topic Re: WebDav and/or CIFS SSO in Alfresco Archive

WebDav and/or CIFS SSO

zakire — Tue, 08 Apr 2014 20:01:42 GMT

Okey, I have been fighting with my first Alfresco installation for a week now. I have been trying both Windows and Linux. Right now I'm running Alfresco on an Ubuntu-server behind another Ubuntu-server with Apache and mod-jk (to be able to to access Alfresco on port 443 using a valid certificate).Ri

Re: WebDav and/or CIFS SSO

mlagneaux — Wed, 09 Apr 2014 09:03:39 GMT

Hello,

Could you give your alfresco-global.properties and configuration files for passthru and ldap-ad ?
Is SSO working when trying to access to Alfresco Explorer ?

Re: WebDav and/or CIFS SSO

zakire — Wed, 09 Apr 2014 12:44:58 GMT

Hi and thank you for your help!

This is my alfresco-global.proporties (note that I have masked password, servernames etc.):


###############################
## Common Alfresco Properties #
###############################

dir.root=/opt/alfresco/alf_data

alfresco.context=alfresco
alfresco.host=intranet.domain.com
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=intranet.domain.com
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.gjt.mm.mysql.Driver
db.username=alfresco
db.password=password123
db.url=jdbc:mysql://sql.domain.com:3306/alfresco?useUnicode=yes&characterEncoding=UTF-8

### FTP Server Configuration ###
ftp.enabled=true
ftp.port=21

### RMI service ports ###
alfresco.rmi.services.port=50500
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0

### External executable locations ###
ooo.exe=/opt/alfresco/libreoffice/program/soffice.bin
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert
swf.exe=/opt/alfresco/common/bin/pdf2swf
swf.languagedir=/opt/alfresco/common/japanese

jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=abc123

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=/opt/alfresco

### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443

### BPM Engine ###
system.workflow.engine.jbpm.enabled=false

### Authentication ###
#authentication.chain=alfrescoNtlm1:alfrescoNtlm, passthru1:passthru, ldap-ad1:ldap-ad
authentication.chain=ldap-ad1:ldap-ad

## NTLM ##
#alfresco.authentication.allowGuestLogin=false
#alfresco.authentication.authenticateCIFS=false
#ntlm.authentication.sso.enabled=false
#ntlm.authentication.mapUnknownUserToGuest=false

## PASSTHRU ##
#passthru.authentication.useLocalServer=false
#passthru.authentication.domain=
#passthru.authentication.servers=DOMAIN.COM\\ldap.domain.com
#passthru.authentication.guestAccess=false
#passthru.authentication.defaultAdministratorUserNames=Administrator
#passthru.authentication.connectTimeout=5000
#passthru.authentication.offlineCheckInterval=300
#passthru.authentication.protocolOrder=NetBIOS,TCPIP
#passthru.authentication.authenticateCIFS=true
#passthru.authentication.authenticateFTP=true

## LDAP-AD ##
#ldap.authentication.active=false
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=userPrincipalName

### Sync AD ###
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 40 * * * ?

### SMTP ###
mail.host=mail.domain.com

### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https

### CIFS ###
cifs.enabled=true
cifs.serverName=SERVER01
cifs.domain=DOMAIN.LOCAL
cifs.hostannounce=true
cifs.ipv6.enabled=false
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: WebDav and/or CIFS SSO

eswbitto — Thu, 10 Apr 2014 16:20:00 GMT

A couple of things here…

On your Apache config did you define a virtual host for your Sharepoint to work? Also I have a similar setup. Need to make sure your SSL.conf is listening to port 7070.

Are you mapping your drive to https://intranet.domain.com/alfresco/webdav

Take a look at this POST and see if you need to change any steps in your apache setup.

Also…The vanilla install of Alfresco does a auto creation of users if no users exists. You can find posts on how to disable this as well. Hope this helps.

Also for my ldap config I had to put.


ldap.authentication.userNameFormat=domainname\\%s
‍‍‍

These are just some suggestions.

Re: WebDav and/or CIFS SSO

zakire — Fri, 18 Apr 2014 21:58:00 GMT

I have now understand that LDAP-AD is not supported in CIFS authentication. I will therefore try using KERBEROS.

I have followed this guide in order to set up KERBEROS: http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-ADconfig.html

I have also installed krb5-clients and krb5-users with the following commands:

apt-get install krb5-clients
apt-get install krb5-user‍‍

I have made the following changes to my config files:

alfresco-global.proporties

### Authentication ###
authentication.chain=kerberos1:kerberos, ldap1:ldap-ad

## ALFRESCO ##
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false

## KERBEROS ##
kerberos.authentication.realm=DOMAIN.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=Password123
kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true

## LDAP-AD ##
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=DOMAIN\\%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=Password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=sAMAccountName

### Sync AD ###
ldap.synchronization.active=true
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 15 * * * ?

### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https

### CIFS ###
cifs.enabled=true
cifs.serverName=server1
cifs.domain=domain.com
cifs.hostannounce=true
cifs.ipv6.enabled=false‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

java.security

login.config.url.1=file:${java.home}/lib/security/java.login.config‍

/etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.COM

[realms]
        DOAIN.COM = {
                kdc = ldap.domain.com
                admin_server = ldap.domain.com
        }

[domain_realm]
        ldap.domain.com = DOMAIN.COM
        .ldap.domain.com = DOAIN.COM
‍‍‍‍‍‍‍‍‍‍‍‍‍

Now I'm unable to login at all (Share, Alfresco, CIFS).

If I run kinit -V -k -t /etc/keytables/alfrescohttp.keytab HTTP/server1.domain.com@DOMAIN.COM I get the following result:

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytables/alfrescohttp.keytab
kinit: Key table entry not found while getting initial credentials‍‍‍‍

Any suggestions?

Re: WebDav and/or CIFS SSO

mrogers — Sat, 19 Apr 2014 22:30:44 GMT

Have you created the accounts in ad?

Re: WebDav and/or CIFS SSO

zakire — Sun, 20 Apr 2014 18:17:00 GMT

Yes. I have followed the guide I mentioned in my previous post.

I found out that the reason I was unable to login was that the KERBEROS subsystem didn't start up because of some error (don't remember what the log did say exactly).

If I disabled KERBEROS SSO and CIFS, I was able to login. However, I want CIFS to work.

EDIT: After I installed ldapsearch on the Ubuntu server I do no longer get error when I run kinit (not sure if it really was ldapsearch that fixed the problem).

This is now the result of running kinit -V -k -t /etc/keytables/alfrescocifs.keytab cifs/server1.domain.com@DOMAIN.COM

Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOAIN.COM
Using keytab: /etc/keytables/alfrescocifs.keytab
Authenticated to Kerberos v5‍‍‍‍

So I now tried to enable KERBEROS CIFS again in my alfresco-global.properties:

## KERBEROS ##
kerberos.authentication.realm=DOAIN.COM
kerberos.authentication.sso.enabled=false
kerberos.authentication.authenticateCIFS=true
#kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=alfrescocifs
#kerberos.authentication.http.configEntryName=alfrescohttp
kerberos.authentication.cifs.password=Password123
#kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true‍‍‍‍‍‍‍‍‍‍‍‍

But when I start Alfresco service, KERBEROS substystem is not started and it gives me the following error:

20:04:23,718 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
        at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:353)
        at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)
        at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:364)
        at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)‍‍‍‍‍

22:10:21,029 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
…
…
Caused by: KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
        … 82 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        … 85 more‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

ERROR [20:27:51,343 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service] CIFS Kerberos authenticator error‍‍

‍

I have been struggling with this for over two weeks now and really need to get it working. Could it really be that hard? =(

Re: WebDav and/or CIFS SSO

zakire — Mon, 21 Apr 2014 13:37:00 GMT

Okey, just to clarify a little bit.

If i run kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/server1.domain.com I get the following result:

Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
Authenticated to Kerberos v5‍‍‍‍

And if I run kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/badserver.domain.com I get the following result:

Using default cache: /tmp/krb5cc_0
Using principal: cifs/badserver.domain.com@DOAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
kinit: Client not found in Kerberos database while getting initial credentials‍‍‍‍

Everything seems to work on my Domain Controller, right?

And my java.login.config contains this:

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytabs/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};‍‍‍‍‍‍‍

And the output of alfresco.log is this:

15:21:07,667 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)‍‍

It looks like that KERBEROS is working properly between server1 and my Domain Controller, but Alfresco is for some reason not using cifs/server1.domain.com as principal, despite that I have configured that in java.login.config.

Does anyone has a clue? Thanks in advance!

EDIT: Ahhhhhhh…… I just read the documentation and it all turned out it was a "typo" in alfresco-global.proporties. I thought that kerberos.authentication.cifs.configEntryName was supposed to be the username… But that was not the case. It's supposed to be the name of the config entry in java.login.config, which in my case is the default; AlfrescoCIFS. Sorry 😃

Now Alfresco is starting correctly without any errors and I have enabled both KERBEROS SSO and KERBEROS CIFS authentication. I can now login to the Alfresco Share.

I can also reach Alfresco CIFS from a domain connected computer without any problem, how ever I can't login throught CIFS from a non domain connected computer. I get no errors in alfresco.log or catalina.out. Windows just saying "Undefined error".
Any suggestions?