topic Re: alfresco 5.0c and kerberos in Alfresco Archive

alfresco 5.0c and kerberos

vincent-kali — Fri, 06 Feb 2015 14:22:30 GMT

Hi,I'm facing issues to setup kerberos authentication against 2008R2 AD domain controller on an Alfresco Community 5c platform (on linux debian 7).I followed the procedure that we applied on alf 4.2, which was working fine. I made the following:- create services accounts on AD (alfrescoCIFS & a

Re: alfresco 5.0c and kerberos

vincent-kali — Mon, 09 Feb 2015 21:28:37 GMT

After further analysis, I see that :
- Alfresco is getting the initial TGT correctly for CIFS at startup
- User fails to get TGS for alfresco with error KRB5KDC_ERR_BADOPTION 'STATUS_NOT_SUPPORTED'

any suggestion ?
really nobody can help ?
thanks

Re: alfresco 5.0c and kerberos

vincent-kali — Wed, 11 Feb 2015 11:32:06 GMT

Issue has been identified on AD side.
Tricky problem: mixed upper/lowercase in the domain name, and consequently in the Kerberos TGS (refused by alfresco JAAS).
No easy solution at this time.

Vincent.

Re: alfresco 5.0c and kerberos

vincent-kali — Fri, 06 Mar 2015 13:22:11 GMT

After digging out Kerberos and AD, I finally found that the problem was (again) a kvno issue.
conclusions:
- kinit does NOT validate the keytab file, even if you use it as parameter as it requests to get a TGT. kvno is not checked at this step (it does validate the Kerberos config only - krb5.conf)
- you need to check the kvno on AD U&C directly, parameters (constructed): msDS-KeyVersionNumber

Vincent

Re: alfresco 5.0c and kerberos

borisstankov — Fri, 03 Apr 2015 12:10:19 GMT

Would you please send me the settings for you installation?

Re: alfresco 5.0c and kerberos

vincent-kali — Sat, 04 Apr 2015 19:43:05 GMT

could you please give me some details about the settings you want me to send ?
as explain above the issue is solved (kvno issue), but I'm of course ready to
share everything you need if it can help….

Re: alfresco 5.0c and kerberos

borisstankov — Tue, 07 Apr 2015 08:45:49 GMT

Well, I can see those error messeges in the catalina.out:
2015-04-07 11:22:18,591 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Authentication not required (filter), chaining …
2015-04-07 11:22:18,658 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-10] Authentication not required (filter), chaining …
2015-04-07 11:22:18,674 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Authentication not required (filter), chaining …
2015-04-07 11:22:18,691 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Authentication not required (filter), chaining …
2015-04-07 11:22:18,697 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Authentication not required (filter), chaining …
2015-04-07 11:22:18,720 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Authentication not required (filter), chaining …
2015-04-07 11:22:19,264 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Authentication not required (filter), chaining …
2015-04-07 11:22:19,272 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Authentication not required (filter), chaining …
2015-04-07 11:22:20,093 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] New Kerberos auth request from 192.168.192.240 (192.168.192.240:50747)
2015-04-07 11:22:20,093 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Issuing login challenge to browser.
2015-04-07 11:22:20,660 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Performing fallback authentication…
2015-04-07 11:22:20,697 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Issuing login challenge to browser.
2015-04-07 11:22:20,698 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Fallback authentication failed. Restarting login…
11:22:20,699 WARN [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] WQS unable to connect to repository: Unauthorized

At this time my browser asks me about my password in a loop and never goes our of it.

I edited: global.properties files with:
authentication.chain=kerberos1:kerberos

kerberos.authentication.realm=CORP.INT
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=Password123!
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=Password123!
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.browser.ticketLogons=true

Also I edited the /opt/alfresco-5.0/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml as expalined here: http://docs.alfresco.com/community/tasks/auth-kerberos-shareSSO.html

I have this configs in my JAVA_OPTS which are located in this file :


JAVA_HOME=/opt/alfresco-5.0/java
JRE_HOME=$JAVA_HOME
JAVA_OPTS="-XX:+DisableExplicitGC -Djava.awt.headless=true -Dalfresco.home=/opt/alfresco-5.0 -Dcom.sun.management.jmxremote -Dsun.security.krb5.msinterop.kstring=true -XX:ReservedCodeCacheSize=128m $JAVA_OPTS "
JAVA_OPTS="-XX:MaxPermSize=5120M -Xms4096M -Xmx5120M $JAVA_OPTS " # java-memory-settings
export JAVA_HOME
export JRE_HOME
export JAVA_OPTS
‍‍‍‍‍‍‍‍‍

THose are the configs for my /etc/krb5.conf file (the DOMAIN is my domain and it's the correct one in the real file):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
proxiable = true

[realms]
DOMAIN= {
kdc = dc1.domain
admin_server = dc1.domain
}

[domain_realm]
.corp.int = DOMAIN
corp.int = DOMAIN

Both keyfiles are location in the /etc dir.

I created a file java.login.config under here:/opt/alfresco-5.0/java/lib/security with the following code (system.domain = my alfresco fqdn):


Alfresco {
        com.sun.security.auth.module.Krb5LoginModule sufficient;
    };

    AlfrescoCIFS {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="/etc/cifsportal2.keytab"
        principal="cifs/system.domain";
    };

    AlfrescoHTTP {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="/etc/httpportal2.keytab"
        principal="HTTP/system.domain";
    };

    ShareHTTP {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="/etc/httpportal2.keytab"
        principal="HTTP/system.domain";
    };

    com.sun.net.ssl.client {
        com.sun.security.auth.module.Krb5LoginModule sufficient;
    };

    other {
        com.sun.security.auth.module.Krb5LoginModule sufficient;
    };
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

I also edited the java.security file in the same dir by adding this line:
login.config.url.1=file:${java.home}/lib/security/java.login.config

Do you have any idea if I'm missing some and I should add it, or I setup some of the setting not in the right way?

Regards!

Re: alfresco 5.0c and kerberos

vincent-kali — Tue, 07 Apr 2015 14:07:05 GMT

Hi,
Could you first validate your SSO Kerberos config using CIFS (you'll bypass all possible misconfiguration on the client browser) ?
Are you running Alfresco on Linux ?
Here are the main steps to follow: (Assuming your KDC is an MS AD DC)
- Service account creation with correct UPN/SPN
- Linux Keberos client config (krb5.conf)
- Test Kinit (krb5-user package on debian) to check that authentication is correct
   -> kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC
- Generate keytab (with correct kvno !!)
   -> I'm using ktpass on linux. Check service account's kvno on AD (attribute msDS-KeyVersionNumber, don't forget to show 'constructed' user attributes on AD Users&Computers)
- Test Kinit using keytab
   -> kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC -k -t myKeytabFile
Could you confirm you did this successfully ? (I'll post my alf config soon if you need).

Vincent

Re: alfresco 5.0c and kerberos

borisstankov — Wed, 08 Apr 2015 08:59:42 GMT

Hi,

You assumed correctly.
My alfresco version 5.0.c is on centOS 6.5 and our MS AD is on Windows Server 2012.

Thanks for the notes you sent, we checked them closely with our team here. At this point:
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC ->>> this one was Authorized, but
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC -k -t myKeytabFile ->>> this one failed

Then we generated the keytabs with the correct knvo. It was version 4, but generated it with 0 at first.
Now both commands are returning the Authozired:
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC -k -t myKeytabFile

However I'm still not able to use the single-sign on authentication and I can't login to alfresco using this type of authentication. here is what I can see now in the "catalina.out":

Apr 08, 2015 11:50:21 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 139796 ms
2015-04-08 11:50:21,763 WARN [scripts.solr.AlfrescoModelsDiff] [http-bio-8443-exec-2] Unable to fetch model changes from /alfresco/service/api/solr/modelsdiff
2015-04-08 11:50:21,768 WARN [scripts.solr.AlfrescoModelsDiff] [http-bio-8443-exec-1] Unable to fetch model changes from /alfresco/service/api/solr/modelsdiff
2015-04-08 11:50:22,233 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Performing fallback authentication…
Apr 08, 2015 11:50:22 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [cmisatom10] in context with path [/alfresco] threw exception
org.alfresco.service.namespace.InvalidQNameException: A QName must consist of a local name
   at org.alfresco.service.namespace.QName.createQName(QName.java:87)
   at org.alfresco.repo.security.person.PersonServiceImpl.getChildNameLower(PersonServiceImpl.java:1768)
   at org.alfresco.repo.security.person.PersonServiceImpl.getPersonOrNullImpl(PersonServiceImpl.java:537)
   at org.alfresco.repo.security.person.PersonServiceImpl.getUserIdentifier(PersonServiceImpl.java:1880)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:93)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:90)
   at org.alfresco.repo.tenant.TenantUtil.runAsWork(TenantUtil.java:119)
   at org.alfresco.repo.tenant.TenantUtil.runAsTenant(TenantUtil.java:88)
   at org.alfresco.repo.tenant.TenantUtil$1.doWork(TenantUtil.java:62)
   at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
   at org.alfresco.repo.tenant.TenantUtil.runAsUserTenant(TenantUtil.java:58)
   at org.alfresco.repo.tenant.TenantUtil.runAsSystemTenant(TenantUtil.java:112)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:89)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:86)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:342)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.authenticateImpl(AuthenticationComponentImpl.java:84)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:162)
   at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:68)
   at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:195)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
   at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy64.authenticate(Unknown Source)
   at org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver.authenticateRequest(SSOFallbackBasicAuthenticationDriver.java:120)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.performFallbackAuthentication(BaseSSOAuthenticationFilter.java:604)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.authenticateRequest(BaseKerberosAuthenticationFilter.java:279)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:155)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy274.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.CmisSecurityContextCleanerFilter.doFilter(CmisSecurityContextCleanerFilter.java:49)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
   at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2378)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)

<b>
11:50:22,377 WARN [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] WQS unable to connect to repository: Internal Server Error
2015-04-08 11:50:24,388 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Performing fallback authentication…
</b>

All the BEST!

Re: alfresco 5.0c and kerberos

vincent-kali — Tue, 21 Apr 2015 13:24:58 GMT

Hi
Sorry for the delay I was in vacation…
To be honest I never tried Kerberos SSO for HTTP with share (does not make sense for us as users needs to log on from the Internet).
I know that you need to configure extra things for HTTP SSO like delegation on AD.
Do you have the opportunity to test Kerberos SSO using on CIFS connector ? (this may help to identify the source of the issue)

Vincent

Re: alfresco 5.0c and kerberos

borisstankov — Thu, 23 Apr 2015 08:11:58 GMT

Hi Vincent,

Nice to hear form you again and there is no problem in the delay.

Ok, let's try from a different point of view.
Here is what I want to achive:
Our alfresco is only for internal use of all employees of our company. Every employee has a LDAP AD account and we want to configure those accounts to use single-sign on, meaning then do not have to enter user and passowrd when they open the url link for the alfresco.

I never used kerberos before and maybe I'm doing it wrong.

Please let me know if you think that I need to do some changes or I should do something else entirely.

Boris

Re: alfresco 5.0c and kerberos

vincent-kali — Thu, 23 Apr 2015 16:14:50 GMT

Hi Boris,
I understand your needs.
My point is that I never experienced kerberos SSO on share (what you want to do).
But I configured very often kerberos sso on CIFS connector. My suggestion is to try first
to make this working (kerberos sso on CIFS) which is less complicated, and could valide the whole config (alfresco, AD, kerberos client).
Did you enable CIFS connector ?
Vincent

Re: alfresco 5.0c and kerberos

borisstankov — Fri, 24 Apr 2015 13:23:51 GMT

Hi Vicent,

Thanks for helping me about this problem - its much appriciated!

Sorry, but I'm not sure how I can do the thing you described above. Would you please give me some pointers, steps, advice or etc?

Cheers,
Bobi

Re: alfresco 5.0c and kerberos

vincent-kali — Wed, 29 Apr 2015 21:13:57 GMT

Hi Boris,
here's a config example to make CIFS with Kerberos SSO working (alfresco-share.properties)
Could you make this working: accessing the CIFS share from a Workstation in your domain ?


###LDAP###
ldap.authentication.active=true
ldap.synchronization.active=true

#ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@MYDOMAIN.LOC
ldap.authentication.java.naming.provider.url=ldap://1.2.3.4:389
ldap.authentication.defaultAdministratorUserNames=administrator
ldap.synchronization.java.naming.security.principal=userThatCanReadADUsersProperties@MYDOMAIN.LOC
ldap.synchronization.java.naming.security.credentials=userPassword

###ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
###ldap.synchronization.groupDifferentialQuery=(objectclass\=group)
###ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
###ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=ou\=GROUPS,dc\=MYDOMAIN,dc=LOC
ldap.synchronization.userSearchBase=ou\=USERS,dc\=MYDOMAIN,dc=LOC

## fileserver subsystem
filesystem.name=NAME_OF_CIFS_SHARE
cifs.enabled=true
cifs.serverName=myServerName
cifs.domain=MYDOMAIN.LOC
cifs.hostannounce=false
##cifs.pseudoFiles.enabled=true
## turn off Desktop actions
cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url
ftp.enabled=false
nfs.enabled=false

### AUTH & SYNC ###
authentication.chain=kerberos1:kerberos,my-domain:ldap-ad,alfrescoNtlm1:alfrescoNtlm
### LDAP SYNC SUBSYSTEM ###
# startup and authent sync process always is differential mode sync mode (if false, sync is in full mode):
synchronization.synchronizeChangesOnly=true

# The cron expression defining when imports should take place
## Synchro toutes les 30 minutes
synchronization.import.cron=0 0/15 * * * ?

synchronization.syncWhenMissingPeopleLogIn=true
# Should we trigger a differential sync on startup?
synchronization.syncOnStartup=true

synchronization.allowDeletions=true
## disable home folders creation
ldap.synchronization.defaultHomeFolderProvider=companyHomeFolderProvider

## KERBEROS
kerberos.authentication.realm=MYDOMAIN.LOC
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.sso.enabled=false

kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator

kerberos.authentication.cifs.configEntryName=Alfresco5-CIFS // should match JAAS config entry and AD account
kerberos.authentication.cifs.password=userPassword

kerberos.authentication.http.configEntryName=Alfresco5-HTTP  // should match JAAS config entry and AD account
kerberos.authentication.http.password=userPassword
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.stripUsernameSuffix=true
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: alfresco 5.0c and kerberos

borisstankov — Fri, 08 May 2015 12:26:24 GMT

HI Vincent,

Sorry for the late reply, but I was out of office.

I'm not sure how to use those:


## fileserver subsystem
filesystem.name=NAME_OF_CIFS_SHARE
cifs.enabled=true
cifs.serverName=myServerName
cifs.domain=MYDOMAIN.LOC
cifs.hostannounce=false
##cifs.pseudoFiles.enabled=true
## turn off Desktop actions
cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url
ftp.enabled=false
nfs.enabled=false
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Would you please give me more details about them and how to use them correctly?

(I already tested with the configs, but nothing much happens, because I'm not sure what are the correct values of those properties.)

Thanks a lot man!

Re: alfresco 5.0c and kerberos

vincent-kali — Tue, 12 May 2015 12:36:23 GMT

Hi,

the most important is:

filesystem.name=NAME_OF_CIFS_SHARE -> name of your CIFS share

cifs.enabled=true -> enable CIFS for Alfresco

cifs.serverName=myServerName -> the NetBIOS name of the CIFS server

cifs.domain=MYDOMAIN.LOC -> the domain name, must match your AD domain and kerberos realm

-> could you check your log when starting alfresco, and look for
'Startup of 'Authentication' subsystem…' and
'Starting 'fileServers' subsystem…'

try to access your alfresco using \\alfrescoServerName\NAME_OF_CIFS_SHARE

and check here for options: http://docs.alfresco.com/community/concepts/fileserv-subsystem-CIFS.html

Regards,
Vincent

Re: alfresco 5.0c and kerberos

sudheer424 — Sat, 23 May 2015 12:13:12 GMT

I have followed the documentation to set up kerberos for AD authentication .Your config files match with mine .There are no errors found in the log file during startup of alfresco services.The web application is working fine.However when i access from windows 7 machine connected to AD(Microsoft 2008 R2 server)the CIFS shared folders i get an error as shown in the image. I have implemented Alfresco on Ubuntu server.

Any suggestions on this issue,and also please post your config files.

Thank You,
Sudheer

Re: alfresco 5.0c and kerberos

vincent-kali — Tue, 26 May 2015 19:21:10 GMT

Hi,
When you say "windows 7 machine connected to AD" you mean integrated in a 2008 R2 AD domain ?
Could you please post the Catalina.out trace when error occurs ?
Could you please confirm that you have kerberos enabled for CIFS ?
Did you check that the KVNO set in your keytab file is matching the service account in AD ?

Vincent