topic Re: CIFS with Passthru not working in Alfresco Archive

CIFS with Passthru not working

clancydamon — Fri, 29 Jan 2010 23:10:18 GMT

Hello. I've been struggling to get this damn thing up and working for almost three weeks now, and each victory leads to two setbacks. I'm trying to run Alfresco 3.2r on a VirtualBox running CentOS 5.4. This VirtualBox is hosted on a PC running Win7 Professional 64-bit. The goal is to create an envir

Re: CIFS with Passthru not working

dranakan — Mon, 01 Feb 2010 08:44:29 GMT

Hello,

This is a sample working on RHEL and Centos.

Starting alfresco with another user than root avoid using the standart ports (445, …), that why the forwarding is used (for security reasons, it's better to start alfresco with a no-root user). (http://wiki.alfresco.com/wiki/File_Server_Configuration#Running_SMB.2FCIFS_from_a_normal_user_account)

Do this (write inside iptables when it's working…) :
Forwarding :


# Rules for firewall
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/modprobe iptable_nat
        /sbin/iptables -t nat -F
        /sbin/iptables -P INPUT ACCEPT
        /sbin/iptables -P FORWARD ACCEPT
        /sbin/iptables -P OUTPUT ACCEPT
        /sbin/iptables -t nat -A PREROUTING -p tcp –dport 445 -j REDIRECT –to-ports 1445
        /sbin/iptables -t nat -A PREROUTING -p tcp –dport 139 -j REDIRECT –to-ports 1139
        /sbin/iptables -t nat -A PREROUTING -p udp –dport 137 -j REDIRECT –to-ports 1137
        /sbin/iptables -t nat -A PREROUTING -p udp –dport 138 -j REDIRECT –to-ports 1138
        /sbin/iptables -t nat -A PREROUTING -p tcp –dport 21 -j REDIRECT –to-ports 1024
        /etc/init.d/network restart
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Cifs configuration :


authentication.chain=passthru1:passthru

passthru.authentication.useLocalServer=false
passthru.authentication.domain=YOURDOMAIN
passthru.authentication.servers=YOURDOMAIN\\xxx.xxx.xxx.xxx,xxx.xxxx.xxx.xxx
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=YOURUSER
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
ntlm.authentication.sso.enabled=false


cifs.enabled=true
cifs.ServerName=${localname}
cifs.domain=YOURDOMAIN
cifs.hostanounce=true
cifs.broadcast=0.0.0.0
cifs.tcpipSMB.port=1445
cifs.ipv6.enabled=false
cifs.netBIOSSMB.namePort=1137
cifs.netBIOSSMB.datagramPort=1138
cifs.netBIOSSMB.sessionPort=1139
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

(change YOURDOMAIN, xxx, YOURUSER)
YOURDOMAIN\\xxx.xxx.xxx.xxx,xxx.xxxx.xxx.xxx write two times your AD : ex : dom\\10.0.0.1,10.0.0.1

Good luck 🙂

Re: CIFS with Passthru not working

clancydamon — Wed, 03 Feb 2010 23:18:49 GMT

Thank you very much for your reply. I tried your steps and, unfortunately, they didn't work. At least not with what I was trying to accomplish. However, we did find out what the problem was!

I noted before that we have all Win7 and Vista machines in our network. Well, I also have a laptop running WinXP that isn't part of the domain. On a whim, I tried mapping an alfresco drive on this laptop, and used the domain authentication (a username/password from our domain which I've never had reason to use on my laptop before). It worked instantly, and I had no problem accessing Alfresco! Bizarre to say the least, but a good clue.

My boss spent hours searching the net and eventually found the solution - http://blogs.techrepublic.com.com/networking/?p=577

That's it, change the NTLM authentication from the default V2 only to NTLM V1. I'm guessing (I really don't know here) that Alfresco does not support NTLMv2. I didn't even think we were using NTLM at all, given that we have it set to false as per your instructions dranakan, but there you go. If anyone else is having trouble using CIFS in a Win7/Vista environment, give that a try.

Re: CIFS with Passthru not working

mikeh — Wed, 03 Feb 2010 23:35:02 GMT

I believe the revised authentication protocols in NTLMv2 prevent "man in the middle" style attacks. Unfortunately this means the Alfresco CIFS implementation is also regarded as a man-in-the-middle, hence passthru NTLMv2 authentication isn't viable.

This should be made clear in the documentation, so I'll make sure the Docs Team are aware.

Thanks,
Mike