This website uses cookies for visitor traffic analysis. By using the website, you agree with storing the cookies on your computer.More information

JVx, NTLMv2, Samba4 AD - authentication rocks!

Samba4 - what a great product!

My first samba PDC was version 3, and it took many nights until my old NT machines joined the samba domain... that was long time ago. As I heard of samba 4 and the big ideas (2005), I thought c'mon how would you do this? But Microsoft released important documentation about the protocol internas. And this helped!

... and some years later, we have a final release of Samba4.
Respect!

Yesterday, I read about a prebuilt samba image from SerNet (EnterpriseSamba) and thought I should try it out, because the installation was so easy! 20 minutes later, my Samba4 VM was up and running.

My first test with Windows XP as client was successful and today I added Vista, Win7 and Win8 to my new domain.
It was too easy :(

Of course, I had a problem with name resolving. The client machines should use the Samba4 server as primary DNS. I didn't change my DNS server but set the primary DNS on every machine/VM.

After my virtual domain environment was setup, I made tests with JVx' NTLM authentication. We added NTLMv1 support in 2008 or earlier - not sure when. We used jCIFS - what else.

We support authentication with signed, unsigned Applets (YES - Applets) and Desktop applications. It is one of the most important features for our business customers: Single Sign-On.

Our problems with the implementation were the difference between OS versions and Java versions. In Windows XP, NTLMv1 was default. Since Vista, NTLMv2 is default. Java 1.5 and newer support NTLM authentication via http automatically. Since 1.6 update ?? the authentication implementation is not so nice as it was before...

My tests with 1.5 and 1.6 <= 20 on WinXP, Vista, Win7, Win8 were successful. With 1.6 u38 and 1.7 u10 we have to use a new authentication dialog (be careful - German):

Authentication dialog

Authentication dialog

I'm not sure if this dialog is good or not, because NTLM authentication worked with e.g. 1.6 u20 without this thing. I didn't find a property to bypass this dialog. But if you check "save", the dialog does not pop up again (not perfect but our business users can handle it).

At the end of the day, we have a working solution for automatic NTLMv1 + NTLMv2 authentication for JVx with support for WinXP, Vista, Win7, Win8 and jre 1.5 up to 1.7. Thanks to samba4, an ActiveDirectory costs nothing.

It's a nice present :)