CIFS login with MIT Kerberos

okelet
Champ in-the-making
Hi

We are trying to configure Alfresco Community 4.0c to authenticate using MIT Kerberos. We already have a test Kerberos server, using an LDAP backend; the Kerberos server works fine, as I can log in to the machine with SSH using Kerberos credentials, and the ticket is created. This is krb5.conf:


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = PRUEBAS.COMPANY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
krb4_convert = false

[realms]
PRUEBAS.COMPANY = {
  kdc = kerberos.pruebas.local
  admin_server = kerberos.pruebas.local
  kpasswd_server = kerberos.pruebas.local
  default_domain = kerberos.pruebas.local
}

[domain_realm]
.pruebas.local = PRUEBAS.COMPANY
pruebas.local = PRUEBAS.COMPANY

Then, I have generated some principals for the Alfresco server, and created the keytabs in it; from the Kerberos server:


kadmin.local -q "addprinc -randkey host/alfresco.pruebas.local"
kadmin.local -q "addprinc -randkey HTTP/alfresco.pruebas.local"
kadmin.local -q "addprinc -randkey cifs/alfresco.pruebas.local"
kadmin.local -q "addprinc -randkey cifs/alfrescoa"

From the alfresco server:


kadmin -p root/admin -q "ktadd -k /etc/krb5.keytab host/alfresco.pruebas.local"
kadmin -p root/admin -q "ktadd -k /etc/krb5.alfresco.http.keytab HTTP/alfresco.pruebas.local"
kadmin -p root/admin -q "ktadd -k /etc/krb5.alfresco.cifs.keytab cifs/alfresco.pruebas.local"
kadmin -p root/admin -q "ktadd -k /etc/krb5.alfresco.cifs.keytab cifs/alfrescoa"

Then, I created JAAS file (/opt/alfresco/java/jre/lib/security/java.login.config):


Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    debug=true
    useKeyTab=true
    keyTab="/etc/krb5.alfresco.cifs.keytab"
    isInitiator=false
    principal="cifs/alfresco.pruebas.local";
};

AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    debug=true
    useKeyTab=true
    keyTab="/etc/krb5.alfresco.http.keytab"
    isInitiator=false
    principal="HTTP/alfresco.pruebas.local";
};

ShareHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/krb5.alfresco.http.keytab"
    isInitiator=false
    principal="HTTP/alfresco.pruebas.local";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

I created a new properties file for the Kerberos authentication subsystem (/opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/kerberos/kerberos1/kerberos-authentication.properties); I have commented out the properties about secrets, because the principals were created with randkey:


kerberos.authentication.realm=PRUEBAS.MYCOMPANY
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=Alfresco
# kerberos.authentication.cifs.password=secret
# kerberos.authentication.http.password=secret
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.browser.ticketLogons=true

Finally, I configured the authentication chain in /opt/alfresco/tomcat/shared/classes/alfresco-global.properties (ldap1 is an authentication profile using LDAP, which works fine):


authentication.chain=alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap

Now (after restarting Alfresco), I log in to a machine by SSH, so the Kerberos ticket is generated; then I try to connect with smbclient to the Kerberos server, using Kerberos authentication, but I get an error:


[myuser@kerberos ~]$ smbclient -k -L ALFRESCOA -I XXX.XXX.XXX.XXX
session setup failed: NT_STATUS_LOGON_FAILURE

In the Alfresco / Tomcat (Catalina) log I get this:


2012-02-23 10:09:27,235  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup NTLMSSP, MID=2, UID=0, PID=8822
2012-02-23 10:09:27,242  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction
2012-02-23 10:09:27,271  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup NTLMSSP, MID=3, UID=0, PID=8822
2012-02-23 10:09:27,271  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction
2012-02-23 10:09:27,278  WARN  [smb.protocol.auth] [AlfJLANWorker4] User does not exist, myuser

So I think that alfrescoNtlm1 is trying to authenticate my Kerberos user, and when it fails it does not continue with the kerberos1 profile. If I change the order of the authentication chain to this:


authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

With this configuration, when Tomcat is started, this message appears:


Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kerberos.pruebas.local UDP:88, timeout=30000, number of retries =3, #bytes=150
>>> KDCCommunication: kdc=kerberos.pruebas.local UDP:88, timeout=30000,Attempt =1, #bytes=150
>>> KrbKdcReq send: #bytes read=177
>>> KrbKdcReq send: #bytes read=177
>>> KdcAccessibility: remove kerberos.pruebas.local
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
    cTime is Thu Feb 23 10:14:38 CET 2012 1329988478000
    sTime is Thu Feb 23 10:14:38 CET 2012 1329988478000
    suSec is 241378
    error code is 6
    error Message is Client not found in Kerberos database
    crealm is PRUEBAS.MYCOMPANY
    cname is admin
    realm is PRUEBAS.MYCOMPANY
    sname is krbtgt/PRUEBAS.MYCOMPANY
    msgType is 30
KRBError received: CLIENT_NOT_FOUND

I think this is because Alfresco is trying to authenticate the admin user against Kerberos, as it is now the first in the authentication chain. If I ignore that message and run smbclient again, I get this in the Alfresco log:


2012-02-23 10:17:03,976  DEBUG [smb.protocol.auth] [AlfJLANWorker16] NT Session setup SPNEGO, MID=2, UID=0, PID=8918
2012-02-23 10:17:03,983  DEBUG [smb.protocol.auth] [AlfJLANWorker16] Using Write transaction
2012-02-23 10:17:03,991  DEBUG [smb.protocol.auth] [AlfJLANWorker16] Kerberos AP-REQ - [AP-REQ:APOptions=,Ticket=Len=280,Authenticator=EncType=1,Kvno=-1,Len=144]
Search Subject for Kerberos V5 ACCEPT cred (cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY(1)
Found key for cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY(16)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
2012-02-23 10:17:04,023  ERROR [org.alfresco.fileserver] [AlfJLANWorker16] Error from JLAN
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
   at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAs(Subject.java:337)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1409)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1289)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$200(EnterpriseCifsAuthenticator.java:86)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:798)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:782)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:388)
   at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:594)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:781)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy217.processSessionSetup(Unknown Source)
   at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:416)
   at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:222)
   at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1439)
   at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:138)
   at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
   at java.lang.Thread.run(Thread.java:662)
Caused by: KrbException: Checksum failed
   at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:77)
   at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:69)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
   at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
   at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
   at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
   … 27 more
Caused by: java.security.GeneralSecurityException: Checksum failed
   at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:365)
   at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:56)
   at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:75)
   … 33 more
2012-02-23 10:17:04,026  DEBUG [smb.protocol.auth] [AlfJLANWorker16] No SPNEGO response, Kerberos logon failed
2012-02-23 10:17:04,029  ERROR [smb.protocol.auth] [AlfJLANWorker16] Kerberos logon error
2012-02-23 10:17:04,029  ERROR [smb.protocol.auth] [AlfJLANWorker16] org.alfresco.jlan.smb.server.SMBSrvException: Access denied

I also tried from a Windows account, with the same results. Even with the local admin account using password authentication (no Kerberos), access is denied:


2012-02-23 11:01:27,601  DEBUG [smb.protocol.auth] [AlfJLANWorker3] NT Session setup SPNEGO, MID=2, UID=0, PID=9190
2012-02-23 11:01:27,601  DEBUG [smb.protocol.auth] [AlfJLANWorker3] Using Write transaction
2012-02-23 11:01:27,605  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup SPNEGO, MID=3, UID=0, PID=9190
2012-02-23 11:01:27,608  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction

HTTP form authentication (using the browser) and Kerberos authentication (using curl, which shows the welcome page, not the login form) work fine:


curl --location --negotiate -u : http://alfresco.pruebas.local:8080/alfresco/

I have read a lot of documentation about Alfresco, but most of it is about integration with Active Directory, not the MIT Kerberos we are using. Now I am stuck; I have changed the encryption types for generating the principals and keytabs, changed the isInitiator attribute in JAAS, etc., without success.

Any idea what more I can test?

Regards and thanks in advance.
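The two CIFS traces above differ in a way that is easy to miss when reading the raw log: the first session setup arrives as NTLMSSP and ends with "User does not exist, myuser", while the second arrives as SPNEGO, carries a Kerberos AP-REQ, and ends with "Kerberos logon failed" followed by "Access denied". The following script is an added example (not Alfresco's code) that groups the `smb.protocol.auth` lines by JLAN worker thread and client PID and records, per session, the mechanism negotiated, the user named in a "User does not exist" message, and the normalized failure reasons, so that repeated failed CIFS logons can be reviewed or alerted on. The sample log lines are copied from this post; the regular expressions and the reason labels are this example's own assumptions about the log format.

```python
"""Triage Alfresco JLAN CIFS authentication log lines per session.

Added example for this thread, not Alfresco code: groups smb.protocol.auth
lines by (worker thread, client PID), notes the mechanism each session used
(NTLMSSP or SPNEGO) and why it failed.
"""
import re

# Catalina-style line: timestamp, level, [logger], [worker thread], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\[(?P<worker>[^\]]+)\]\s+(?P<msg>.*)$"
)
SETUP_RE = re.compile(r"NT Session setup (?P<mech>\w+), MID=\d+, UID=\d+, PID=(?P<pid>\d+)")
NO_USER_RE = re.compile(r"User does not exist, (?P<user>\S+)")

# Message substrings and the normalized reason they map to (assumed labels).
FAILURE_PATTERNS = [
    ("Kerberos logon failed", "kerberos logon failed"),
    ("Kerberos logon error", "kerberos logon failed"),
    ("Access denied", "access denied"),
]


def triage(lines):
    """Return {(worker, pid): session} with mechanism, user, reasons and a failed flag."""
    sessions = {}
    current = {}  # worker thread -> key of the session it is currently handling
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["logger"] not in ("smb.protocol.auth", "org.alfresco.fileserver"):
            continue  # stack-trace continuation lines and other loggers are skipped
        worker, msg = m["worker"], m["msg"]
        setup = SETUP_RE.search(msg)
        if setup:
            key = (worker, setup["pid"])
            current[worker] = key
            sessions.setdefault(key, {"first_seen": m["ts"], "mechanism": setup["mech"],
                                      "user": None, "reasons": [], "failed": False})
            continue
        key = current.get(worker)
        if key is None:
            continue  # follow-up line for a session whose setup we never saw
        s = sessions[key]
        no_user = NO_USER_RE.search(msg)
        if no_user:
            s["user"] = no_user["user"]
            reason = "user not found"
        else:
            reason = next((r for needle, r in FAILURE_PATTERNS if needle in msg), None)
        if reason:
            s["failed"] = True
            if reason not in s["reasons"]:
                s["reasons"].append(reason)
    return sessions


def failed_sessions(sessions):
    """Sorted keys of the sessions that recorded at least one failure reason."""
    return sorted(k for k, s in sessions.items() if s["failed"])


# Sample input: the log lines quoted in this thread (stack trace omitted).
SAMPLE_LOG = """\
2012-02-23 10:09:27,235  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup NTLMSSP, MID=2, UID=0, PID=8822
2012-02-23 10:09:27,242  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction
2012-02-23 10:09:27,271  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup NTLMSSP, MID=3, UID=0, PID=8822
2012-02-23 10:09:27,271  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction
2012-02-23 10:09:27,278  WARN  [smb.protocol.auth] [AlfJLANWorker4] User does not exist, myuser
2012-02-23 10:17:03,976  DEBUG [smb.protocol.auth] [AlfJLANWorker16] NT Session setup SPNEGO, MID=2, UID=0, PID=8918
2012-02-23 10:17:03,983  DEBUG [smb.protocol.auth] [AlfJLANWorker16] Using Write transaction
2012-02-23 10:17:03,991  DEBUG [smb.protocol.auth] [AlfJLANWorker16] Kerberos AP-REQ - [AP-REQ:APOptions=,Ticket=Len=280,Authenticator=EncType=1,Kvno=-1,Len=144]
2012-02-23 10:17:04,023  ERROR [org.alfresco.fileserver] [AlfJLANWorker16] Error from JLAN
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
2012-02-23 10:17:04,026  DEBUG [smb.protocol.auth] [AlfJLANWorker16] No SPNEGO response, Kerberos logon failed
2012-02-23 10:17:04,029  ERROR [smb.protocol.auth] [AlfJLANWorker16] Kerberos logon error
2012-02-23 10:17:04,029  ERROR [smb.protocol.auth] [AlfJLANWorker16] org.alfresco.jlan.smb.server.SMBSrvException: Access denied
2012-02-23 11:01:27,601  DEBUG [smb.protocol.auth] [AlfJLANWorker3] NT Session setup SPNEGO, MID=2, UID=0, PID=9190
2012-02-23 11:01:27,601  DEBUG [smb.protocol.auth] [AlfJLANWorker3] Using Write transaction
2012-02-23 11:01:27,605  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup SPNEGO, MID=3, UID=0, PID=9190
2012-02-23 11:01:27,608  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, s in result.items():
        print(key, s["mechanism"], s["user"], s["reasons"] or "no failure recorded")
    print("failed:", failed_sessions(result))
```

Sessions are keyed by worker thread plus client PID because JLAN reuses worker threads: AlfJLANWorker4 serves both the 10:09 NTLMSSP attempt and an 11:01 SPNEGO attempt, and keying on the thread alone would merge them.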

okelet
Champ in-the-making
Anyone?
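The JGSS trace in the original post shows the acceptor finding two keys for cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY (enctypes 1 and 16) and then failing to decrypt the ticket with the des3 key ("Checksum failed"). That error means the key held in the keytab the server loaded is not the key the KDC used to encrypt the service ticket; with MIT Kerberos a common way to get there is that each `ktadd` without `-norandkey` generates a fresh random key and increments the kvno, so any keytab written earlier (or a running Tomcat that loaded it earlier) becomes stale. The script below is an added example, not MIT or Alfresco code: it parses the binary keytab format (version 0x0502), lists principal, kvno and enctype for every entry without copying key material out, and flags principals whose kvno differs from the kvno the KDC reports. The sample keytab bytes and the KDC kvno table are constructed inside the script; the principal and realm names are taken from this thread.

```python
"""Inspect an MIT Kerberos keytab (format 0x0502) and flag stale key versions.

Added example for this thread, not MIT Kerberos or Alfresco code. The sample
keytab and the "KDC says" kvno table are constructed here for illustration.
"""
import struct

# Standard Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    """Keytab counted octet string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialize one keytab entry; used only to fabricate the constructed sample."""
    components = principal.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">II", KRB5_NT_PRINCIPAL, timestamp)
    body += struct.pack(">B", kvno & 0xFF)          # legacy 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                  # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Parse keytab bytes into entry dicts; negative-size (deleted) slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # free slot left by ktremove
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp = struct.unpack_from(">II", data, pos)
        pos += 8
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                               # skip the key; never copy it out
        if end - pos >= 4:                            # optional 32-bit kvno overrides 8-bit
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "timestamp": timestamp,
        })
    return entries


def stale_principals(entries, kdc_kvnos):
    """Principals whose keytab kvno differs from the kvno the KDC currently reports."""
    stale = {e["principal"] for e in entries
             if e["principal"] in kdc_kvnos and e["kvno"] != kdc_kvnos[e["principal"]]}
    return sorted(stale)


# Constructed sample: des-cbc-crc (1) and des3 (16) keys for the cifs principal at
# kvno 2, one deleted slot, and a second principal at kvno 3. Key bytes are dummies.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_keytab_entry("cifs/alfresco.pruebas.local", "PRUEBAS.MYCOMPANY", 2, 1, b"\x01" * 8),
    build_keytab_entry("cifs/alfresco.pruebas.local", "PRUEBAS.MYCOMPANY", 2, 16, b"\x02" * 24),
    struct.pack(">i", -12) + b"\x00" * 12,
    build_keytab_entry("cifs/alfrescoa", "PRUEBAS.MYCOMPANY", 3, 16, b"\x03" * 24),
])

# Constructed: what `kvno` against the KDC would report, i.e. the cifs/alfresco key
# was re-randomized (kvno 3) after this keytab was written, so its entries are stale.
KDC_KVNOS = {
    "cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY": 3,
    "cifs/alfrescoa@PRUEBAS.MYCOMPANY": 3,
}

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%-48s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print("stale:", stale_principals(entries, KDC_KVNOS))
```

On a real system the same comparison is `klist -k -e -t /etc/krb5.alfresco.cifs.keytab` on the Alfresco host against `kvno cifs/alfresco.pruebas.local` from a client with a TGT; if the kvnos differ, regenerate the keytab once with `ktadd`, make sure the JAAS `keyTab` path points at that file, and restart Tomcat so Krb5LoginModule (which stores the keys in the Subject at login because of `storeKey=true`) picks up the new keys.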

ashex
Champ in-the-making
Are you using Kerberos for SSO? If not, disable that option. Additionally, make sure only Kerberos is set to authenticate CIFS. Take a look at this page:

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuring_the_Authentication_Chai...

nicolasraoul
Star Contributor
I am trying to do the same, and I am wondering:
- Why you did not specify a policy when creating the principals. I get WARNING: no policy specified for host/xxx@xxx; defaulting to no policy
- Why randkey means you can comment out passwords in kerberos-authentication.properties

Since you got HTTP Kerberos authentication to work I guess these are not problems, though.