Discussion:
[jcifs] jcifs.http.domainController
Pollers, Roel [NCSBE - Non JJ]
2005-08-22 09:55:30 UTC
Hello,

Does anyone know if there is a possibility to configure static domain
controllers (with a backup) per domain?
Now for example I have

jcifs.smb.client.domain=DOMAIN
jcifs.http.domainController=xx.xx.xx.xx

But I would like to specify a different domain controller for another domain
and also a backup domain controller for if one goes down ...

Any ideas ?

R.
Michael B Allen
2005-08-22 16:09:02 UTC
On Mon, 22 Aug 2005 11:55:30 +0200
Post by Pollers, Roel [NCSBE - Non JJ]
Hello,
Does anyone know if there is a possibility to configure static domain
controllers (with a backup) per domain?
Now for example I have
jcifs.smb.client.domain=DOMAIN
jcifs.http.domainController=xx.xx.xx.xx
But I would like to specify a different domain controller for another domain
and also a backup domain controller for if one goes down ...
Any ideas ?
Just *don't* set jcifs.http.domainController and let the client find
DCs using WINS. See the NTLM HTTP docs for details.

Mike
Oliver Schoett
2005-09-07 15:41:51 UTC
Post by Michael B Allen
On Mon, 22 Aug 2005 11:55:30 +0200
Post by Pollers, Roel [NCSBE - Non JJ]
Does anyone know if there is a possibility to configure static domain
controllers (with a backup) per domain?
Now for example I have
jcifs.smb.client.domain=DOMAIN
jcifs.http.domainController=xx.xx.xx.xx
But I would like to specify a different domain controller for another domain
and also a backup domain controller for if one goes down ...
Just *don't* set jcifs.http.domainController and let the client find
DCs using WINS. See the NTLM HTTP docs for details.
My client would like to avoid WINS, which seems reasonable given that
Windows clients from Windows 2000 onwards can locate their domain
controllers not via WINS, but via DNS (see
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b05eb382-d13a-4eb5-ac6e-01ebc1450dac.mspx).
I presume that jCIFS cannot (yet) do this; but the question remains
relevant how to best avoid WINS usage by jCIFS, and still have backup
domain controllers.

Regards,

Oliver Schoett
Michael B Allen
2005-09-07 17:49:04 UTC
On Wed, 07 Sep 2005 17:41:51 +0200
Post by Oliver Schoett
My client would like to avoid WINS, which seems reasonable given that
Windows clients from Windows 2000 onwards can locate their domain
controllers not via WINS, but via DNS (see
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b05eb382-d13a-4eb5-ac6e-01ebc1450dac.mspx).
Interesting! I didn't know this. Try this:

1) replace jcifs/smb/SmbSession.java:95 with:

InetAddress[] list = InetAddress.getAllByName("_ldap._tcp." + DNS_DOMAIN );

2) replace all NbtAddress types to InetAddress as necessary to resolve
any type mismatches in jcifs/smb/SmbSession.java. For example line 66
would be:

InetAddress[] dc_list = null;

3) Then add a new property at the top of SmbSession.java for the
DNS_DOMAIN (note we can't overload the jcifs.smb.client.domain
property because that is used for authentication too).

private static final String DNS_DOMAIN =
Config.getProperty("jcifs.smb.client.dns_domain", null);

Now set the jcifs.smb.client.dns_domain to the DNS domain name like
'megacorp.com'.

Actually, the FIRST thing you should do is write a very small simple test
program like examples/ListDC.java to see that the _ldap._tcp.megacorp.com
lookup actually works like the technet article claims.

Otherwise, no I can't think of a way to do backup domain controllers
without WINS.

Mike
Oliver Schoett
2005-09-08 10:12:18 UTC
Post by Michael B Allen
Actually, the FIRST thing you should do is write a very small simple test
program like examples/ListDC.java to see that the _ldap._tcp.megacorp.com
lookup actually works like the technet article claims.
Yes, it does work, but with JNDI rather than with
InetAddress.getAllByName. You must do a DNS lookup with type=SRV
(service lookup) rather than type=A (host lookup). If you have the
nslookup program (Windows XP seems to have it), you can easily test
this (all names and addresses faked):

$ nslookup
Standardserver: locadc3.megacorp.com
Address: 194.101.181.203
> set type=SRV
> _ldap._tcp.megacorp.com
Server: locadc3.megacorp.com
Address: 194.101.181.203

_ldap._tcp.megacorp.com SRV service location:
priority = 100
weight = 100
port = 389
svr hostname = locbdc3.megacorp.com
_ldap._tcp.megacorp.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = locadc4.megacorp.com
_ldap._tcp.megacorp.com SRV service location:
priority = 100
weight = 100
port = 389
svr hostname = loccdc1.megacorp.com
_ldap._tcp.megacorp.com SRV service location:
priority = 100
weight = 100
port = 389
svr hostname = locddc2.megacorp.com
_ldap._tcp.megacorp.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = locadc5.megacorp.com
_ldap._tcp.megacorp.com SRV service location:
priority = 100
weight = 100
port = 389
svr hostname = locedc2.megacorp.com
_ldap._tcp.megacorp.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = locadc3.megacorp.com
locbdc3.megacorp.com internet address = 196.125.137.6
locadc4.megacorp.com internet address = 194.101.181.204
loccdc1.megacorp.com internet address = 214.67.170.16
locddc2.megacorp.com internet address = 214.66.240.34
locadc5.megacorp.com internet address = 194.101.181.205
locedc2.megacorp.com internet address = 191.95.170.5
locadc3.megacorp.com internet address = 194.101.181.203

Attached is a Java test program that shows JNDI results versus
InetAddress.getAllByName. The output (names faked) is

$ java ListDC megacorp.com
Searching DCs for megacorp.com
... with JNDI-DNS
SRV:
[java.lang.String] 100 100 389 loccdc1.megacorp.com.
[java.lang.String] 100 100 389 locddc2.megacorp.com.
[java.lang.String] 0 100 389 locadc5.megacorp.com.
[java.lang.String] 100 100 389 locedc2.megacorp.com.
[java.lang.String] 0 100 389 locadc3.megacorp.com.
[java.lang.String] 100 100 389 locbdc3.megacorp.com.
[java.lang.String] 0 100 389 locadc4.megacorp.com.
... with InetAddress.getAllByName
java.net.UnknownHostException: _ldap._tcp.megacorp.com: _ldap._tcp.megacorp.com
at java.net.InetAddress.getAllByName0(InetAddress.java:1011)
at java.net.InetAddress.getAllByName0(InetAddress.java:981)
at java.net.InetAddress.getAllByName(InetAddress.java:975)
at ListDC.main(ListDC.java:33)
Exception in thread "main"

Actually, there are precise rules in RFC 2782 on how to try servers
given the priorities and weights returned by this lookup: try servers
in strict order of ascending priorities; within a priority, pick
servers sequentially at random with probability roughly proportional
to their weight (servers with weight 0 are given a chance also).

Presumably the LDAP service provider for JNDI
(http://java.sun.com/j2se/1.4.2/docs/guide/jndi/jndi-ldap.html)
implements these rules already, but I have not found a way to extract
the list of servers from this JNDI service provider.

Regards,

Oliver Schoett
Eric Glass
2005-09-08 13:16:42 UTC
Just popping by...
Post by Michael B Allen
Actually, the FIRST thing you should do is write a very small simple test
program like examples/ListDC.java to see that the _ldap._tcp.megacorp.com
lookup actually works like the technet article claims.
I messed around with this at one point awhile back. The SRV resource
records you want to look for are probably:

_ldap._tcp.dc._msdcs.megacorp.com

i.e. the "dc._msdcs" entries; "_ldap._tcp.megacorp.com" is *any* LDAP
server, not necessarily a domain controller. You can also look for
"_ldap._tcp.pdc._msdcs" to get the primary domain controller in a
mixed-mode domain (i.e. the box acting as the PDC for the NT-style
domain). Similarly, you can look up "_kerberos._tcp" to find a
Kerberos KDC, or "_kerberos._tcp.dc._msdcs" for a Win2K domain
controller that is also a Kerberos KDC for the domain.

There are more details here:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_sdns.asp


See below for a small example. It doesn't apply the
priorities/weights to the result list, that is an exercise left to the
reader ;)


import java.net.InetAddress;
import java.util.Enumeration;
import javax.naming.directory.*;

public class Lookup {

    public static void main(String[] args) throws Exception {
        String domain = args[0];
        // The JNDI DNS provider can ask for SRV records; InetAddress only does A/AAAA lookups.
        DirContext context = new InitialDirContext();
        Attributes attributes = context.getAttributes(
                "dns:/_ldap._tcp.dc._msdcs." + domain,
                new String[] { "SRV" });
        Enumeration values = attributes.get("SRV").getAll();
        while (values.hasMoreElements()) {
            // Each value is "priority weight port target." -- keep only the target host name.
            String value = (String) values.nextElement();
            InetAddress server = InetAddress.getByName(value.replaceFirst(
                    "^\\d* \\d* \\d+ (.*)\\.$", "$1"));
            System.out.println(server);
        }
    }

}
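Oliver's post above describes the RFC 2782 selection rules (ascending priority, then weighted random choice within a priority, with zero-weight records still getting a chance), and Eric's example deliberately leaves applying them to the reader. The class below is an added example, not code from this thread or from jCIFS: it parses SRV values in the "priority weight port target." text form that the JNDI DNS provider returns (the same form Eric's regex strips), builds the dc._msdcs query name Eric recommends, and orders the records per RFC 2782. The record set in main() is constructed from the faked host names in Oliver's nslookup output; the class, method and field names are the example's own assumptions. Only the in-memory ordering runs offline, so a deployment would replace the constructed list with the output of the JNDI lookup.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Random;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** RFC 2782 ordering of SRV records, e.g. the DC list under _ldap._tcp.dc._msdcs.<domain>. */
public class DcSelector {

    /** One SRV record as the JNDI DNS provider renders it: "priority weight port target." */
    static final class SrvRecord {
        final int priority, weight, port;
        final String target;

        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority;
            this.weight = weight;
            this.port = port;
            this.target = target;
        }

        public String toString() {
            return target + ":" + port + " (priority " + priority + ", weight " + weight + ")";
        }
    }

    private static final Pattern SRV_TEXT = Pattern.compile("^(\\d+) (\\d+) (\\d+) (\\S+?)\\.?$");

    /** Parses the JNDI text form; the trailing dot on the target is optional. */
    static SrvRecord parse(String text) {
        Matcher m = SRV_TEXT.matcher(text.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("not an SRV record: " + text);
        }
        return new SrvRecord(Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)),
                Integer.parseInt(m.group(3)), m.group(4));
    }

    /** Query name for domain controllers only; the bare _ldap._tcp name covers any LDAP server. */
    static String dcSrvName(String dnsDomain) {
        return "_ldap._tcp.dc._msdcs." + dnsDomain;
    }

    /** Orders records per RFC 2782: ascending priority, weighted random selection within a priority. */
    static List<SrvRecord> order(List<SrvRecord> records, Random rnd) {
        List<SrvRecord> pending = new ArrayList<SrvRecord>(records);
        // Stable sort: by priority, and within a priority zero-weight records first, so that a
        // random pick of 0 can still select one of them (RFC 2782, "Weight").
        Collections.sort(pending, new Comparator<SrvRecord>() {
            public int compare(SrvRecord a, SrvRecord b) {
                if (a.priority != b.priority) return a.priority < b.priority ? -1 : 1;
                return (a.weight == 0 ? 0 : 1) - (b.weight == 0 ? 0 : 1);
            }
        });
        List<SrvRecord> ordered = new ArrayList<SrvRecord>();
        int i = 0;
        while (i < pending.size()) {
            int prio = pending.get(i).priority;
            int j = i;
            while (j < pending.size() && pending.get(j).priority == prio) j++;
            List<SrvRecord> group = new ArrayList<SrvRecord>(pending.subList(i, j));
            // Repeatedly draw from the remaining records of this priority in proportion to weight.
            while (!group.isEmpty()) {
                int sum = 0;
                for (SrvRecord r : group) sum += r.weight;
                int pick = rnd.nextInt(sum + 1); // uniform in [0, sum], inclusive
                int running = 0;
                for (int k = 0; k < group.size(); k++) {
                    running += group.get(k).weight;
                    if (running >= pick) {
                        ordered.add(group.remove(k));
                        break;
                    }
                }
            }
            i = j;
        }
        return ordered;
    }

    public static void main(String[] args) {
        // Constructed from the faked records in the nslookup transcript above, in JNDI text form.
        String[] answers = {
            "100 100 389 locbdc3.megacorp.com.", "0 100 389 locadc4.megacorp.com.",
            "100 100 389 loccdc1.megacorp.com.", "100 100 389 locddc2.megacorp.com.",
            "0 100 389 locadc5.megacorp.com.", "100 100 389 locedc2.megacorp.com.",
            "0 100 389 locadc3.megacorp.com."
        };
        List<SrvRecord> records = new ArrayList<SrvRecord>();
        for (String a : answers) records.add(parse(a));
        System.out.println("Would query " + dcSrvName("megacorp.com"));
        for (SrvRecord r : order(records, new Random())) System.out.println(r);
    }
}
```

Priority-0 hosts (locadc3, locadc4, locadc5 in the constructed data) always come out before the priority-100 hosts, so a client that walks the returned list and falls through on connection failure gets the backup-controller behaviour the original question asked for, without WINS.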
Michael B Allen
2005-09-08 17:21:16 UTC
On Thu, 8 Sep 2005 09:16:42 -0400
Post by Eric Glass
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_sdns.asp
See below for a small example.
Neat. I didn't realize it would be so easy to extract this info. We
should really favor this method over WINS.

Mike
