.java:330)
at jcifs.smb.SmbFile.<init>(SmbFile.java:355)
...
</pre>
<em>A:</em> The SMB URL protocol handler is not being successfully installed. In short, the jCIFS jar must be loaded by the <tt>System</tt> class loader. The problem is reported frequently with servlet containers that load the jCIFS jar using a more restricted class loader (i.e. placing the jar in <tt>WEB-INF/lib</tt> is not adequate). In this case the solution is to add the jar to the servlet container's <tt>CLASSPATH</tt> (for Resin this is simply a matter of placing it in the top level lib directory).
<p></p>
More specifically, the SMB URL protocol handler (<tt>jcifs.smb.Handler</tt>) is used by the <tt>java.net.URL</tt> class to provide the Java "smb://" URL implementation. There are two possible reasons why this handler is not being recognized.
<ol>
<li>
The current security policy is preventing jCIFS from setting the <tt>java.protocol.handler.pkgs</tt> system property which is required to install the SMB URL protocol handler. For example, some servlet containers install a security manager or restrictive policy file. In this case, add the jCIFS jar file to the container's <tt>CLASSPATH</tt> because servlet containers usually associate a policy file with the class files of web applications. Otherwise, the specific (minimum) grant required by jCIFS to successfully install the SMB URL protocol handler is:
<pre>
permission java.util.PropertyPermission "java.protocol.handler.pkgs", "read, write";
</pre>
If jCIFS is not permitted to write this system property, the <tt>SecurityException</tt> throw will be caught and a message will be printed to <tt>System.err</tt>. Alternatively the property can also be set using a VM command line parameter:
<pre>
java -Djava.protocol.handler.pkgs=jcifs ...
</pre>
This should permit the URL protocol handler to be installed regardless of what security policy is installed (however this isn't recommended as it will override other protocol handlers).
</li>
<li>
The jCIFS jar file is not in a suitable location. Even if the <tt>java.protocol.handler.pkgs</tt> property is set successfully, the <tt>java.net.URL</tt> class must then access the <tt>jcifs.smb.Handler</tt> class. But if the jCIFS classes are loaded by a different class loader this handler will not be found and again, you will get the "unknown protocol: smb" exception. It is very common for servlet containers to load classes from a class loader other than the <tt>System</tt> class loader. Like the first scenario, the solution is to add the jCIFS jar file to the container's <tt>CLASSPATH</tt> and <i>not</i> the <tt>WEB-INF/lib</tt> directory of the web app.
</li>
</ol>
<!-- * * * * * * * * -->
<a name="ukhost"></a>
<em>Q:</em> I'm getting these UnknownHostExceptions right from the start. What am I doing wrong?
<pre>
$ java List smb://server/share/
Exception in thread "main" java.net.UnknownHostException: SERVER<20>
at jcifs.netbios.NbtAddress.doNameQuery(NbtAddress.java, Compiled Code)
at jcifs.netbios.NbtAddress.getByName(NbtAddress.java, Compiled Code)
at jcifs.smb.SmbFile.<init>(SmbFile.java, Compiled Code)
at jcifs.smb.SmbFile.<init>(SmbFile.java, Compiled Code)
at List.main(List.java, Compiled Code)
</pre>
<p></p>
<em>A:</em> In a nutshell, this is what happens when jCIFS cannot even find the target host.
<p></p>
For jCIFS to access another computer's files and services the target must be running a CIFS server over a NetBIOS LAN. This is exactly the case with 90% of MS Windows networks as CIFS over NetBIOS is MS's native networking setup. In this environment jCIFS should work flawlessly. However the above <tt>UnknownHostException</tt> is occurring because the name of the target computer cannot be resolved. There could be many reasons why this is happening.
<h3>Breakdown of Possible Name Resolution Problems:</h3>
<ul>
<li>
<b>The name really doesn't exist.</b> The computer name is misspelled or the machine is off. Doah!
</li>
<li>
<b>The target is on a different subnet and the name service properties are not set correctly.</b> Larger computer networks are divided up into "subnets". In this case a WINS server is required to resolve hostnames (although fully qualified DNS names will work just as well). The <tt>jcifs.netbios.wins</tt> property must be set to the IP address of the WINS server for your network.
<p></p>
See the <a href="api/overview-summary.html#scp">Setting Client Properties</a> page for information on how to set jCIFS properties. Also see the <a href="resolver.html">Setting Name Resolution Properties</a> page for more detail about resolver properties and what they do. You might also ask your network administrator about what NetBIOS name services are available or check the Network Settings of a nearby MS Windows host for this information.
</li>
<li>
<b>The target computer is not running a CIFS server.</b> Not all operating systems have CIFS servers running. Generally Windows NT, Windows 95/98/ME/2000/XP, Samba on UNIX, and possibly OS/2 should work fine (although you can run jCIFS <b>from</b> any computer with an adequate version of Java). The best way to confirm that the target is in fact running a CIFS server is to try to "share" a folder on the target machine and access files on it from another machine (see Diagnostics below). Otherwise you may need to configure it to run a CIFS server ( e.g. Samba on Linux) or get third party software (e.g. Thursby Software's Dave for MacOS). Note, Windows 95/98/ME do not have the CIFS server running by default -- you must "Allow others access to my files" under <tt>Control Panel > Network Settings</tt> first.
</li>
<li>
<b>You are using the NetBIOS "scope id".</b> This is rarely encountered but you may need to set the <tt>jcifs.netbios.scope</tt> property. Ask your network administrator if a NetBIOS scope id is being used and look at the Network Settings of nearby machines. It will just be a string like '<tt>CHEM_BLDNG</tt>' or '<tt>scope.com</tt>' or similar. See the <a href="resolver.html">Setting Name Resolution Properties</a> page for more information about scope and other properties that control hostname resolution.
</li>
<li>
<b>Your hostname is resolving to 127.0.0.1.</b> It is not uncommon on Linux for an /etc/hosts file to map the hostname to 127.0.0.1 such as:
<pre>
127.0.0.1 nano localhost.localdomain localhost
</pre>
Taking the host name (e.g. <tt>nano</tt>) out of the localhost line should solved the problem.
</li>
<li>
<b>JCIFS is not reading the properties file.</b> If you are using the <tt>-Djcifs.properties=<filename.prp></tt> command line option, make sure you spell it correctly or the properties file will silently be ignored, including any important name service properties within it.
</li>
</ul>
In general, if jCIFS is producing unwarranted <tt>UnknownHostException</tt>s, you will need to find out a little more about your network. Be sure to read the <a href="api/overview-summary.html#scp">Setting Client Properties</a> section from the <a href="api/index.html">API Documentation</a> and pay close attention to the <tt>jcifs.netbios.wins</tt> property. Connecting to Windows machines on the local subnet should work even without setting the WINS property. To connect to a machine on another subnet you can use the IP address of the host (eg. <tt>smb://192.168.1.15/someshare/</tt>) or set the <tt>jcifs.netbios.wins</tt> property and use NetBIOS server names. Below are some diagnostics that might help.
<h3>Diagnosis:</h3>
Personally I much prefer to take a packet capture when trying to diagnose networking issues. See <a href="capture.html">Obtaining a Network Packet Capture</a> for instructions on how to do that.
<p></p>
Otherwise, first check to see if your local hostname reverse-resolves properly. On UNIX you should look at your /etc/hosts file to make sure it's not mapped to 127.0.0.1. Otherwise just try pinging yourself. The below shows a problem. It should really be resolving to the real IP.
<pre>
[miallen@nano jcifs]$ ping nano
PING nano (<b>127.0.0.1</b>) from 127.0.0.1 : 56(84) bytes of data. // 127.0.0.1 INCORRECT
64 bytes from nano (127.0.0.1): icmp_seq=0 ttl=255 time=0.1 ms
...
[miallen@bogus jcifs]$ ping bogus
PING bogus.research.ml.com (<b>172.32.29.134</b>) from 172.32.29.134 : 56(84) bytes of data. // Real IP is CORRECT
64 bytes from bogus.research.ml.com (172.32.29.134): icmp_seq=1 ttl=255 time=0.090 ms
</pre>
There are many ways to test the machines on your network for the necessary NetBIOS name services. If you have a Windows machine available you can use <tt>nbtstat</tt> and <tt>ipconfig</tt>. On Linux and UNIX you can use <tt>ifconfig</tt> and <tt>nmblookup</tt> (nmblookup is from the Samba package). More specifically try:
<pre>
C:\> ipconfig
or
C:\> ipconfig /all
to confirm your IP address(e.g. 192.168.1.15) and then do:
C:\> nbtstat -A 192.168.1.15
</pre>
You should get the netbios hostname of the machine as well as some other useful information. You can now do this on other hosts as well provided you know their IP addresses. If this is working and the necessary properties are set correctly jCIFS should work flawlessly.
<p></p>
The Samba suite has a similar tool that you can use on Linux and UNIX. Again, first verify your IP address with:
<pre>
$ /sbin/ifconfig
$ nmblookup -A 192.168.1.15
</pre>
If any of the above fails you need to look closer at your network settings or have a discussion with your network administrator. But if you determine that the NetBIOS service is in fact listening on the targets of interest you can use the <tt>net</tt> command on Windows, <tt>smbclient</tt> on Linux/UNIX, or jCIFS to test connecting to services:
<pre>
C:\> net use * \\servername\share
</pre>
or on UNIX with
<pre>
$ smbclient -L //servername
$ smbclient //servername/share
$ smbclient //servername/share -W research
// -W required for domain auth
</pre>
If the above works the below <tt>List</tt> example (in the examples directory) should work as well. Try it with <tt>-Djcifs.util.loglevel=10</tt> to see detailed log messages.
<pre>
$ java -Djcifs.util.loglevel=10 List smb://server/share/
</pre>
<!-- * * * * * * * * -->
<a name="netunreach"></a>
<em>Q:</em> Why do I get these "Network is unreachable" IOExceptions?
<pre>
java.io.IOException: Network is unreachable
at java.net.PlainDatagramSocketImpl.send(Native Method)
at java.net.DatagramSocket.send(DatagramSocket.java, Compiled Code)
at jcifs.netbios.NameServiceClient.send(NameServiceClient.java, Compiled Code)
...
</pre>
<em>A:</em>
Most likely you need to set the broadcast address that jCIFS should use to broadcast name query requests. The Java Language does not provide a way to extract this information from a host so we simply try to use '255.255.255.255'. This will work with most network configurations, however this will fail under certain conditions producing the above exception.
<p></p>
To set the broadcast address, use the <tt>jcifs.netbios.baddr</tt> property such as adding <tt>jcifs.netbios.baddr=192.168.1.255</tt> or similar to your properties or use <tt>-Djcifs.netbios.baddr=192.168.1.255</tt> on the commandline. You can determine your proper broadcast address by running the <tt>ipconfig</tt> command on Windows or <tt>/sbin/ifconfig</tt> on Unix (Linux at least). See the <a href="api/overview-summary.html#scp">Setting JCIFS Properties</a> page for details.
<pre>
C:\> ipconfig
C:\> ipconfig /all
or on Linux:
$ /sbin/ifconfig
</pre>
Another cause of this is if your host does not have a suitable network interface over which to communicate (e.g. laptops with certain power management facilities can switch the NIC to powersave mode if theres nothing plugged into it).
<p></p>
<!-- * * * * * * * * -->
<a name="auth"></a>
<em>Q:</em> How can I authenticate arbitrary user credentials from an application or web clients against Active Directory?
<p></p>
<em>A:</em> There are two ways to do this. One is to use the <tt>jcifs.smb.Session.logon()</tt> method to perform an <tt>SMB_COM_SESSION_SETUP_ANDX</tt> like:
<pre>
UniAddress mydomaincontroller = UniAddress.getByName( "192.168.1.15" );
NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication( "ntdom", "user", "pass" );
try {
SmbSession.logon( mydomaincontoller, mycreds );
// SUCCESS
return true;
} catch( SmbAuthException sae ) {
// AUTHENTICATION FAILURE
return false;
} catch( SmbException se ) {
// NETWORK PROBLEMS?
se.printStackTrace();
}
</pre>
However, just like using an LDAP "bind" to validate credentials, the above method is a mild abuse of the protocol and can cause issues (e.g. with personal workstation AD security policy). The only way to <i>properly</i> validate NTLM credentials is with a NetrLogonSamLogon DCERPC call with the NETLOGON service. The only 100% Java solution that does that is <a href="http://www.ioplex.com/jespa.html">Jespa</a>.
<HR noshade="noshade">
<SMALL>
Last updated Mar 18, 2009<BR>jcifs-1.3.7<BR>
Copyright © 2004 The JCIFS Project<BR>
<a style="color: black;" href="http://validator.w3.org/check/referer">validate this page</a></SMALL>
</BODY>
</HTML>
|