
JVx, NTLMv2, Samba4 AD - authentication rocks!

Samba4 - what a great product!

My first samba PDC was version 3, and it took many nights until my old NT machines joined the samba domain... that was a long time ago. When I heard of samba 4 and the big ideas (2005), I thought c'mon how would you do this? But Microsoft released important documentation about the protocol internals. And this helped!

... and some years later, we have a final release of Samba4.

Yesterday, I read about a prebuilt samba image from SerNet (EnterpriseSamba) and thought I should try it out, because the installation was so easy! 20 minutes later, my Samba4 VM was up and running.

My first test with Windows XP as client was successful and today I added Vista, Win7 and Win8 to my new domain.
It was too easy :(

Of course, I had a problem with name resolution. The client machines should use the Samba4 server as primary DNS. I didn't change my DNS server but set the primary DNS on every machine/VM.

After my virtual domain environment was set up, I made tests with JVx' NTLM authentication. We added NTLMv1 support in 2008 or earlier - not sure when. We used jCIFS - what else.

We support authentication with signed, unsigned Applets (YES - Applets) and Desktop applications. It is one of the most important features for our business customers: Single Sign-On.

Our problems with the implementation were the differences between OS versions and Java versions. In Windows XP, NTLMv1 was default. Since Vista, NTLMv2 is default. Java 1.5 and newer support NTLM authentication via HTTP automatically. Since 1.6 update ?? the authentication implementation is not as nice as it was before...

My tests with 1.5 and 1.6 <= 20 on WinXP, Vista, Win7, Win8 were successful. With 1.6 u38 and 1.7 u10 we have to use a new authentication dialog (be careful - German):

Authentication dialog

I'm not sure if this dialog is good or not, because NTLM authentication worked with e.g. 1.6 u20 without this thing. I didn't find a property to bypass this dialog. But if you check "save", the dialog does not pop up again (not perfect but our business users can handle it).

At the end of the day, we have a working solution for automatic NTLMv1 + NTLMv2 authentication for JVx with support for WinXP, Vista, Win7, Win8 and jre 1.5 up to 1.7. Thanks to samba4, an ActiveDirectory costs nothing.

It's a nice present :)

2 Responses to “JVx, NTLMv2, Samba4 AD - authentication rocks!”

  1. fidjet says:

    We too just successfully set up a Samba 4 AD DC on CentOS last week. So far the tests are terrific and we had zero issues connecting Windows 7, XP and Fedora clients to the DC. The Samba 4 HOWTO wiki was just fantastic and we were able to set it up in 20 minutes.
    What's really nice about this is that we now have an alternative to Microsoft which reduces cost not to mention running a fully functional Active Directory DC without the graphical GUI bloat required on a Windows 2008 server. The Samba devs belong in the history books!

  2. rjahn says:

    One advantage of Windows was or is that the configuration is easy and you have GUIs. I like GUIs because I'm faster.
    Now, it's possible to use Samba with the same GUIs. Manage your Samba server with Windows GUIs.

    I love using Samba 4 because it's really fast and configuration is possible with GUIs and it's open.
