4.2e kerberos auth error

vincent-kali
Star Contributor
[Alfresco CE 4.2e on linux debian, MS2008R2 AD Ctrl]

Hi,
I'm trying to set up Kerberos auth with MS AD / SSO for the file server and HTTP.
I always get the same error when starting Alfresco:
   javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

I did the following:

1) Create AD users on my DC 2008R2:
    AlfrescoCIFS
    AlfrescoHTTP
    (Password never expires, Disable “User must change password at next logon”, Do not require Kerberos preauthentication)


2) Create keytab files on my DC 2008R2:
     ktpass -princ cifs/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL -pass * -mapuser MYDOMAIN\AlfrescoCIFS -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out AlfrescoCIFS.keytab -kvno 0

     ktpass -princ HTTP/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL -pass * -mapuser MYDOMAIN\AlfrescoHTTP -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out AlfrescoHTTP.keytab -kvno 0

   And copy the files to /etc/keys on my Alfresco server (Linux Debian)

3) Create SPN (and verify)
     setspn -a cifs/alfrescoserver.mydomain.local AlfrescoCIFS   
     setspn -a cifs/alfrescoserver AlfrescoCIFS   
     setspn -a HTTP/alfrescoserver.mydomain.local AlfrescoHTTP   
     setspn -a HTTP/alfrescoserver AlfrescoHTTP   


4) Create /etc/krb5.conf on the Alfresco server

    [libdefaults]
     default_realm = MYDOMAIN.LOCAL
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac

    [realms]
     MYDOMAIN.LOCAL = {
      kdc = mydc.mydomain.local
      admin_server = mydc.mydomain.local
     }

    [domain_realm]
     mydomain.local = MYDOMAIN.LOCAL
     .mydomain.local = MYDOMAIN.LOCAL

5) Update the Java security config file on the Alfresco server: /opt/alfresco-4.2.e/java/jre/lib/security/java.security:
   #
   # Default login configuration file
   #
   #login.config.url.1=file:${user.home}/.java.login.config
   login.config.url.1=file:${java.home}/lib/security/java.login.config

6) Create the file /opt/alfresco-4.2.e/java/jre/lib/security/java.login.config

   Alfresco {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   AlfrescoCIFS {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      keyTab="/etc/keys/AlfrescoCIFS.keytab"
      principal="cifs/alfrescoserver.mydomain.local";
   };
   
   AlfrescoHTTP {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      keyTab="/etc/keys/AlfrescoHTTP.keytab"
      principal="HTTP/alfrescoserver.mydomain.local";
   };
   
   com.sun.net.ssl.client {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };

   other {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   
Restart the server: same error.

I'm trying from a Windows client to test the keytab files, and I get the same error:

>kinit -k -t AlfrescoHTTP.keytab "HTTP/alfrescoserver.mydomain.local"
   Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
   KrbException: Client not found in Kerberos database (6)


I understand that my keytab files are wrong/corrupted? Is this correct?
Am I missing something? Anything to test?

Please help!


Thanks,
Vincent
2 REPLIES

vincent-kali
Star Contributor
Some updates:
I'm facing EXACTLY the problem described here: http://social.technet.microsoft.com/Forums/windowsserver/fr-FR/1fcca58d-ea35-423e-9c59-9c1329642e16/...

Not an Alfresco issue, but a Kerberos/keytab issue.
When creating a keytab file for a regular user using KTPASS.EXE on the AD controller, everything is OK (tested using kinit from the Alfresco server).
When creating a keytab for the service account HTTP/alfrescoserver.mydomain.local, the following error occurs:
   > kinit -V AlfrescoHTTP -k -t keys/AlfrescoHTTP.keytab
    Using default cache: /tmp/krb5cc_0
    Using principal: AlfrescoHTTP@MYDOMAIN.LOCAL
    Using keytab: keys/AlfrescoHTTP.keytab
    kinit: Key table entry not found while getting initial credentials

The domain controller sends back "PRINCIPAL UNKNOWN", but the SPN is correctly set.
It seems that the syntax "HTTP/myserver…" using "/" is not supported.

Did any of you implement Kerberos auth against a 2008R2 DC successfully?
Any idea?

Thanks in advance

vincent-kali
Star Contributor
I finally found the issues:
- Duplicate UPN (I had checked for duplicate SPNs using setspn -X, not for UPNs. I finally did it using an LDAP query, and removed the duplicates).
- Issue with ktpass using the /mapuser option: this resets the user's password on the 2008R2 DC (at least in my context); so I had to map the user manually, and run ktpass without this option.

Vincent
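One way to run the duplicate-UPN check the last reply describes, added here as an example and not part of Vincent's posts: the functions below scan LDIF output (as produced by ldapsearch) for userPrincipalName values shared by more than one object and list the objects carrying a given UPN. The ldapsearch host, bind DN and base DN in the comment are placeholders, and the LDIF is constructed.

```shell
# Added example: detect duplicate userPrincipalName values in AD LDIF output.
# The LDIF would come from a query such as (placeholders for host and DNs):
#   ldapsearch -LLL -H ldap://mydc.mydomain.local -x -D 'MYDOMAIN\admin' -W \
#     -b 'DC=mydomain,DC=local' '(userPrincipalName=*)' dn userPrincipalName

# Read LDIF on stdin; print each UPN that occurs more than once (lower-cased,
# since AD matches UPNs case-insensitively), one per line.
find_duplicate_upns() {
    awk 'tolower($1) == "userprincipalname:" { print tolower($2) }' \
      | sort | uniq -d
}

# Read LDIF on stdin; print the DN of every object whose UPN equals $1.
dns_for_upn() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        $1 == "dn:" { dn = substr($0, 5) }
        tolower($1) == "userprincipalname:" && tolower($2) == want { print dn }'
}

# Return 0 when the LDIF in $1 has no duplicate UPNs, 1 otherwise; on failure
# print each duplicate with the objects that carry it.
check_upns() {
    dups=$(printf '%s' "$1" | find_duplicate_upns)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups" | while IFS= read -r upn; do
        printf 'duplicate UPN %s on:\n' "$upn"
        printf '%s' "$1" | dns_for_upn "$upn" | sed 's/^/  /'
    done
    return 1
}

# Constructed sample: the HTTP service account shares its UPN with a stale
# object, the situation that produced "Client not found in Kerberos database".
SAMPLE_LDIF='dn: CN=AlfrescoHTTP,OU=Services,DC=mydomain,DC=local
userPrincipalName: HTTP/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL

dn: CN=OldAlfresco,OU=Stale,DC=mydomain,DC=local
userPrincipalName: http/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL

dn: CN=AlfrescoCIFS,OU=Services,DC=mydomain,DC=local
userPrincipalName: cifs/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL
'

check_upns "$SAMPLE_LDIF"   # exits non-zero and names both objects
```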