[Alfresco CE 4.2e on linux debian, MS2008R2 AD Ctrl]
Hi,
I'm trying to set up Kerberos auth with MSAD / SSO for the file server and HTTP.
I'm always facing the same error when starting alfresco:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
I did the following:
1) Create AD users on my DC 2008R2:
AlfrescoCIFS
AlfrescoHTTP
(Password never expires, Disable “User must change password at next logon”, Do not require Kerberos preauthentication)
2) Create keytab files on my DC 2008R2:
ktpass -princ cifs/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL -pass * -mapuser MYDOMAIN\AlfrescoCIFS -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out AlfrescoCIFS.keytab -kvno 0
ktpass -princ HTTP/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL -pass * -mapuser MYDOMAIN\AlfrescoHTTP -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out AlfrescoHTTP.keytab -kvno 0
And copy files to /etc/keys on my Alfresco server (linux debian)
3) Create SPN (and verify)
setspn -a cifs/alfrescoserver.mydomain.local AlfrescoCIFS
setspn -a cifs/alfrescoserver AlfrescoCIFS
setspn -a HTTP/alfrescoserver.mydomain.local AlfrescoHTTP
setspn -a HTTP/alfrescoserver AlfrescoHTTP
4) create /etc/krb5.conf on alfresco server
[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

[realms]
    MYDOMAIN.LOCAL = {
        kdc = mydc.mydomaine.local
        admin_server = mydc.mydomaine.local
    }

[domain_realm]
    mydc.mydomaine.local = MYDOMAIN.LOCAL
    .mydc.mydomaine.local = MYDOMAIN.LOCAL
5) Update JAVA Security config file on alfresco server: /opt/alfresco-4.2.e/java/jre/lib/security/java.security:
#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:${java.home}/lib/security/java.login.config
6) Create file /opt/alfresco-4.2.e/java/jre/lib/security/java.login.config
Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="/etc/keys/AlfrescoCIFS.keytab"
        principal="cifs/alfrescoserver.mydomain.local";
};

AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="/etc/keys/AlfrescoHTTP.keytab"
        principal="HTTP/alfrescoserver.mydomain.local";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};
Restart server, with error.
I also tried testing the keytab files from a Windows client, and I get the same error:
>kinit -k -t AlfrescoHTTP.keytab "HTTP/alfrescoserver.mydomain.local"
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
I understand this to mean that my keytab files are wrong/corrupted? Is this correct?
Am I missing something? Anything to test?
Please help!
Thanks,
Vincent
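A check worth running before touching the AD side, as an added example that is not part of the post above and not Alfresco's or the JDK's own code: Kerberos error 6 is KDC_ERR_C_PRINCIPAL_UNKNOWN, an error reply sent by the KDC, so kinit did read the keytab and build an AS-REQ; the KDC then failed to match the client name and realm in that request to an account. The script below parses the MIT keytab format that ktpass writes (version 0x0502), lists each entry's principal, realm, kvno and enctype, and flags entries whose realm, principal, name type or enctype differ from what the krb5.conf and the setspn/ktpass commands expect. The SAMPLE_KEYTAB bytes are constructed in-line (dummy RC4 keys) so the script runs offline; the principal and realm strings are the ones from the post, and the check function's arguments are assumptions you would replace with your own values.

```python
"""Dump and sanity-check the principals stored in a Kerberos keytab (added example)."""
import struct
import sys

# Enctype numbers from RFC 3961/4757 that matter for an AD keytab
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NT_PRINCIPAL = 1   # KRB5_NT_PRINCIPAL, the -ptype that ktpass should record


def _counted(data, pos):
    """Read a uint16-length-prefixed octet string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of entry dicts from a version-2 (0x0502) MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key": key})
    return entries


def build_keytab(entries):
    """Serialise entry dicts (enctype numeric) to keytab bytes; used here for the sample."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e["principal"].split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(e["realm"])) + e["realm"].encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e["name_type"], 0, e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_entries(entries, expected_principal, expected_realm, allowed_enctypes):
    """Return human-readable problems; an empty list means the keytab matches expectations."""
    problems = []
    for e in entries:
        who = "%s@%s" % (e["principal"], e["realm"])
        if e["realm"] != expected_realm:
            problems.append("%s: realm differs from %s (realms are case-sensitive)" % (who, expected_realm))
        if e["principal"] != expected_principal:
            problems.append("%s: principal differs from %s" % (who, expected_principal))
        if e["name_type"] != NT_PRINCIPAL:
            problems.append("%s: name type %d is not KRB5_NT_PRINCIPAL" % (who, e["name_type"]))
        if e["enctype"] not in allowed_enctypes:
            problems.append("%s: enctype %s not in %s" % (who, e["enctype"], sorted(allowed_enctypes)))
    return problems


# Constructed sample (assumption, dummy keys): one entry as ktpass -kvno 0 would write it,
# plus one with a lower-case realm, the kind of mismatch the check is meant to surface.
SAMPLE_ENTRIES = [
    {"principal": "HTTP/alfrescoserver.mydomain.local", "realm": "MYDOMAIN.LOCAL",
     "name_type": NT_PRINCIPAL, "kvno": 0, "enctype": 23, "key": bytes(range(16))},
    {"principal": "HTTP/alfrescoserver.mydomain.local", "realm": "mydomain.local",
     "name_type": NT_PRINCIPAL, "kvno": 3, "enctype": 23, "key": bytes(range(16, 32))},
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    # Usage: python keytab_check.py [/etc/keys/AlfrescoHTTP.keytab]; no argument uses the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for e in found:
        print("%-50s kvno=%-3d %s" % (e["principal"] + "@" + e["realm"], e["kvno"], e["enctype"]))
    for p in check_entries(found, "HTTP/alfrescoserver.mydomain.local", "MYDOMAIN.LOCAL", {"rc4-hmac"}):
        print("PROBLEM:", p)
```

Run it against the real AlfrescoHTTP.keytab and compare the printed principal and realm character for character with the setspn output and with default_realm in krb5.conf; the expected principal, realm and enctype set passed to check_entries are assumptions to adjust for your own environment.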