CIFS with Passthru not working

clancydamon
Champ in-the-making
Hello. I've been struggling to get this damn thing up and working for almost three weeks now, and each victory leads to two setbacks. I'm trying to run Alfresco 3.2r on a VirtualBox running CentOS 5.4. This VirtualBox is hosted on a PC running Win7 Professional 64-bit. The goal is to create an environment where all authentication is handled by the active directory on our main server running SBS 2008 (SP2), and using that machine to map CIFS network drives to all of our users through Group Policy. To that end, I've tried enabling passthru authentication for Alfresco. I've read through the wiki on this matter (http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Passthru), but I haven't met with success yet. The real hell of it is that I had CIFS working just fine on a clean installation. The authentication was a pain in the ass, so I started mucking about and now CIFS is broken on all but the Win7 machine that is hosting the virtual box.

Here's my alfresco-global.properties file, with all of the now commented random changes I was making in my frustration:

###############################
## Common Alfresco Properties #
###############################

#
# Sample custom content and index data location
#-------------
dir.root=/opt/Alfresco/alf_data

#
# Sample database connection properties
#-------------
db.name=alfresco
db.username=alfresco
db.password=alfresco
db.host=localhost
db.port=3306

#
# External locations
#-------------
ooo.exe=/usr/lib64/openoffice.org/program/soffice
ooo.user=<%ShortInstallDir%>/alf_data/oouser
img.root=/usr
swf.exe=/usr/local/bin/pdf2swf

#
# Initial admin password
#-------------
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634

#
# MySQL connection
#-------------
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://${db.host}:${db.port}/${db.name}
hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect

#
# Index Recovery Mode
#-------------
#index.recovery.mode=Auto

#
# Outbound Email Configuration
#-------------
#mail.host=
#mail.port=25
#mail.username=anonymous
#mail.password=
#mail.encoding=UTF-8
#mail.from.default=alfresco@alfresco.org
#mail.smtp.auth=false

#
# Alfresco Email Service and Email Server
#-------------

# Enable/Disable the inbound email service.  The service could be used by processes other than
# the Email Server (e.g. direct RMI access) so this flag is independent of the Email Service.
#-------------
#email.inbound.enabled=true

# Email Server properties
#-------------
#email.server.enabled=true
#email.server.port=25
#email.server.domain=alfresco.com
#email.inbound.unknownUser=anonymous

# A comma separated list of email REGEX patterns of allowed senders.
# If there are any values in the list then all sender email addresses
# must match.  For example:
#   .*\@alfresco\.com, .*\@alfresco\.org
# Allow anyone:
#-------------
#email.server.allowed.senders=.*

#
# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------
#authentication.chain=alfrescoNtlm1:alfrescoNtlm

authentication.chain=passthru1:passthru

# A single backslash is an escape character in a Java properties file and is dropped on load,
# so it must be doubled to survive as the DOMAIN\server separator.
passthru.authentication.servers=ourdomain.local\\sbsserver
passthru.authentication.authenticateCIFS=true
passthru.authentication.defaultAdministratorUserNames=mainuser@ourdomain.local
ntlm.authentication.sso.enabled=false

ldap.authentication.active=true
ldap.synchronization.active=false

#
# LDAP configuration? Does not work with CIFS?
#

#authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad

#ntlm.authentication.sso.enabled=false
#alfresco.authentication.authenticateCIFS=true

#ntlm.authentication.sso.enabled=true
#passthru.authentication.authenticateCIFS=true

#ldap.authentication.active=false
#ldap.synchronization.active=false

#ldap.authentication.java.naming.provider.url=ldap://10.10.0.2:389
#ldap.authentication.java.naming.security.authentication=SIMPLE

#ldap.synchronization.java.naming.security.principal=alfadmin@reality-tech.local
#ldap.synchronization.java.naming.security.credentials=temp@1234

#
# IMAP
#-------------
#imap.server.enabled=true
#imap.server.port=143
#imap.server.host=localhost

#
# CIFS
#
cifs.enabled=true
cifs.serverName=VirtualBoxHostName
cifs.domain=ourdomain.local
cifs.urlfile.prefix=http://${localname}:8080/alfresco/
cifs.broadcast=255.255.255.0

I honestly have almost no idea what I'm doing here. I only heard about Alfresco three weeks ago when I started this, and I've done very little with Linux. My boss has his goals, and I'm just here to make it happen. Can someone please tell me what I'm doing wrong, and how I can fix it?

———

I should also note that whenever any machine in the network tries to map an Alfresco drive, it asks for authentication within our domain - it no longer accepts the admin/admin default Alfresco logins. Every user I try fails, saying the password failed to authenticate. I've checked the main alfresco.log file, and it says the following for each failure - ERROR [org.alfresco.smb.protocol.auth] org.alfresco.jlan.smb.SMBException: Invalid Parameter.

Also, we can use the web-interface without any issue at all. I've created random test users in our AD, and have successfully used them to log into Alfresco through the browser on any machine in our network. It's strictly CIFS that isn't working.
3 REPLIES

dranakan
Champ on-the-rise
Hello,

This is a sample that works on RHEL and CentOS.

Starting Alfresco as a user other than root prevents it from using the standard ports (445, …), which is why the forwarding is used (for security reasons, it's better to start Alfresco as a non-root user). (http://wiki.alfresco.com/wiki/File_Server_Configuration#Running_SMB.2FCIFS_from_a_normal_user_accoun...)

Do this (write it into iptables once it's working…):
Forwarding:

# Rules for firewall
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe iptable_nat
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
/sbin/iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
/sbin/iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 1024
/etc/init.d/network restart

CIFS configuration:

authentication.chain=passthru1:passthru

passthru.authentication.useLocalServer=false
passthru.authentication.domain=YOURDOMAIN
passthru.authentication.servers=YOURDOMAIN\\xxx.xxx.xxx.xxx,xxx.xxxx.xxx.xxx
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=YOURUSER
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
ntlm.authentication.sso.enabled=false


cifs.enabled=true
cifs.serverName=${localname}
cifs.domain=YOURDOMAIN
cifs.hostannounce=true
cifs.broadcast=0.0.0.0
cifs.tcpipSMB.port=1445
cifs.ipv6.enabled=false
cifs.netBIOSSMB.namePort=1137
cifs.netBIOSSMB.datagramPort=1138
cifs.netBIOSSMB.sessionPort=1139
(change YOURDOMAIN, xxx, YOURUSER)
For YOURDOMAIN\\xxx.xxx.xxx.xxx,xxx.xxxx.xxx.xxx, write your AD server twice, e.g. dom\\10.0.0.1,10.0.0.1


Good luck 🙂
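Added example (my own Python, not code from this thread or from Alfresco): a small linter for the passthru and CIFS properties shown in the question and in the reply above. It loads the file with java.util.Properties escaping rules, so a lone backslash like the one in ourdomain.local\sbsserver is shown to be swallowed, and flags cifs.* keys whose case or spelling differs from Alfresco's (properties keys are case-sensitive). The sample input is constructed, and the set of known cifs.* keys is only the one used here, not an exhaustive list.

```python
import difflib
import re

# Constructed sample (not the poster's file) showing the problems visible in this thread:
# a lone backslash in a passthru server entry, mis-cased/mis-spelled cifs.* keys, and an
# installer placeholder that was never substituted.
SAMPLE = r"""
authentication.chain=passthru1:passthru
passthru.authentication.servers=ourdomain.local\sbsserver
cifs.enabled=true
cifs.ServerName=${localname}
cifs.hostanounce=true
ooo.user=<%ShortInstallDir%>/alf_data/oouser
"""
# cifs.* keys as Alfresco's file-servers.properties spells them (case-sensitive); not exhaustive.
KNOWN_CIFS_KEYS = {
    "cifs.enabled", "cifs.serverName", "cifs.domain", "cifs.broadcast",
    "cifs.hostannounce", "cifs.urlfile.prefix", "cifs.tcpipSMB.port",
    "cifs.netBIOSSMB.namePort", "cifs.netBIOSSMB.datagramPort", "cifs.netBIOSSMB.sessionPort",
}
_JAVA_ESC = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def parse_properties(text):
    """java.util.Properties-style loader: '#'/'!' start a comment, '\\\\' is one literal
    backslash, any other '\\x' collapses to 'x'. Returns {key: (raw, decoded)}."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, raw = line.partition("=")
        decoded = re.sub(r"\\(.)", lambda m: _JAVA_ESC.get(m[1], m[1]), raw.strip())
        props[key.strip()] = (raw.strip(), decoded)
    return props

def lint(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for key, (raw, value) in parse_properties(text).items():
        if key.startswith("cifs.") and key not in KNOWN_CIFS_KEYS:
            guess = difflib.get_close_matches(key, KNOWN_CIFS_KEYS, n=1, cutoff=0.8)
            hint = f", did you mean {guess[0]}?" if guess else ""
            findings.append(f"{key}: unknown key{hint}")
        if key == "passthru.authentication.servers":
            for entry in raw.split(","):
                if re.search(r"(?<!\\)\\(?!\\)", entry):  # lone backslash is an escape
                    findings.append(f"{key}: {entry!r} loads as {value!r}; write DOMAIN\\\\server")
        if "<%" in value:
            findings.append(f"{key}: unsubstituted installer placeholder {value!r}")
    return findings
```

Run `lint(open("alfresco-global.properties").read())` against a real file; each finding names the key and what the loader will actually see.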

clancydamon
Champ in-the-making
Thank you very much for your reply. I tried your steps and, unfortunately, they didn't work. At least not with what I was trying to accomplish. However, we did find out what the problem was!

I noted before that we have all Win7 and Vista machines in our network. Well, I also have a laptop running WinXP that isn't part of the domain. On a whim, I tried mapping an Alfresco drive on this laptop, and used the domain authentication (a username/password from our domain which I've never had reason to use on my laptop before). It worked instantly, and I had no problem accessing Alfresco! Bizarre to say the least, but a good clue.

My boss spent hours searching the net and eventually found the solution - http://blogs.techrepublic.com.com/networking/?p=577

That's it, change the NTLM authentication from the default V2 only to NTLM V1. I'm guessing (I really don't know here) that Alfresco does not support NTLMv2. I didn't even think we were using NTLM at all, given that we have it set to false as per your instructions dranakan, but there you go. If anyone else is having trouble using CIFS in a Win7/Vista environment, give that a try.

mikeh
Star Contributor
I believe the revised authentication protocols in NTLMv2 prevent "man in the middle" style attacks. Unfortunately this means the Alfresco CIFS implementation is also regarded as a man-in-the-middle, hence passthru NTLMv2 authentication isn't viable.

This should be made clear in the documentation, so I'll make sure the Docs Team are aware.

Thanks,
Mike