
Configuring CIFS for Kerberos/AD integration PROBLEM!!

hnulty
Champ in-the-making
Setting the scene:
  We have Alfresco Community 2.1.0 installed on RHEL4 with apache-tomcat 5.5.25.
  We have deployed alfresco.war from alfresco-community-war-2.2.0dev.zip dated 10/30/2007 - hoping for the fix for AR-1727.

CIFS authentication via Kerberos/AD is NOT working.

We have customized file-servers-custom.xml in the extension folder as so:

file-servers-custom.xml:

   <!-- authenticate to ADS server -->
   <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="enterprise">
      <KDC>ourdc.doma.domb.domc</KDC>
      <Realm>DOMA.DOMB.DOMC</Realm>
      <LoginEntry>alfrescocifs</LoginEntry>
      <Password>--------</Password>
      </authenticator>
   </config>


from java.security:

#
# Default login configuration file
#
login.config.url.1=file:${java.home}/lib/security/java.login.config

java.login.config:
alfrescocifs {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  useKeyTab=true
  keyTab="/etc/krb5.keytab"
  principal="cifs/ourrel4.doma.domb.domc";
};


klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 cifs/ourrel4.doma.domb.domc@DOMA.DOMB.DOMC (DES cbc mode with RSA-MD5)

krb5.conf:
[libdefaults]
        default_realm = DOMA.DOMB.DOMC
               
[realms]       
        DOMA.DOMB.DOMC = {
                kdc = ourdc.doma.domb.domc
                admin_server = ourdc.doma.domb.domc
        }
       
[domain_realms]
        .kerberos.server = DOMA.DOMB.DOMC

setspn -l alfrescocifs
Registered ServicePrincipalNames for CN=Alfresco CIFS,OU=Users,OU=Server Group,OU=IIS,DC=doma,DC=domb,DC=domc:
    cifs/ourrel4.doma.domb.domc

For the web interface we have users defined in Alfresco and passwords set for them.  These userids match AD userids.  If passwords are set to match AD passwords, CIFS authentication works … it uses cached credentials.  If passwords do not match we get errors as below.  Can we expect to configure Alfresco to use AD/Kerberos for CIFS authentication and Alfresco user database for web?

Please advise, suggest, help, correct!!    –hnulty

from catalina.out
12:08:30,902  ERROR [smb.protocol.auth] Kerberos logon error
Logon failure
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1283)
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1113)
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:673)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:407)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:221)
        at org.alfresco.filesys.smb.server.SMBSrvSession.run(SMBSrvSession.java:1381)
        at java.lang.Thread.run(Thread.java:595)
GSSException: No valid credentials provided
  No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
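A consistency check over the three artifacts posted above (the `klist -e -k` listing, the JAAS login entry and krb5.conf), written as an added example that is not part of the original post and does not establish the cause of the logon failure reported here. The function names and finding labels are hypothetical, and the sample inputs are constructed from the values quoted in the post.

```python
import re

# Sample inputs constructed from the values quoted in the post above.
KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------
   5 cifs/ourrel4.doma.domb.domc@DOMA.DOMB.DOMC (DES cbc mode with RSA-MD5)
"""
JAAS = 'alfrescocifs {\n  useKeyTab=true\n  principal="cifs/ourrel4.doma.domb.domc";\n};\n'
KRB5 = "[libdefaults]\n  default_realm = DOMA.DOMB.DOMC\n[realms]\n[domain_realms]\n"

# Section names commonly used in an MIT krb5.conf; anything else is reported.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging"}
# Single-DES enctypes (deprecated by RFC 6649), in klist's long or short spelling.
SINGLE_DES = re.compile(r"des[ -]cbc", re.I)

def keytab_entries(klist_text):
    """Return (kvno, principal, enctype) for each entry of `klist -e -k` output."""
    pat = re.compile(r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]+\((.+)\)[ \t]*$", re.M)
    return [(int(k), p, e) for k, p, e in pat.findall(klist_text)]

def audit(klist_text, jaas_text, krb5_text):
    """Cross-check the three artifacts and return a list of finding strings."""
    findings = []
    want = re.search(r'principal\s*=\s*"([^"]+)"', jaas_text).group(1)
    realm = re.search(r"default_realm\s*=\s*(\S+)", krb5_text)
    if "@" not in want and realm:
        # Assumption: a principal with no realm is completed with default_realm.
        want += "@" + realm.group(1)
    keys = [enc for _, princ, enc in keytab_entries(klist_text) if princ == want]
    if not keys:
        findings.append("principal-not-in-keytab: " + want)
    elif all(SINGLE_DES.match(enc) for enc in keys):
        findings.append("single-des-only: " + want)
    for section in re.findall(r"^\[(\w+)\]", krb5_text, re.M):
        if section not in KNOWN_SECTIONS:
            findings.append("unknown-krb5-section: " + section)
    return findings

if __name__ == "__main__":
    for finding in audit(KLIST, JAAS, KRB5):
        print(finding)
```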
5 REPLIES

meansartin14
Champ in-the-making
I am having the exact same issue, with the exception being that I want to authenticate users for BOTH the Web UI AND CIFS through AD.

I've got the Web UI authenticating properly so that no login is necessary, but I can not get the CIFS server to allow itself to be mapped as a network drive on Windows client PCs.

Have you resolved this issue? If so, how?

hnulty
Champ in-the-making
We never did resolve the issue.  We actually abandoned Alfresco in favor of a different solution - Sharepoint.

Sorry we could be of no help.

Helen

meansartin14
Champ in-the-making
> We never did resolve the issue.  We actually abandoned Alfresco in favor of a different solution - Sharepoint.
>
> Sorry we could be of no help.
>
> Helen

Yikes. Sorry to hear that.

Hopefully, I can find a solution to this problem.

viktu
Champ in-the-making
> > We never did resolve the issue.  We actually abandoned Alfresco in favor of a different solution - Sharepoint.
> >
> > Sorry we could be of no help.
> >
> > Helen
>
> Yikes. Sorry to hear that.
>
> Hopefully, I can find a solution to this problem.

Sorry to hear it? Of course, but what alternative do we have?

I do have the following problem: we have to start a content management project, but we can't afford (at least by now) 17.000€ each year for a license, plus 50.000€ for the implementation of OpenBravo.

We would like to start using the free version, to grow up the project in-house, so when being widely used be able to pay that amount.

How can I do that if there is no stable version? The only solution is to pay less for a fu…g sharepoint server, it's a fact.

Alfresco is following the best way to destroy the way of access to their product. Ok, you will have few companies paying 17k€ each year or more, but can you imagine how many opportunities you are losing with this way of licensing? If I can mount my Alfresco for free, and I can make it used in my environment, and it becomes an essential part of my services, why shouldn't I pay for support? I would!!!

No way :(

meansartin14
Champ in-the-making
I have started a thread that I hope to eventually turn into an AlfrescoWiki page for how to configure Active Directory authentication for both CIFS and the Web Interface in Alfresco Labs 3c.

Please see my thread:
[ERROR]Alfresco Engineers: CIFS auth does not work. Sugg?

Please come join in the discussion, or at least subscribe to the thread. I want to try to get everyone having these types of issues into the thread so that we can get a large collection of experiences and configurations.

We WILL find the answer for how to enable Active Directory authentication with CIFS in Alfresco!!