topic Kerberos / LDAP-AD (Samba 4) and File Service SSO in Alfresco Forum https://connect.hyland.com/t5/alfresco-forum/kerberos-ldap-ad-samba-4-and-file-service-sso/m-p/3743#M1482 <HTML><HEAD></HEAD><BODY><P>Hi All !</P><P></P><P>I'm currently&nbsp;working on the setup of an Alfresco Community server.&nbsp;I am running version 5.2.0&nbsp;on a freshly installed Ubuntu 16.04 64bits server.</P><P></P><P>This server will be used in a&nbsp;network containing a domain (Active Directory type, but managed by Samba 4). I have already setup LDAP&nbsp;and Kerberos auth (web user auth is working correctly), but while startup logs show me everything is alright, I cannot get Kerberos to authenticate my domain users for file service.</P><P></P><P>Here is the error stack I get when trying to login through netbios from a Windows Client :</P><PRE style="padding-left: 30px;">2017-01-19 09:52:29,760 ERROR [org.alfresco.fileserver] [AlfJLANWorker19] Error from JLAN<BR />GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)<BR /> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)<BR /> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)<BR /> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)<BR /> at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)<BR /> at java.security.AccessController.doPrivileged(Native Method)<BR /> at javax.security.auth.Subject.doAs(Subject.java:360)<BR /> at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1543)<BR /> at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1427)<BR /> at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$2(EnterpriseCifsAuthenticator.java:1311)<BR /> at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:904)<BR /> at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:1)<BR /> at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)<BR /> at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:648)<BR /> at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processAlfrescoSessionSetup(EnterpriseCifsAuthenticator.java:887)<BR /> at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:689)<BR /> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<BR /> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<BR /> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<BR /> at java.lang.reflect.Method.invoke(Method.java:498)<BR /> at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)<BR /> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)<BR /> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)<BR /> at com.sun.proxy.$Proxy209.processSessionSetup(Unknown Source)<BR /> at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:417)<BR /> at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:223)<BR /> at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1481)<BR /> at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:149)<BR /> at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)<BR /> at java.lang.Thread.run(Thread.java:745)<BR />Caused by: KrbException: Checksum failed<BR /> at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)<BR /> at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)<BR /> at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)<BR /> at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)<BR /> at sun.security.krb5.KrbApReq.&lt;init&gt;(KrbApReq.java:149)<BR /> at sun.security.jgss.krb5.InitSecContextToken.&lt;init&gt;(InitSecContextToken.java:108)<BR /> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)<BR /> ... 28 more<BR />Caused by: java.security.GeneralSecurityException: Checksum failed<BR /> at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)<BR /> at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)<BR /> at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100)<BR /> ... 34 more<BR />2017-01-19 09:52:29,762 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] [AlfJLANWorker19] No SPNEGO response, Kerberos logon failed</PRE><P>Here is&nbsp;what I get when starting Alfresco server :</P><PRE style="padding-left: 30px;">2017-01-19 09:51:12,316 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful<BR />2017-01-19 09:51:12,317 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal http/myserver.mydomain@MYREALM<BR />2017-01-19 09:51:12,394 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful<BR />2017-01-19 09:51:12,394 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal http/myserver.mydomain@MYREALM</PRE><P>Here is my&nbsp;alfresco-global.properties :</P><PRE style="padding-left: 30px;">###############################<BR />## Common Alfresco Properties #<BR />###############################<BR /><BR />dir.root=/opt/alfresco/alf_data<BR /><BR />dir.contentstore=/home/alfresco/contentstore<BR />dir.contentstore.deleted=/home/alfresco/contentstore.deleted<BR /><BR />alfresco.context=alfresco<BR />alfresco.host=alfresco.public<BR />alfresco.port=8080<BR />alfresco.protocol=http<BR /><BR />share.context=share<BR />share.host=alfresco.public<BR />share.port=8080<BR />share.protocol=http<BR /><BR />cifs.enabled=true<BR />cifs.serverName=myserver<BR />cifs.domain=DOMAIN<BR />cifs.hostannounce=true<BR />cifs.tcpipSMB.port=1445<BR />cifs.netBIOSSMB.namePort=1137<BR />cifs.netBIOSSMB.datagramPort=1138<BR />cifs.netBIOSSMB.sessionPort=1139<BR /><BR />### database connection properties ###<BR />db.driver=org.postgresql.Driver<BR />db.username=alfresco<BR />db.password=is2t<BR />db.name=alfresco<BR />db.url=jdbc:postgresql://localhost:5432/${db.name}<BR />db.pool.max=275<BR />db.pool.validate.query=SELECT 1<BR /><BR /># The server mode. Set value here<BR /># UNKNOWN | TEST | BACKUP | PRODUCTION<BR />system.serverMode=UNKNOWN<BR /><BR />### FTP Server Configuration ###<BR />ftp.port=2121<BR /><BR />### RMI registry port for JMX ###<BR />alfresco.rmi.services.port=50500<BR /><BR />### External executable locations ###<BR />ooo.exe=/opt/alfresco/libreoffice/program/soffice.bin<BR />ooo.enabled=true<BR />ooo.port=8100<BR />img.root=/opt/alfresco/common<BR />img.dyn=${img.root}/lib<BR />img.exe=${img.root}/bin/convert<BR /><BR />jodconverter.enabled=false<BR />jodconverter.officeHome=/opt/alfresco/libreoffice<BR />jodconverter.portNumbers=8100<BR /><BR />### Initial admin password ###<BR />alfresco_user_store.adminpassword=verysecret<BR /><BR />### E-mail site invitation setting ###<BR />notification.email.siteinvite=false<BR /><BR />### License location ###<BR />dir.license.external=/opt/alfresco<BR /><BR />### Solr indexing ###<BR />index.subsystem.name=solr4<BR />dir.keystore=${dir.root}/keystore<BR />solr.host=localhost<BR />solr.port.ssl=8443<BR /><BR />### Allow extended ResultSet processing<BR />security.anyDenyDenies=false<BR /><BR />### Smart Folders Config Properties ###<BR />smart.folders.enabled=false<BR /><BR />### Remote JMX (Default: disabled) ###<BR />alfresco.jmx.connector.enabled=false<BR /><BR />authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm<BR /><BR />ntlm.authentication.sso.enabled=false<BR />ldap.authentication.allowGuestLogin=false<BR />ldap.authentication.userNameFormat=%s@mydomain<BR />ldap.authentication.java.naming.provider.url=ldap://myserver.mydomain:389<BR />ldap.authentication.defaultAdministratorUserNames=someusers<BR />ldap.synchronization.java.naming.security.principal=alfresco@mydomain<BR />ldap.synchronization.java.naming.security.credentials=verysecret<BR />ldap.synchronization.groupSearchBase=ou=Groups,ou=MyOU,dc=my,dc=domain<BR />ldap.synchronization.userSearchBase=ou=Users,ou=MyOU,dc=my,dc=domain<BR />ldap.synchronization.personQuery=memberOf=CN=Employees,OU=Groups,OU=MyOU,DC=my,DC=domain<BR />ldap.synchronization.userIdAttributeName=sAMAccountName<BR />ldap.synchronization.userFirstNameAttributeName=givenName<BR />ldap.synchronization.userLastNameAttributeName=sn<BR />ldap.synchronization.userEmailAttributeName=mail<BR />ldap.synchronization.groupIdAttributeName=cn<BR />ldap.synchronization.groupType=group<BR />ldap.synchronization.personType=user<BR />ldap.synchronization.groupMemberAttributeName=member<BR />ldap.synchronization.enableProgressEstimation=true<BR /><BR />kerberos.authentication.realm=MYREALM<BR />kerberos.authentication.sso.enabled=true<BR />kerberos.authentication.authenticateCIFS=true<BR />kerberos.authentication.user.configEntryName=alfresco<BR />kerberos.authentication.cifs.configEntryName=cifsalfresco<BR />kerberos.authentication.http.configEntryName=httpalfresco<BR />kerberos.authentication.cifs.password=verysecret<BR />kerberos.authentication.http.password=verysecret<BR />kerberos.authentication.defaultAdministratorUserNames=someusers<BR />kerberos.authentication.cifs.enableTicketCracking=false<BR />kerberos.authentication.stripUsernameSuffix=true<BR /><BR /><BR />mail.host=mymta.domain<BR />mail.port=25<BR />mail.encoding=UTF-8<BR />mail.smtp.auth=false</PRE><P>I have generate my two keytab files using samba-tools (the command is&nbsp;<EM>/usr/local/samba/bin/samba-tool domain exportkeytab --principal myserver.mydomain@MYREALM /tmp/cifsalfresco.keytab</EM>). Here is the result of a klist -ket :</P><PRE style="padding-left: 30px;">Keytab name: FILE:/etc/keytables/cifsalfresco.keytab<BR />KVNO Timestamp Principal<BR />---- ------------------- ------------------------------------------------------<BR /> 2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (arcfour-hmac)<BR /> 2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (aes256-cts-hmac-sha1-96)<BR /> 2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (aes128-cts-hmac-sha1-96)<BR /> 2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (des-cbc-md5)<BR /> 2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (des-cbc-crc)</PRE><P>Finally, here is my /etc/krb5.conf file :</P><PRE style="padding-left: 30px;">[logging]<BR /> default = FILE:/var/log/krb5libs.log<BR /> kdc = FILE:/var/log/krb5kdc.log<BR /> admin_server = FILE:/var/log/kadmind.log<BR /><BR />[libdefaults]<BR /> default_realm = MYREALM<BR /> allow_weak_crypto = yes<BR /> default_tkt_enctypes = rc4-hmac<BR /> default_tgs_enctypes = rc4-hmac<BR /><BR />[realms]<BR /> MYREALM = {<BR /> kdc = myadserver.mydomain<BR /> kpasswd_server = myadserver.mydomain<BR /> admin_server = myadserver.mydomain<BR /> }<BR /><BR />[domain_realm]<BR /> myadserver.mydomain = MYREALM<BR /> .myadserver.mydomain = MYREALM</PRE><P>I can't figure what I am missing here. Any help would be greatly appreciated. Please let me know if more information could be usefull.</P><P></P><P>Thanks !</P><P></P><P>Gilles</P></BODY></HTML> Thu, 19 Jan 2017 11:58:06 GMT gguillotin 2017-01-19T11:58:06Z Kerberos / LDAP-AD (Samba 4) and File Service SSO https://connect.hyland.com/t5/alfresco-forum/kerberos-ldap-ad-samba-4-and-file-service-sso/m-p/3743#M1482 Hi All !I'm currently&nbsp;working on the setup of an Alfresco Community server.&nbsp;I am running version 5.2.0&nbsp;on a freshly installed Ubuntu 16.04 64bits server.This server will be used in a&nbsp;network containing a domain (Active Directory type, but managed by Samba 4). I have already setup LDAP&nbsp;and Kerberos a Thu, 19 Jan 2017 11:58:06 GMT https://connect.hyland.com/t5/alfresco-forum/kerberos-ldap-ad-samba-4-and-file-service-sso/m-p/3743#M1482 gguillotin 2017-01-19T11:58:06Z Re: Kerberos / LDAP-AD (Samba 4) and File Service SSO https://connect.hyland.com/t5/alfresco-forum/kerberos-ldap-ad-samba-4-and-file-service-sso/m-p/3744#M1483 <HTML><HEAD></HEAD><BODY><P>Probably it isn't working because Samba&nbsp;wasn't supporting MIT Kerberos. Since a while now they do in a experimental stage. I am currently trying that <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://connect.hyland.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />:&nbsp;<A href="https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC" rel="nofollow noopener noreferrer">https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC</A><BR /><BR />Will come back to report my results.</P></BODY></HTML> Fri, 07 Jun 2019 16:49:58 GMT https://connect.hyland.com/t5/alfresco-forum/kerberos-ldap-ad-samba-4-and-file-service-sso/m-p/3744#M1483 mmuller88 2019-06-07T16:49:58Z