Authentication CIFS using LDAP

nshong — Fri, 06 Nov 2015 09:09:44 GMT

I can login to share using ldap user but unable login ldap user to cifs use smb:\\X.X.X.X\alfresco log show as below.[security.sync.ChainingUserRegistrySynchronizer] [AlfJLANWorker11] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries[security.sync.Chain

Re: Authentication CIFS using LDAP

mrogers — Fri, 06 Nov 2015 10:09:30 GMT

Although Authentication could be via LDAP, Sync is a different process from authentication. Your log file extract above is not relevant, expect to show you are syncing something.

What is important is your authentication configuration.

And unfortunatly SMB authentication can be complicated due to an old obsolete authentication mechanism called NTLM.

Re: Authentication CIFS using LDAP

nshong — Wed, 11 Nov 2015 02:22:00 GMT

any different [security.sync.ChainingUserRegistrySynchronizer][AlfJLANWorker] vs [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker] , do it read the same ldap-authentication.properties file?

Re: Authentication CIFS using LDAP

billydekid — Wed, 18 Nov 2015 18:14:00 GMT

Hi,
Did you mean it's hard or 'impossible' to chain alfresco native NTLM with ldap?
I've similar problem.
When try accessing \\server.name\alfresco, only internal user (registered through Alfresco user mgmt) could access that CIFS shared folder. Exported LDAP users (I used samba) will always fail, repeated pop-up window login.

What's the correct guidance combining native Alfresco NTLM and ldap?
I've read this documentation [1] but still confused

Thanks,
[bayu]

[1] http://docs.alfresco.com/4.1/concepts/auth-subsystem-types.html

Re: Authentication CIFS using LDAP

xarope — Mon, 21 Dec 2015 08:30:47 GMT

I'm stuck with CIFS authentication too. This is 5.0.d on ubuntu 14.04 x64.

I can get internal CIFS working (see step 1 below).

I can get LDAP sync to my AD's DC, so that I can authenticate through the share interface for both internal and external users (see step 2 below).

But when I then configure the passthru for CIFS authentication, internal users can no longer authenticate (which is expected, since I turned it off), but LDAP users also cannot authenticate, and all I get in tomcat's catalina.log is "<TIMESTAMP> ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker21] org.alfresco.jlan.smb.SMBException: Invalid parameter".

For the purposes of documentation, I'm going to pretend my AD domain is "TEST-TEST", with IP domain "test-test.local", and my server is testalfresco.test-test.local with IP address 10.10.1.20

1) internal CIFS is easy enough. Just need to do:


filesystem.name=Alfresco
cifs.enabled=true
cifs.serverName=testalfresco
cifs.domain=
cifs.broadcast=10.255.255.255
cifs.bindto=10.10.1.20
cifs.disableNativeCode=false
cifs.hostannounce=true
ftp.enable=false
‍‍‍‍‍‍‍‍‍‍‍

Then from a test system, "sudo mount -t cifs -o user=admin //10.10.1.20/Alfresco/sites /usr/share/testMount", type in the Alfresco admin password and it will mount the sites folder to /usr/share/testMount.

2) Next I do an LDAP sync with my AD's DC.
For this, had to configure the alfresco/extensions/subsystems/Authentication/ldap/ldap1/ldap-ad-authentication.properties file (copied the original from the alfresco-repository-5.0.d.jar file).
Main changes:


ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.provider.url=ldap://10.10.1.20:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=non-admin-user@test-test.local
ldap.synchronization.java.naming.security.credentials=thepassword
# sync all active users and groups from the entire AD tree
ldap.synchronization.groupSearchBase=dc\=test-test,dc\=local
ldap.synchronization.userSearchBase=dc\=test-test,dc\=local 
‍‍‍‍‍‍‍‍‍‍‍‍

Then, added to the authentication chain in alfresco-properties:


authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad
‍‍‍

After an alfresco service restart, I can see users and groups synchronized, and can browse/search LDAP users in Admin Tools/ Users, and Groups.

Now, I add the passthru for LDAP authentication (but not CIFS yet)

Configure /alfresco/extension/subsystems/Authentication/passthru/passthru1/passthru-authentication.properties (again, copied the original from the alfresco-repository-5.0.d.jar file).

Main changes:


passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=TEST-TEST\\10.10.1.200,10.10.1.200 # DC's IP address
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=administrator
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NetBIOS
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=true
passthru.authentication.sessionCleanup=true
passthru.authentication.broadcastMask=
‍‍‍‍‍‍‍‍‍‍‍‍‍‍

And added to the authentication chain:


authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
‍‍‍

After an alfresco service restart, I tested that I can login to the share interface with both internal and LDAP users.

Currently, CIFS for internal users is working, but not for LDAP users.

3) Following instructions found in https://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_1:_Advanced_AD_Chain

i)deactivate SSO in order to activate chained password-based login alfrescoNtlm1
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

ii) target CIFS at passthru1
ntlm.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=true

iii)target synchronization (but not authentication) at ldap1
ldap.authentication.active=false
ldap.synchronization.active=true

Note1 in that link also says that I can only have either alfresco or passthru's authenticateCIFS=true, so I will expect that I can only have either internal or LDAP users be able to use CIFS, not both at the same time.

So the main changes now are:


# you can set this in alfresco-global.properties, but I made a copy of 
# /alfresco/extension/subsystems/Authentication/passthru/passthru1/passthru-authentication.properties
# from the alfresco-repository-5.0.d.jar file, and made changes in there instead
alfresco.authentication.authenticateCIFS=false
‍‍‍‍‍‍


# in passthru1/passthru-authentication.properties
passthru.authentication.authenticateCIFS=true
‍‍‍‍


# in ldap1/ldap-ad-authentication.properties
ldap.authentication.active=false # already done in step (2)
‍‍‍‍

After an alfresco service restart, I can still login to the share interface with both internal and LDAP users, however now CIFS has stopped working for internal (expected) and sadly doesn't work for LDAP users.

"sudo mount -t cifs -o user=non-admin-user,domain=TEST-TEST //10.10.1.20/Alfresco/sites /usr/share/testMount"

just gives me an error like this in catalina.out: "TIMESTAMP ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker21] org.alfresco.jlan.smb.SMBException: Invalid parameter"

I tried to debug further by changing some parameters in /opt/alfresco-5.0.d/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties, but nothing else extra appears in the catalina.out file other than the above error about invalid parameter:


# CIFS server debugging
#log4j.logger.org.alfresco.smb.protocol=error
log4j.logger.org.alfresco.smb.protocol=debug
log4j.logger.org.alfresco.smb.protocol.auth=debug
log4j.logger.org.alfresco.acegi=debug
# passthru debug
log4j.logger.org.alfresco.passthru.auth=debug
‍‍‍‍‍‍‍‍‍

I checked with wireshark from the client side (IP=10.10.1.40) that the parameters sent for the domain login are correct, and I do see something like this:
10.10.1.40 10.10.1.20 SMB 384 Session Setup AndX Request, User: TEST-TEST\non-admin-user

I thought this would be relatively simple, and for Alfresco internal users it is, but despite numerous hits in google for how people have done it (including this very useful site: https://andoylang.wordpress.com/2010/07/20/alfresco-with-cifs/), I am at a loss for why this is not working in my test environment.

Anybody have any other suggestions?

Re: Authentication CIFS using LDAP

andrew_hegerty — Wed, 30 Dec 2015 14:01:14 GMT

Hi,
I am trying to configure 5.0d Community on CENTOS 7 work with CIFS. I am using Kerberos as the authentication method. I have Kerberos working fine for Share. I have followed the instructions on docs.alfresco to do the configuration. Now I am stuck. When I check the Audit logs from the Active Directory DC I find that for CIFS, Alfresco is trying to authenicate to AD to get a kerberos token with the username "admin". With Share it Authenticates with HTTP/teamdocs.team.local. I have no idea where it is getting "admin" from. Do you guys have any ideas?

Cheers,
Andrew

Re: Authentication CIFS using LDAP

nileshyadav326 — Thu, 15 Feb 2018 18:23:23 GMT

can u share the code please.

topic Authentication CIFS using LDAP in Alfresco Archive

Authentication CIFS using LDAP

Re: Authentication CIFS using LDAP

Re: Authentication CIFS using LDAP

Re: Authentication CIFS using LDAP

Re: Authentication CIFS using LDAP

Re: Authentication CIFS using LDAP

Re: Authentication CIFS using LDAP