JCIFS

The Java CIFS Client Library

JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java. CIFS is the standard file sharing protocol on the Microsoft Windows platform (e.g. Map Network Drive ...). This client is used extensively in production on large Intranets.

Links

Download
JCIFS NTLM HTTP Authentication
The FAQ
Mailing List Archive (GMANE)
Obtaining a Network Packet Capture

Developer Information

JCIFS API Documentation
Setting Client Properties
Setting Name Resolution Properties
Using JCIFS to Connect to Win32 Named Pipes
JCIFS Exceptions and NtlmAuthenticator
Using JCIFS NTLM Authentication for HTTP Connections
JCIFS is Licensed Under the LGPL

Related Java Projects

j-interop - Java COM Interop (uses Jarapac)
sharehound - CIFS network search engine
IntegraTUM WebDisk - HTTP to CIFS gateway
jcifs-ext - JCIFS Extensions
Jarapac - DCE/RPC in Java
The Jacob Project - Java/COM Bridge
JNBridge - Java/.NET Bridge
J-Integra - DCE/RPC in Java
Davenport - WebDAV to CIFS gateway
Alfresco JLAN Shared File Drive Interface

CIFS Authorities

http://www.samba.org/
http://www.samba-tng.org/

Other CIFS Utilities and Tools

Samba for Amiga
Sharity-Lite
SMB Browse for MacOSX
Xamba Network Integration Project

MSRPC

Rpcdump utility for querying RPC servers
OpenGroup DCE/RPC Specification
OpenGroup DCE/RPC Specification - NDR
What OLE Is Really About

Kerberos

RFC1510 - Kerberos V5 Specification
How a Kerberos Logon Works in Win2K
JGSS Example
Kerberos Explained
W2K PAC Specification

Technical Documentation

"Implementing CIFS" (complete online book)
Annotated CIFS Specification: draft-leach-cifs-v1-spec-02.html
SNIA CIFS Technical Reference (V1.0)
The NTLM Authentication Protocol
A .NET Developer's Guide to Windows Security
Windows System Error Codes
Windows Network Management Error Codes
rfc1001 - NetBIOS Concepts and Methods
rfc1002 - NetBIOS Detailed Specifications
CIFS Explained (A whitepaper by John Kleven)
SMB URL draft specification V07
NetBIOS, NetBEUI, NBF, SMB, CIFS networking links page
Microsoft Writeup on WINS behavior
Microsoft Writeup on WINS under W2K
Microsoft Server Documentation on Browsing WANs using WINS
Windows IT Library: NT Network Plumbing
Thursby Software's CIFS pages
Linux Mag: Understanding the Network Neighborhood

Other

Join the JCIFS Mailing List
Browse the Source
Batching
http://www.gnu.org/
http://www.opensource.org/
Microsoft's CIFS Mailing List Archives

News

jcifs-krb5-1.3.17 released / Kerberos Package Update
posted by Mike, November 11, 2011
The Kerberos package been updated to 1.3.17. Special thanks to Mr. Shun for contributing this package.

jcifs-1.3.17 released / SO_TIMEOUT Fixed, Connect Timeout Control Added
posted by Mike, October 18, 2011
The jcifs.smb.client.soTimeout property, which controls how long the client will wait to read data from a server, was broken in the previous release (1.3.16). Not only was it broken but no SO_TIMEOUT was specified at all meaning if a server became unresponsive, JCIFS could hang for an uncontrollably long time. This behavior of this property has been restored.

Additionally, a new jcifs.smb.client.connTimeout has been added which specifies the number of milliseconds that the client will wait to connect to a server (how long it will wait for a response to the TCP SYN). This can be very useful when trying to communicate with many servers in parallel.

jcifs-1.3.16 released / SO_TIMEOUT, Disconnect Improvements, copyTo() Exceptions and more
posted by Mike, June 25, 2011
This release includes the following minor fixes and improvements:
  • JCIFS now uses the InetSocketAddress class to explicitly bind and set the SO_TIMEOUT on client sockets before they are connected. This makes the SO_TIMEOUT effective when the target server socket is not listening and the client OS socket implementation takes a long time for the dropped SYN to timeout. This may significantly reduce resource consumption in applications that use multiple threads to constantly query servers that may not be listening.
  • When disconnecting a transport, new clauses have been added to better reset transport state whereas previously transports could get stuck in a disconnected state for unnecessarily long periods of time.
  • A new property jcifs.smb.client.ignoreCopyToException has been added. When set to "true" (the default), the SmbFile.copyTo() method will ignore (but log) exceptions trying to copy individual files or directories (such as because of a permissions error). To maintain backward compatibility, the default value of this property is "true" (exceptions are ignored). Setting this property to "false" will cause any exception that occurs trying to copy an individual file or directory to be thrown out of copyTo and abort the copy operation at the point of failure.
  • If an authentication exception occurs trying to connect to a server that has multiple IP addresses, JCIFS will not attempt to connect to more than one IP addresses because doing so could result in an account lockout.
  • The SID resolver code incorrectly resolved SIDs of an ACE in blocks of at most 10 where it should have used a limit of 64. This performance issue has been fixed.
  • JCIFS will not throw the artifical "Access is denied" error if the special NtlmPasswordCredential.ANONYMOUS credential is used explicitly (whereas normally JCIFS will deliberately throw an SmbAuthException if a login results in a guest login or if the anonymous identity is used).
  • The NetrServerEnum2 RAP call used incorrect parameter descriptiors which could result in "SmbException: 2320" errors trying to list domains and servers from the local NetBIOS browse service.
  • The NTLMSSP AUTHENTICATE_MESSAGE (aka "Type 2 Message") encoding routine incorrectly left out the TargetName field (although this had no effect on CIFS client behavior).

The JCIFS Team would like to thank IOPLEX Software for contributing to this work.

jcifs-1.3.15 released / Minor DcerpcHandle Locking Adjustments
posted by Mike, October 7
Minor adjustments have been applied to DcerpcHandle locking routines in the SID class to fix sporadic occurances of "All pipe instances are busy" errors under high load.

The JCIFS Team would like to thank Vivísimo, Inc. for supporting this work. Vivísimo provides enterprises with innovative search solutions to find, access, and manipulate all content. For consumer web searches, Vivísimo offers Clusty.com.

jcifs-1.3.14 released / NetBIOS Node Status Disabled and Named Pipe Errors
posted by Mike, February 11, 2010
JCIFS will no longer do a NetBIOS Node Status to determine the server hostname because it seems some servers no longer respond to it. Under high load "All pipe instances are busy" errors could occur. This has been fixed by adding a lock to ensure that the MSRPC bind and pipe open request are performed together.

jcifs-1.3.13 released / Deadlock Fixed, OSX Snow Leopard, and EMC
posted by Mike, January 5, 2010
Locking throughout the transport layer has been rewritten. This should fix the long standing deadlock that has been reported in the past. Note that these are significant changes to the I/O layer. The package should be tested carefully before being deployed.

The size of the transient input buffer used to read the SMB_COM_NEGOTIATE response has been doubled to accommodate a security blob (as observed with OSX Snow Leopard). A signing issue reading data from an EMC server has been fixed. NTLMSSP logging has been improved.

The JCIFS Team would like to thank Stoneware, Inc. for supporting this work. Stoneware, Inc. provides innovative software that enables organizations to build their own 'private' cloud for simplified access to all of their web, Windows or hosted applications and services.

JCIFS U.S. Export Control Classification Numbers (ECCN)
posted by Mike, August 27, 2009
JCIFS uses cryptography including RC4 128 (for NTLMv2) and AES 256 (for Kerberos) for authentication, digital signatures and encryption. Products that use cryptography and which are exported from the U.S. to other countries are supposed to obtain an export classification. The United States Department of Commerce Bureau of Industry and Security (BIS) has issued two ECCNs for the JCIFS package:
5D002.C.1 License Exception TSU
5D992.C (for binary only distribution of "mass market" software)
For commercial products that ship JCIFS in binary form, you will need to reference the second ECCN in your export classification requests. For further information such as CCATS numbers, please contact ioplex@gmail.com.

The JCIFS Team would like to thank BIS for their excellent service and patience.

jcifs-1.3.12 released / Two NullPointerExceptions Fixed and DFS
posted by Mike, August 14, 2009
If NtlmPasswordAuthentication.ANONYMOUS was used, CAP_EXTENDED_SECURITY could be incorrectly turned off resulting in a NullPointerException. If a DFS server did not return any referrals, a NullPointerException could occur. Both of these exceptions have been corrected. Also, JCIFS could become confused when connecting to a server that also happened to be a DFS root server. This issue has been fixed.

jcifs-1.3.11 released / NTLMv2 Calculation Correction
posted by Mike, July 21, 2009
The nTOWFv2 computation for NTLMv2 authentication was slightly wrong in that it upper-cased the domain. This had no effect on JCIFS but it has been corrected for technical accuracy.

jcifs-1.3.10 released / Bugfix for SmbException: The parameter is incorrect
posted by Mike, June 4, 2009
This release fixes a bug that could sporadically trigger a "The parameter is incorrect" error.

The JCIFS Team would like to thank IOPLEX Software for contributing to this work. IOPLEX Software has many years of experience with HTTP Single Sign-On, Kerberos, NTLM, Active Directory, MSRPC and related networking protocols.

jcifs-1.3.9 released / Robust Retry of Replicated DFS Targets, copyTo Fix, UTF-16LE, and More
posted by Mike, May 30, 2009
This package adds the following fixes:
  • JCIFS will now iteratively try multiple replicated DFS targets if some are not enabled (whereas previously JCIFS would quit if the first root target was not accessible)
  • Fixed "Invalid operation for ????? service" error when querying DFS
  • SmbFile.copyTo will now copy files larger than 4GB
  • All instances of UnicodeLittleUnmarked have been changed to UTF-16LE (for platforms like Android)

The JCIFS Team would like to thank MetaCarta, Inc. for supporting this work. MetaCarta, Inc., a provider of geographic intelligence solutions, offers users map-driven geographic search, geographic referencing, and data visualization capabilities.

jcifs-1.3.8 released / RC4 Implemented, Java 1.4 Now Supported Again
posted by Mike, Mar 29, 2009
RC4 has been implemented and therefore JCIFS no longer requires Java 1.5 update 7 or an implementation that provides RC4. Java 1.4 should work as well as it did prior to JCIFS 1.3.

jcifs-1.3.7 released / Share Security Fixed
posted by Mike, Mar 18, 2009
Share security was broken in both 1.2 and 1.3. It has been fixed. Note that share security is considered deprecated and is only supported by older software like Windows 98 and Samba 3.0.

jcifs-1.3.5 released / Stand-alone DFS with IP Address Hostname Issue Fixed
posted by Mike, Mar 12, 2009
Stand-alone DFS did not work properly if the hostname used in the SMB URL was an IP address and not a DNS or NetBIOS hostname. This issue has been fixed.

The JCIFS Team would like to thank Vivísimo, Inc. for supporting this work. Vivísimo provides enterprises with innovative search solutions to find, access, and manipulate all content. For consumer web searches, Vivísimo offers Clusty.com.

jcifs-1.3.4 released / Parameter Words, Status Codes and Minor Fixes
posted by Mike, Mar 9, 2009
This release includes some minor protocol adjustments and the addition of some more common status code text.

jcifs-1.3.3 released / NTLMv2 Requirements, "Invalid parameter" Error, and NetBIOS Broadcast Lookup Timeouts
posted by Mike, Jan 25, 2009
NTLMv2 support requires the RC4 cipher. Note that Sun's Java did not include RC4 until Java 1.5 update 7.

If the above mentioned RC4 cipher was not available, an "Invalid parameter" error would occur. Logic has been corrected so that the more informative "Cannot find any provider supporting RC4" error is reported instead.

To date, JCIFS has always tried NetBIOS broadcast lookups in favor of DNS which frequently resulted in a 6 second delay if the jcifs.resolveOrder property was not adjusted. This behavior has been changed to try DNS before NetBIOS broadcast lookups which should result in much less frequent delays when using default settings. To restore the old behavior, simply set jcifs.resolveOrder=LMHOSTS,BCAST,DNS.

The NTLMSSP code would not fallback to ASCII if Cp850 was not available (which is the case with stock JREs). This issue has been fixed.

jcifs-krb5-1.3.1 released / Kerberos 5 Package Updated
posted by Mike, Dec 22, 2008
The Kerberos package been updated to 1.3.1. The KerberosAuthExample.java example has been independently verified to work. Special thanks to Mr. Shun for contributing this package.

jcifs-1.3.2 released / Samba DFS
posted by Mike, Dec 22, 2008
Accessing a DFS link on Samba directly could result in an error. This issue has been fixed. Samba 3.0.x does not support raw NTLMSSP and therefore the new default JCIFS settings that use NTLMSSP break JCIFS and Samba 3.0.x compatibility. To work-around, turn off extended security and use NTLMv1 by setting jcifs.smb.client.useExtendedSecurity=false and jcifs.smb.lmCompatibility=0.

jcifs-1.3.1 released / NTLM HTTP Filter Fixed, DFS Adjustments and More
posted by Mike, Nov 30, 2008
The NTLM HTTP Filter was broken in 1.3.0. Setting jcifs.smb.client.useExtendedSecurity to false fixes the issue. This property has been changed in the Filter init method. Some minor DFS changes have been applied that users claim prevent issues in certain DFS scenarios. The NTLMv2 code has been refined in several ways (in particular the getNTLMv2Response method has changed). The NtlmPasswordAuthentication constructor will now split the username if it appears to be composed of a domain and username.

jcifs-1.3.0 released / NTLMv2 Support
posted by Mike, Oct 25, 2008
NTLMv2 has been fully implemented and will be used by default.

To emulate the old behavior you must set jcifs.lmCompatibility = 0 and jcifs.smb.client.useExtendedSecurity = false (new defaults are 3 and true respectively).

NTLMv2 and NTLMv1 over NTLMSSP has been fairly well tested with and without SMB signing negotiated and various NTLMSSP flags (e.g. NTLMSSP_NEGOTIATE_NTLM2).

Note: The NTLM HTTP Filter does not and can never support NTLMv2 as it uses a main-in-the-middle technique that is broken by NTLMSSP's "target information" used in computing password hashes. However, the existing Filter should continue to work.

The JCIFS Team would like to thank MetaCarta, Inc. for supporting this work. MetaCarta, Inc., a provider of geographic intelligence solutions, offers users map-driven geographic search, geographic referencing, and data visualization capabilities.

jcifs-1.2.25 released / ArrayIndexOutOfBoundsException, copyTo and IBM iSeries Fixes
posted by Mike, Oct 20, 2008
An ArrayIndexOutOfBoundsException could occur listing a large number of shares (DCERPC response larger than 65535 bytes). The copyTo method could deadlock if the server was disconnected during a copy. The IBM iSeries server can send the NativeFileSystem field in ASCII even though Unicode was negotiated and it requires the '?????' service string (and not 'A:'). These issues have been fixed.

The JCIFS Team would like to thank MetaCarta, Inc. for supporting this work. MetaCarta, Inc., a provider of geographic intelligence solutions, offers users map-driven geographic search, geographic referencing, and data visualization capabilities.

jcifs-1.2.18 released / DCERPC, Robust Recovery, URL Decoding, NPEs and Much More
posted by Mike, Feb 18, 2008
This release includes a few significant fixes for DCERPC related issues. It also includes numerous minor fixes for issues that have accumulated over time. The issues that have been fixed are as follows:
  • The SID.getServerSid() method could fail with NetApp servers due to a "generic" mask values. The mask has been changed to 0x00000001 which corresponds to an LsaOpenPolicy mask of POLICY_VIEW_LOCAL_INFORMATION.
  • The LsaPolicyHandle class would not throw an error if the LsarOpenPolicy2 call failed. This has been fixed.
  • If a share was unshared while JCIFS was in the middle of reading files from it, the transport could enter an error state from which it could not immediately recover if the share was subsequently restored. A small change to SmbTransport.doRecv() fixes this problem.
  • The SmbFile constructor could inappropriately URL decode the authority component of SMB URLs.
  • The NTLM HTTP Filter documentation has been updated.
  • An Invalid state: 4 error has been fixed.
  • A NetBIOS name service issue caused by Jetdirect printers has been fixed.
  • An ArrayIndexOutOfBounds exception in the SmbException class has been fixed.
  • A NullPointerException in SmbSession.getChallengeForDomain() has been fixed.
  • A NullPointerException in NbtAddress related to hosts without adequate localhost address configuration has been fixed.
  • An ArrayIndexOutOfBounds exception could be thrown if a server requires NTLMv2. This exception has been replaced with a more informative one.
  • The SmbSessionSetup constructor will now compare the challenge and encryptionKey using Arrays.equals instead of == to satisfy unforseen use-cases that otherwise trigger an NT_STATUS_ACCESS_VIOLATION.
The JCIFS Team would like to thank Vivísimo, Inc. for supporting this work. Vivísimo provides enterprises with innovative search solutions to find, access, and manipulate all content. For consumer web searches, Vivísimo offers Clusty.com.

The JCIFS Team would like to thank IOPLEX Software for contributing to this work. IOPLEX Software has many years of experience with HTTP Single Sign-On, Kerberos, NTLM, Active Directory, MSRPC and related networking protocols. IOPLEX Software's Plexcel extension for PHP provides unmatched integration with Active Directory for PHP applications.

Alfresco releases Java CIFS server under GPL
posted by Mike, Nov 2, 2007
Alfresco have announced the release of the JLAN Shared File Drive Interface under the terms of the Gnu General Public License (GPL). JLAN includes a CIFS server written in Java, as well as several other Java-based network components.

"I am very excited about this Open Source contribution", said Chris Hertel, Samba Team member and co-founder the jCIFS project. "Every Open Source CIFS implementation adds to the community's understanding, and to the utility of the protocol itself."

Their press release has a link to the source code at the bottom of the page.

jcifs-1.2.16 released / Domain-Based DFS Support
posted by Mike, Aug 2, 2007
With this release, JCIFS now supports domain-based DFS. With domain-based DFS, clients access DFS roots under the DNS domain name like \\example.com\dfs\foo so that users do not need to remember server names. However, for clients to work with these DFS roots they have to be prepared to connect to each domain controller as necessary to find the target share and successfully authenticate. JCIFS now includes this retry logic. JCIFS will also do something that it seems even Windows clients do not do - if you list the shares of a domain (e.g. (new SmbFile("smb://example.com/")).listFiles()), JCIFS will build a merged list of all shares on all domain controllers.

Note that these changes are fairly significant. Whenever JCIFS tries to connect to a server this new logic is used. So if anyone notices anything out of the ordinary please report it to the JCIFS mailing list.

The JCIFS Team would like to thank MetaCarta, Inc. for supporting this work. MetaCarta, Inc., a provider of geographic intelligence solutions, offers users map-driven geographic search, geographic referencing, and data visualization capabilities.

jcifs-1.2.15 released / NetApp Compatibility, SMB signing with DFS and More
posted by Mike, Jul 16, 2007
This release includes some significant changes. Most of these changes are related to NetApp compatibility. The changes in this release include the following:
  • An SMB signing failure related to DFS that could result in "Access denied" errors has been fixed.
  • The DCERPC bind did not exactly mimic Windows which uses SMB_COM_{WRITE,READ}_ANDX. We were using TransactNmPipe throughout which could result in an 'Incorrect function' error when querying the LSA on a NetApp server. JCIFS now implements the bind exactly like Windows to help ensure compatibility with other servers.
  • Other changes related to NetApp compatibility include falling back to SamrConnect2 if a DCERPC_FAULT_OP_RNG_ERROR error occurs, more closely mimicking the SMB_COM_NT_CREATE_ANDX "extended" response, adjusting various RPC handle operation access masks, uncommenting some padding code that was commented out for what appeared to be a NetWare problem, disabling some logic to use port 139 if the jcifs.netbios.hostname was set and finally adding code to include LsarQosInfo structures in the MSRPC bind.
  • Some new error code information has been added.
  • Constants for common SIDs have been added to the SID class.
  • The SID.getGroupMemberSids() method will now return an empty SID array if the SID is not of type SID_TYPE_DOM_GRP or SID_TYPE_ALIAS.
  • A minor performance flaw in the DCERPC code was found and fixed.

The JCIFS Team would like to thank Simple Groupware Solutions and the Leibniz Computing Centre Munich (LRZ) for supporting this work.

The JCIFS Team would like to thank Vivísimo, Inc. for supporting this work. Vivísimo provides enterprises with innovative search solutions to find, access, and manipulate all content. For consumer web searches, Vivísimo offers Clusty.com.

jcifs-krb5-1.2.13 released / Kerberos Authentication Support Update
posted by Mike, Feb 8, 2007
The stock jcifs-1.2.13 package has been patched by a third party to support Kerberos 5 / SPNEGO extended security authentication. Additionally, SMB signing and DFS issues that existed in jcifs-krb5-1.2.9 have been fixed.

The JCIFS team has compiled the package and confirmed that it works with at least the one test case provided (examples/KerberosAuthExample.java) but otherwise the code should be used with caution.

Great thanks again to Mr. Shun from Japan for contributing this work.