CIFS not working when enabled LDAP authentication

g_rathod
Star Contributor
Friends,

Once I enabled LDAP authentication on Alfresco 2.9b Community version, I can't access CIFS any more.
Even when I give the correct credentials it does not work.

Do you have any idea? Do I need to configure any file for LDAP + CIFS access?

My file-servers-custom.xml is as below:



<alfresco-config area="file-servers">

   <!-- To override the default Alfresco filesystem use replace="true", to -->
   <!-- add additional filesystems remove the replace="true" attribute     -->

   <config evaluator="string-compare" condition="Filesystems" replace="true">
      <filesystems>

         <filesystem name="Alfresco">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>

            <!-- Add a URL file to each folder that links back to the web client -->
            <urlFile>
               <filename>__Alfresco.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>

            <!-- Mark locked files as offline -->
            <offlineFiles/>

            <!-- Desktop actions -->

            <desktopActions>
               <global>
                  <path>alfresco/desktop/Alfresco.exe</path>
                  <webpath>http://${localname}:8080/alfresco/</webpath>
               </global>
               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.EchoDesktopAction</class>
                  <name>Echo</name>
                  <filename>__AlfrescoEcho.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.URLDesktopAction</class>
                  <name>URL</name>
                  <filename>__AlfrescoURL.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.CmdLineDesktopAction</class>
                  <name>CmdLine</name>
                  <filename>__AlfrescoCmd.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.CheckInOutDesktopAction</class>
                  <name>CheckInOut</name>
                  <filename>__CheckInOut.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
                  <name>JavaScriptURL</name>
                  <filename>__ShowDetails.exe</filename>
                  <script>alfresco/desktop/showDetails.js</script>
                  <attributes>anyFiles</attributes>
                  <preprocess>copyToTarget</preprocess>
               </action>
            </desktopActions>

            <accessControl default="Write">
               <user name="admin" access="Write"/>
               <address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
            </accessControl>

         </filesystem>

         <!-- AVM virtualization view of all stores/versions for WCM -->
         <avmfilesystem name="AVM">
            <virtualView/>
         </avmfilesystem>

      </filesystems>
   </config>

   <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="passthru">
         <Server>xx.xx.xx.xx</Server> <!-- x = ldap server ip -->
      </authenticator>
   </config>

</alfresco-config>


Do you have any idea?

ajmillar
Champ in-the-making
Had the same problem myself. Spent over a week working on it. I think it's a "feature" :wink: of version 2.9B. I went back to 2.1 and it worked first time. I'm hoping once version 3.0 comes out it'll be fixed.

pmonks
Star Contributor
The problem is that CIFS uses MD4 for hashing passwords, but most LDAP systems use MD5 or AES.  So what happens is that the CIFS client (Windows, Samba, MacOSX, etc.) sends up an MD4 hashed password which Alfresco dutifully sends to LDAP, but LDAP won't ever match it against the user's password because the user's password is MD5 / AES hashed in the LDAP system.

Unfortunately there's no easy way around this since most LDAP administrators are unwilling to store passwords in MD4 (it's not secure), and no one but Microsoft has control over the CIFS protocol (and by extension, the CIFS client built into Windows).

You may be able to configure Kerberos based authentication instead (see http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration), but I've heard rumours that the Windows CIFS client will only work with Kerberos tokens generated by Active Directory (presumably Microsoft have "extended" the ticket with non-standard information that the Windows CIFS client requires to function properly).  And if you're using Active Directory then you don't have the MD4 / MD5 / AES problem since Active Directory (unlike other LDAP systems) does store passwords in MD4 (so that it has backwards compatibility with the Windows CIFS client!!  :wink: :) ).

Cheers,
Peter

g_rathod
Star Contributor
So Peter,

what will be the solution for this problem?
Since we reverted back to Alfresco Enterprise 2.1.2 version with daisy chaining,
but still my CIFS is not working. It shows me a username/password prompt, but when I apply
admin/admin or LDAP credentials it's not working.

So what will be the solution for this?

pmonks
Star Contributor
Unless your authentication system supports MD4 password encryption there's not a lot that can be done.  Unfortunately Microsoft is solely in control of the CIFS protocol (as well as the most widely used CIFS clients), so there aren't too many options.    :(

Cheers,
Peter

vycitalr
Champ in-the-making
There is one dirty option which I personally use. It is not really very nice from an architecture point of view but works fine for me. That is to store the MD4 hashed password in Alfresco in the user's properties, as is normally done when there is no LDAP. I perform the storing of the password in the LDAPAuthenticationComponent after the user successfully authenticates.  Then the CIFS configuration is just as if there is no LDAP. It's a workaround but works. See also http://forums.alfresco.com/viewtopic.php?f=4&t=12633.

Regards Robert
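An added example, not code from this thread, from Alfresco or from the posters, that makes Peter's explanation above concrete and shows what Robert's workaround has to persist. NTLM never transmits the password or its hash: the CIFS client sends a challenge-response keyed by the NT hash (MD4 over the UTF-16LE password), so the server side must already hold that hash. An LDAP userPassword stored as {SSHA} (one common directory form) can only be checked by a bind that carries the plaintext, which a CIFS server never receives. Assumptions: MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3; the user name, domain, password, salt, server challenge and client blob are constructed sample values.

```python
"""Added example (not from the thread or from Alfresco): why a CIFS server
cannot authenticate against an ordinary LDAP password store, and why a
store holding NT hashes (AD, Samba passdb, Robert's workaround) can.
"""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (three rounds over 64-byte blocks)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)            # 64-bit little-endian length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c           # rotate the working variables
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash CIFS/NTLM is keyed on: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NtProofStr as defined in MS-NLMP: HMAC-MD5 keyed by the NT hash, never the password."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()


def cifs_verify(stored_nt: bytes, user, domain, challenge, blob, proof) -> bool:
    """What a CIFS server does: recompute the proof from the NT hash it already holds."""
    return hmac.compare_digest(ntlmv2_proof(stored_nt, user, domain, challenge, blob), proof)


def ldap_ssha(password: str, salt: bytes) -> str:
    """One common LDAP userPassword form: {SSHA} base64(SHA1(password+salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_bind_verify(stored: str, password: str) -> bool:
    """LDAP simple bind: the directory needs the plaintext password to re-salt and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def demo() -> dict:
    """Constructed scenario: one user, one LDAP {SSHA} entry, one NTLMv2 exchange."""
    user, domain, password = "alice", "COMPANY", "Sample-Pass-1"        # constructed values
    stored_ssha = ldap_ssha(password, salt=b"\x01\x02\x03\x04")           # what LDAP holds
    challenge = b"\x11" * 8                                               # constructed server challenge
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x22" * 8 + b"\x00" * 4  # constructed client blob
    proof = ntlmv2_proof(nt_hash(password), user, domain, challenge, blob)  # what the client sends
    return {
        # Web client / LDAP bind: plaintext password is available, so {SSHA} can be checked.
        "ldap_bind_ok": ldap_bind_verify(stored_ssha, password),
        # CIFS with the NT hash on hand (AD, Samba passdb, Robert's workaround): verifies.
        "cifs_with_nt_hash": cifs_verify(nt_hash(password), user, domain, challenge, blob, proof),
        # CIFS with only the LDAP digest: no NT hash can be derived from it, so whatever
        # the server keys on (here the SHA-1 digest, as a stand-in) cannot match.
        "cifs_with_ssha_only": cifs_verify(
            base64.b64decode(stored_ssha[6:])[:20], user, domain, challenge, blob, proof),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    print(demo())
```

The three booleans returned by `demo()` are the whole argument of the thread in one place: the bind path succeeds because it has the plaintext, the CIFS path succeeds only when the NT hash itself is stored, and a one-way LDAP digest gives the CIFS server nothing to key on. It also shows the operational cost of Robert's workaround: the value written into the user's properties is a password-equivalent NT hash and needs the same protection as a password.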

jzulu2000
Champ in-the-making
I did the following in my environment and it worked.

First of all, Alfresco can not authenticate directly to LDAP when using the CIFS interface; we have to use a passthru server; the passthru server can be either Kerberos or another machine running native Samba.

What I did is to configure Samba on another server, let's call it server2 (not the server running Alfresco, which is called, for example, server1), and make it authenticate against LDAP; users should be able to connect to the system using the LDAP user and password (for example, using an SSH client like PuTTY), and should be able to map a network drive to that server too (for example, a normal network drive mapping).

I had to configure the LDAP, extending the schema to support the "universal password", so users can authenticate from the operating system and from Samba using their MD5 passwords.

Up to now, we can have for example a CIFS client (let's say, a Windows client) which maps a network drive to server2 (which exposes the Samba service), and server2 authenticates that user against LDAP.

So, what's left? We have to make Alfresco CIFS authenticate against the server2 Samba service as a passthru server, and then make the client map the Alfresco server (not server2).

The total solution includes:
1. A CIFS client which maps the Alfresco CIFS service.
2. Alfresco running on server1, which exposes the CIFS server and authenticates against a passthru server.
3. The Samba service running on server2, which acts as a passthru server for Alfresco and authenticates against an LDAP.
4. An LDAP configured so the passthru server can authenticate against it.

LDAP configuration:
We should install the posixAccount and sambaAccount extensions, then assign these extensions to the users.
We have to create a user called, let's say, ALFRESCOCM, and allow this user to examine all entries, compare and read attributes, and supervise, compare, read and write ACLs.
You have to export the certifying entity and the certificate, to be used on server2 for the connection.

Server2 configuration. (Here we have to configure Samba against LDAP, and the operating system against LDAP; I did this for AIX, but I think it's similar on Linux.)
1. Configuring the operating system:
- You have to import the certificate (see http://www-03.ibm.com/systems/p/os/aix/whitepapers/ldap_client.html, chapter 7) and then create the database in CMS format, for example in /usr/bin/key.kdb; remember the password.
- Then you have to configure the LDAP client for the operating system, using the following command:
mksecldap -c -h ldap_server -a cn=ALFRESCOCM,o=COMPANY -p CLAVE_DEL_ALFRESCOCM -n 636 -d o=COMPANY  -k /usr/bin/key.kdb -w CLAVE_DEL_key_kdb
- Edit the /etc/security/user file and tell the operating system to also use LDAP for authentication, in the default stanza, like this:
SYSTEM = "compat OR LDAP"
Now, you should be able to authenticate to the operating system using an LDAP user.

2. Configuring Samba
Modify the smb.conf file; it has to use TLS; for example:



[global]
   workgroup = WORKGROUP
   printing = cups
   printcap name = cups
   printcap cache time = 750
   cups options = raw
   map to guest = Bad User
   include = /etc/samba/dhcp.conf
   logon path =
   logon home =
   logon drive = P:
   log level = 100
   enable privileges = Yes
   os level = 65
   lanman auth = yes

   netbios name = NETBIOS-NAME
   ldap admin dn = cn=ALFRESCOCM,o=COMPANY
   passdb backend = NDS_ldapsam:ldap://LDAP_SERVER:389
   ldap suffix = o=COMPANY
   ldap ssl = start tls

   ldap passwd sync = on
   security = user
   encrypt passwords = yes

   use sendfile = no
   domain logons = no
   local master = yes
   wins support = no
   preferred master = auto

[netlogon]
   path = /home/netlogon/
   browseable = No
   read only = yes

[profiles]
   path = /home/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = No
   guest ok = Yes
   profile acls = yes
   csc policy = disable
   # next line is a great way to secure the profiles
   #force user = %U
   # next line allows administrator to access all profiles
   #valid users = %U "Domain Admins"

[printers]
   comment = Network Printers
   printer admin = @"Print Operators"
   guest ok = yes
   printable = yes
   path = /home/spool/
   browseable = No
   read only  = Yes
   printable = Yes

[prueba]
   browseable = yes
   comment = Prueba
   path = /temp
   valid users = USER1, USER2, USER3
   writeable = yes
   guest ok = no
   printable = no


The ldap.conf and slapd.conf must include the following, to allow Samba to connect using TLS:

TLS_REQCERT allow

After these configurations are made, we have to give the ALFRESCOCM password to Samba, using the command:
smbpasswd -w ALFRESCOCM_PASSWORD

Then, start the Samba service and test it.

Now, we can configure Alfresco to use this Samba as the passthru server.

See this link too: http://www.novell.com/coolsolutions/appnote/11788.html

subemontes
Champ in-the-making
Great job.
I'm happy someone got LDAP working :)

What a round you have done!