topic Re: LDAP and CIFS not working together in Alfresco Archive

LDAP and CIFS not working together

simon — Tue, 02 May 2006 15:28:20 GMT

Hi, yet another LDAP releated problem…We configured Alfresco to authenticate with Active Directory, wasn't easy but it works now… almost.Authentication in the web client is working fine but CIFS fails horribly. CIFS works like expected when the LDAP authentication isn't used but when we enable the L

Re: LDAP and CIFS not working together

andy — Thu, 04 May 2006 16:19:52 GMT

Hi Simon

The current CIFS code requires an MD4 password hash to work or the NTLM passthrough authentication component.
This is just how NTLM authentication chit-chit-chat works.
The LDAP authentication does not have this information to hand.
(Windows has it sneeked away or uses some other mechanism such as Kerberos) This is the only reason we use MD4 password hashes.

The situation is covered in the authentication docs.

NTLM authentication would work with CIFS and SingleSignOn, but it can not go against multiple servers, nor is it being updated as part of the CIFS upgrades. You could chain them together but CIFS does not do similar chaining yet. I have raised this with our CIFS expert.

Work is active to support the more advanced options for CIFS authentication. Here are the quotes….

The new CIFS authenticator can use MD4 hashes if the auth component supports it, that allows the client to use NTLMv1 or v2, and/or also do kerberos to AD, depending on what the client decides to do.

A Windows domain workstation will use kerberos whereas a non-domain client tends to use NTLMv2, also tested with Mac OSX, that used NTLMv2

It would be possible to store MD4 hashes in memory for people who had previously authenticated against the repo….then use these. You must have logged in at least one to the repo to use CIFS. Would this do? I have no other ideas here …

Hope this explains it.

Regards

Andy

Re: LDAP and CIFS not working together

simon — Thu, 04 May 2006 21:07:08 GMT

Thanks Andy!

So there are 2 different sollutions here: NTLM or MD4 hashing. The NTLM authentication solves the MD4 hashing as I understand from your schema, correct?

NTLM is a problem for some reasons in our current setup (no login page to show messages, problems with our OpenLDAP authentication,…) so I would like to solve the MD4 hashing problem without using NTLM. Is this possible?

How do I use MD4 hashing for the CIFS interface?!

Would be nice to have it up and running before the weekend.

Re: LDAP and CIFS not working together

andy — Fri, 05 May 2006 10:49:09 GMT

Hi Simon

The diagram shows how it will be ….

CIFS uses NTLM/NTLMv2/Kerberos under the hood.
It has its own authentication dialog between the client and our own CIFS server code.

For an authentication service to fit in with current CIFS authentication it has to provide passthrough NTLM support or be able to provide the MD4 password hash. This is then used between our server and the CIFS client in the authentication protocol.

So how can LDAP in general get the MD4 password hash given a user name?
The answer is it can not.

There are two special cases - one that the password is in plain text or it is already MD4 hashed. This latter is how our base authentication service supports CIFS. The NTLM authentication component does real NTLM auth. by pass through to the real thing.

You will not be able to use CIFS with LDAP and the current release.
Simply due to the MD4 password issue. We do not support the two special cases above in the LDAP authentication.

What I was going on about (without enough background) in the previous post is …..

It is possible that as users login (and we know the password is correct) we could cache the MD4 hash of the password, and make this available for CIFS. So in effect, all authentication components could support CIFS regardless of what happens underneath. This would require code changes and the user would have to log into the repo once before they could use CIFS - which would be a bit odd.

The next release of the CIFS server may not have this restriction for clients that support Kerberos tickets, but as I understand it NTLM and NTLMv2 will still need to get hold of the MD4 hash.

I hope this explains the situation

Regards

Andy

Re: LDAP and CIFS not working together

eron123 — Wed, 09 Aug 2006 20:26:33 GMT

I am getting this same few errors, but I don't believe I'm using the CIFS syste. (I haven't rename file-servers-custom.xml.sample to .xml)

I am using LDAP, and the bottom three messages on this trace are the issue. Notice the first two lines as well, as these may be related. Can this issue come up if I'm not using the file-servers-custom.xml file? Is the license error related? We are using a valid enterprise version 1.3 of alfresco, but I have always seen this error.

13:16:54,080 WARN [DescriptorService] Alfresco license: Failed to verify license - Invalid License!
13:16:54,081 WARN [DescriptorService] Alfresco license: Restricted Alfresco Repository to read-only capability
13:16:54,082 INFO [RAMJobStore] RAMJobStore initialized.
13:16:54,082 INFO [StdSchedulerFactory] Quartz scheduler 'LicenseVerifier' initialized from an externally provided properties instance.
13:16:54,082 INFO [StdSchedulerFactory] Quartz scheduler version: 1.4.5
13:16:54,087 INFO [QuartzScheduler] Scheduler LicenseVerifier_$_NON_CLUSTERED started.
13:16:54,397 INFO [PatchExecuter] Checking for patches to apply …
13:16:54,454 INFO [PatchExecuter] No patches were required.
13:16:54,541 INFO [ContentDiskDriver] Locked files will be marked as offline
13:16:54,578 ERROR [protocol] Failed to get local domain/workgroup name, using default of WORKGROUP
13:16:54,578 ERROR [protocol] (This may be due to firewall settings or incorrect <broadcast> setting)
13:16:54,588 ERROR [org.alfresco.smb.protocol] File server configuration error, Wrong authentication setup for alfresco authenticator

Re: LDAP and CIFS not working together

hansasi — Mon, 02 Oct 2006 21:32:22 GMT

I was wondering if anyone at Alfresco (or other) could comment on the status of these proposed authentication changes. We are having the same issue with trying to enable CIFS server when using LDAP for authenticator.

Are these new proposed changes supported by the upcoming 1.4?

Thanks-
Hans

Re: LDAP and CIFS not working together

andy — Tue, 03 Oct 2006 09:56:58 GMT

Hi

CIFS can now authenticate direct to active deirectoty using kerberos.

You could use LDAP, or Kerberos to authenticate against the same AD server.

Regards

Andy