topic Re: passthru with 2 different domains works every other time in Alfresco Archive

passthru with 2 different domains works every other time

gnyce — Fri, 25 Sep 2015 11:02:19 GMT

According to http://docs.alfresco.com/community/concepts/auth-passthru-domainprops.html I can have two different domains with two different domain-controllers doing the authentication (for CIFS). So let's say I have: passthru.authentication.servers=WINDOM.COM\\master.domain.com,SMBDOM\\samba4.anot

Re: passthru with 2 different domains works every other time

mrogers — Fri, 25 Sep 2015 12:53:30 GMT

SMB authentication is generally an oddity and needs to be described separately. I don't see anything on that page talking about how passthrough applies to the different authentication methods so perhaps that should be added. You can't chain NTLM authentication. If it is indeed load balancing between the two domain controllers then your behaviour is exactly what I'd expect.

I think there needs to be a little more investigation and clarification of that page since it may be misleading, unfortunately I don't have the answers off the top of my head so some investigation is required.

Re: passthru with 2 different domains works every other time

gnyce — Fri, 25 Sep 2015 13:06:41 GMT

OK, thank you mrogers. I'll add some detail, in case that helps. I am taking that page at face value, so if that is not quite the case, that might make a difference. Specifically the parts to which I refer are:

- "If the client specifies a domain name in its login request, then the appropriate server will be used for the authentication.
- Domain mappings can also be specified to route authentication requests to the appropriate server.
- If a server handles authentication for multiple domains then multiple entries can be added in the server list prefixed with each domain name."
__________________

My auth chain is: alfrescoNTLM, passthru, ldap. My ./tomcat/shared/classes/alfresco-global.properties has these lines:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1assthru,ldap1:ldap
alfresco.authentication.authenticateCIFS=false
ntlm.authentication.sso.enabled=false
ntlm.authentication.authenticateCIFS=false
passthru.authentication.authenticateCIFS=true
ldap.authentication.active=yes
ldap.authentication.authenticateCIFS=false

which I think means that CIFS should only apply to the passthru subsystem. So I don't think what I'm doing is "different authentication methods" for CIFS, but rather, wholly within the passthru subsystem, using multiple (distinct) domains.

Re-reading the doc page, I notice that I am missing one thing in my config… "There must be at least one entry in the server list that does not have a domain prefix. This is the catch all entry that will be used if the client domain cannot be determined from the NTLM request or using domain mapping." I will try that when I get some downtime scheduled.