CIFS and Kerberos authentication errors

cmgray
Champ in-the-making
I've searched for answers to this problem and have yet to see anyone that is experiencing what I am right now.

I have Community 3.2r2 set up to use Kerberos authentication for CIFS.

I have the configuration all set from what I can tell; after some back and forth we finally got the CIFS principal and keytabs set correctly, so that I get this in the log when I start Alfresco.


14:43:36,906 DEBUG [org.alfresco.smb.protocol.auth] Logged on using principal CIFS/dev-alfresco.my.host@MY.REALM
14:43:36,906 DEBUG [org.alfresco.smb.protocol.auth] Enabling mechTypes :-
14:43:36,906 DEBUG [org.alfresco.smb.protocol.auth]   Kerberos5
14:43:36,906 DEBUG [org.alfresco.smb.protocol.auth]   MS-Kerberos5

14:43:36,911 INFO  [org.alfresco.fileserver] CIFS server started


So that tells me that CIFS is started and that the Kerberos authentication is ready to go.

Well, when I try to authenticate I get only this in the log:

14:46:54,009 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction


I tried to trace the problem down and added some additional debugging statements into the EnterpriseCifsAuthenticator.java class, and finally got it down to this error:

Attempt to use non SSO-enabled authentication component for SSO

This is thrown on line 458 of CifsAuthenticatorBase.java.

I'm at a loss as to what to try next.  Does anyone have any ideas?

Thanks,

Chris

rosemeyer2
Champ in-the-making
Please post the configuration changes you have done to the default settings, so it's easier to find a solution. Also, did you enable logging for CIFS?

cmgray
Champ in-the-making
Here is the configuration.  Thanks for any insight you can offer.  I've turned on as much logging as I can; I even resorted at one point to setting the entire log to debug to try to figure it out, but it added no additional info.   So I went to the step of manually adding more debug statements to the EnterpriseCifsAuthenticator.java class and compiling it into my installation so I could trace what was happening.

Configuration:

kerberos.authentication.realm=REALM.NAU.EDU
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=nothing
kerberos.authentication.authenticateCIFS=true

Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    storeKey=true
    useKeyTab=true
    keyTab="/opt/alfresco/krb/srv_AlfrescoCIFS_DEV.KEYTAB"
    principal="CIFS/server.nau.edu";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/opt/alfresco/krb/srv_AlfrescoHTTP_DEV.KEYTAB"
   principal="HTTP/server.nau.edu";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};


[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = REALM.NAU.EDU
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5

[realms]
    NAU.FROOT.NAU.EDU = {
        kdc = server.nau.edu
        admin_server = server.nau.edu
    }

[domain_realm]
    server.nau.edu = REALM.NAU.EDU
    .server.nau.edu = REALM.NAU.EDU
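Two things in the krb5.conf above are worth checking before digging further into the Java side: the realm defined under [realms] (NAU.FROOT.NAU.EDU) is not the default_realm (REALM.NAU.EDU) that [domain_realm] maps the server to, which may simply be an artefact of anonymising the post, and both enctype lists are restricted to single DES, which Windows 7 does not enable by default. The checker below is an added example for this thread, not Alfresco code and not from the post: it parses the subset of krb5.conf syntax used here and flags both problems. POSTED is the configuration from the post; FIXED is a hypothetical corrected version with a matching [realms] entry and non-DES enctypes, shown for comparison only.

```python
"""Lint a krb5.conf for problems that stop clients obtaining a service ticket.
Added example for this thread, not Alfresco code.  POSTED is copied from the
post above; FIXED is a hypothetical corrected version, not a real site config."""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_krb5_conf(text: str) -> dict:
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines, and one level of 'NAME = { ... }' blocks (as under [realms])."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                 # start of a realm block
            block = line[:-1].rstrip(" =")
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def lint_krb5_conf(conf: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry "
                        f"(defined: {', '.join(realms) or 'none'})")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        enctypes = libdefaults.get(key, "").lower().split()
        if enctypes and set(enctypes) <= SINGLE_DES:
            findings.append(f"{key} allows only single DES ({' '.join(enctypes)}); "
                            "clients with DES disabled cannot get a ticket")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {host} to {realm}, "
                            "which has no [realms] entry")
    return findings


# The krb5.conf exactly as posted in the thread.
POSTED = """
[libdefaults]
    default_realm = REALM.NAU.EDU
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5

[realms]
    NAU.FROOT.NAU.EDU = {
        kdc = server.nau.edu
        admin_server = server.nau.edu
    }

[domain_realm]
    server.nau.edu = REALM.NAU.EDU
    .server.nau.edu = REALM.NAU.EDU
"""

# Hypothetical corrected version (assumption): realm names agree and the
# enctype lists name types the KDC and keytab actually support.
FIXED = """
[libdefaults]
    default_realm = REALM.NAU.EDU
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    REALM.NAU.EDU = {
        kdc = server.nau.edu
        admin_server = server.nau.edu
    }

[domain_realm]
    server.nau.edu = REALM.NAU.EDU
    .server.nau.edu = REALM.NAU.EDU
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{label}: {lint_krb5_conf(parse_krb5_conf(text)) or 'no findings'}")
```

The enctypes in FIXED are illustrative: whatever is listed there must also be present in the keytab and supported by the KDC, or the server cannot decrypt the ticket it is handed. Note also that the principal in the AlfrescoCIFS login entry ("CIFS/server.nau.edu") carries no realm suffix, so it depends on default_realm resolving correctly as well.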

dward
Champ on-the-rise
It looks like your client is trying to negotiate NTLM authentication, despite your server not offering it.

Do these help?

http://support.microsoft.com/kb/299838

http://groups.google.co.uk/group/microsoft.public.platformsdk.security/browse_thread/thread/8ce32f7a...

cmgray
Champ in-the-making
Actually, yes, that did help; it led me to try some other clients to see if the behavior differed.

So it turns out that from other machines, such as Windows XP or Mac OS X, it works fine.  But Windows 7 seems to have an issue.

I get this error message: "A specified logon session does not exist. It may already have been terminated"

So I'm not sure exactly what is causing this problem now.

-Chris

cmgray
Champ in-the-making
Actually, I take that back.  On Mac OS X, when I try to connect I get an access denied error.  In the log is the same error:  Exception doing hashed password logon: Attempt to use non SSO-enabled authentication component for SSO

It appears that the Mac is trying NTLM instead of Kerberos.  Is it even possible to do this with a mixed environment?
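dward's reply points at the client negotiating NTLM, and the last post sees the Mac doing the same. The first thing an SMB client sends in its Session Setup is a SPNEGO NegTokenInit listing the mechanisms it is willing to use, in order of preference, and the server picks the first one it supports (RFC 4178). A server that enabled only Kerberos5 and MS-Kerberos5 (the "Enabling mechTypes" log line in the first post) has nothing to pick when the client offers only NTLMSSP, or skips SPNEGO altogether and sends a raw NTLMSSP message. The decoder below is an added example for this thread, not Alfresco code: it parses that token and reports what the client offered and what the server would select. The tokens it decodes are constructed in the script rather than captured from a client, and the OID-to-name table is the example's own; on a real problem you would feed it the security blob from a packet capture of the failing client.

```python
"""Decode a SPNEGO NegTokenInit (the blob an SMB client sends at session setup)
and report which mechanisms it offers.  Added example for this thread, not
Alfresco code; the sample tokens at the bottom are constructed, not captured."""

SPNEGO = "1.3.6.1.5.5.2"
KNOWN = {                                   # mechanism OIDs seen in SMB negotiation
    "1.2.840.113554.1.2.2": "Kerberos5",
    "1.2.840.48018.1.2.2": "MS-Kerberos5",  # Microsoft's legacy Kerberos OID
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def encode_oid(oid: str) -> bytes:
    """DER OID body (no tag/length) from a dotted string."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der(tag: int, body: bytes) -> bytes:
    """One DER TLV with definite length (sufficient for tokens under 64 KiB)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the TLV) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids) -> bytes:
    """Minimal GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit whose
    mechTypes list is mech_oids, in the client's order of preference."""
    mech_list = b"".join(der(0x06, encode_oid(m)) for m in mech_oids)
    neg_token_init = der(0x30, der(0xA0, der(0x30, mech_list)))   # SEQUENCE { [0] mechTypes }
    return der(0x60, der(0x06, encode_oid(SPNEGO)) + der(0xA0, neg_token_init))


def offered_mechs(token: bytes) -> list:
    """Mechanism names the client offers, in preference order.  A client that
    skipped SPNEGO and sent a bare NTLMSSP message is reported as NTLMSSP (raw)."""
    if token.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP (raw)"]
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO:
        raise ValueError("inner token is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, seq, _ = read_tlv(neg)               # NegTokenInit SEQUENCE
    tag, mech_types, _ = read_tlv(seq)      # its first field must be [0] mechTypes
    if tag != 0xA0:
        raise ValueError("NegTokenInit has no mechTypes")
    _, oids, _ = read_tlv(mech_types)       # SEQUENCE OF MechType
    names, pos = [], 0
    while pos < len(oids):
        _, oid, pos = read_tlv(oids, pos)
        names.append(KNOWN.get(decode_oid(oid), decode_oid(oid)))
    return names


def select_mech(token: bytes, server_mechs=("Kerberos5", "MS-Kerberos5")):
    """Mechanism the server picks under RFC 4178 (first client-offered mechanism
    it supports) or None when the handshake cannot succeed.  The default server
    list mirrors the 'Enabling mechTypes' log line in the first post."""
    return next((m for m in offered_mechs(token) if m in server_mechs), None)


# Constructed sample tokens (not captures): a client holding a ticket offers
# Kerberos first with NTLM as fallback; a client with no ticket offers NTLM only;
# an old client sends raw NTLMSSP with no SPNEGO wrapper at all.
KERBEROS_CLIENT = build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
NTLM_ONLY_CLIENT = build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"])
RAW_NTLM_CLIENT = b"NTLMSSP\x00\x01\x00\x00\x00"

if __name__ == "__main__":
    for name, tok in (("kerberos", KERBEROS_CLIENT), ("ntlm-only", NTLM_ONLY_CLIENT), ("raw-ntlm", RAW_NTLM_CLIENT)):
        print(f"{name:10} offers {offered_mechs(tok)} -> server selects {select_mech(tok)}")
```

A client that lists NTLMSSP first, or only, has usually already failed to obtain a service ticket for the CIFS/ principal before it ever talks to the server; in that case the thing to chase is ticket acquisition on the client (realm mapping, the SPN the client is asking for, and enctypes the client is willing to use), not the server's SPNEGO handling.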