help config alfresco and kerberos

badim
Champ on-the-rise

I am trying to configure Alfresco with Kerberos.

Alfresco 5.2 - CentOS 7 (domain member)

AD - win2008r2

LDAP synchronized

I have already done:

on the domain controller:

1. create users cifsfs02 and httpfs02 in AD

2. create the files cifsfs02.keytab and httpfs02.keytab

on the CentOS server (name fs02, hosts Alfresco):

1. create the file /opt/alfresco-community/java/lib/security/java.login.config

2. copy cifsfs02.keytab and httpfs02.keytab to /etc

3. add the line "login.config.url.1=file:${java.home}/lib/security/java.login.config" at the end of the file /opt/alfresco-community/java/lib/security/java.security

reboot

prepared IE (Internet Explorer):

in IE, added the local Alfresco web host to the Local Intranet security zone

changed "Automatic logon with current user name and password."

It does not work; it asks for a login and password!


adit_patel
Confirmed Champ

Can you share what you put in the authentication chain property of alfresco-global.properties?

badim
Champ on-the-rise

OK.

I found a Kerberos setup in the forum and applied Kerberos and CIFS.

1. I added to the Alfresco global config

/opt/alfresco-community/tomcat/shared/classes/alfresco-global.properties

#MS Active Directory Integration
authentication.chain=alfinst:alfrescoNtlm,ad1:ldap-ad,kerberos1:kerberos

# Kerberos
kerberos.authentication.active=true
log4j.logger.org.alfresco.web.app.servlet.KerberosAuthenticationFilter=debug
log4j.logger.org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter=debug
ntlm.authentication.sso.enabled=false

# CIFS configuration
#
cifs.enabled=true
cifs.ipv6=disabled
cifs.serverName=dc01
cifs.domain=PROEKTNG.LOCAL
cifs.hostannounce=true
cifs.urlfile.prefix=http://${localname}:8080/alfresco
cifs.bindto=0.0.0.0
cifs.broadcast=255.255.255.255
cifs.hostannounce=true
cifs.tcpipSMB.port=10445
cifs.netBIOSSMB.sessionPort=10139
cifs.netBIOSSMB.namePort=10137
cifs.netBIOSSMB.datagramPort=10138
cifs.platforms=linux,solaris,macosx
cifs.WINS.autoDetectEnabled=true

Question: is "http://${localname}" substituted in the path?

2. I created the path and file

/opt/alfresco-community/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/kerberos/kerberos1/kerberos-authentication.properties

kerberos.authentication.active=true
kerberos.authentication.realm=PROEKTNG.LOCAL
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.cifs.configEntryName=CIFSFS02
kerberos.authentication.cifs.password=12345678
kerberos.authentication.http.configEntryName=HTTPFS02
kerberos.authentication.http.password=12345678
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.stripUsernameSuffix=true

MS AD contains the users CIFSFS02@proektng.local and HTTPFS02@proektng.local.

For a complete picture, the Java security config:

/opt/alfresco-community/java/lib/security/java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   debug=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/cifsfs02.keytab"
   principal="cifs/fs02.proektng.local";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   debug=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/httpfs02.keytab"
   principal="HTTP/fs02.proektng.local";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   debug=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/httpfs02.keytab"
   principal="HTTP/fs02.proektng.local";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

Now I have an error:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'globalAuthenticationFilter' defined in file [/opt/alfresco-community/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: java.io.IOException: Configuration Error:

    No such file or directory

The path /opt/alfresco-community/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ contains two files:

kerberos-filter-context.xml and kerberos-filter.properties

I changed kerberos-filter.properties:

kerberos.authentication.http.configEntryName=HTTPFS02
kerberos.authentication.http.password=12345678
kerberos.authentication.sso.enabled=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true

badim
Champ on-the-rise

I started Kerberos with the first installation (I use Alfresco Authentication Subsystems).

I created in AD the users Alfresco CIFS (alfrescocifs) and Alfresco HTML (alfrescohtml)

and created keytab files for each,

copied the keytab files to /etc/keys/,

added to /opt/alfresco-community/tomcat/shared/classes/alfresco-global.properties:

authentication.chain=alfinst:alfrescoNtlm,ad1:ldap-ad,kerberos1:kerberos
kerberos.authentication.active=true
ntlm.authentication.sso.enabled=true

I created the file /opt/alfresco-community/java/lib/security/java.login.config:

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab='/etc/keys/alfrescocifs.keytab'
   principal='cifs/fs02.proektng.local';
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab='/etc/keys/alfrescohttp.keytab'
   principal='HTTP/fs02.proektng.local';
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

fs02 - the server hosting Alfresco

proektng.local - my AD domain

I edited the file /opt/alfresco-community/java/lib/security/java.security

and added the line

login.config.url.1=file:${java.home}/lib/security/java.login.config

reboot

I have an error:

2016-10-19 10:18:55,471 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

2016-10-19 10:18:55,552 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext] [localhost-startStop-1] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in URL [jar:file:/opt/alfresco-community/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.2.b-EA.jar!/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: java.io.IOException: Configuration Error:

    Line 9: expected [option value], found [/etc/keys/alfrescocifs.keytab]

2016-10-19 10:18:55,553 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in URL [jar:file:/opt/alfresco-community/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.2.b-EA.jar!/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: java.io.IOException: Configuration Error:

    Line 9: expected [option value], found [/etc/keys/alfrescocifs.keytab]

badim
Champ on-the-rise

Very wrong manual!!!

Its content has an error!!!

This is correct:

Create a file named java.login.config with the following entries :-

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescocifs.keytab"
   principal="cifs/<cifs-server-name>.<domain>";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescohttp.keytab"
   principal="HTTP/<web-server-name>.<domain>";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

Need to change ' => "

After the changes everything started working!

badim
Champ on-the-rise

I use:

AD - win2008r2

client - win7

"... for Windows 7 clients use AES256-SHA1 ..."

I created the keytab files again:

ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescocifs.keytab -kvno 0

and

ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 0

I changed the file /etc/krb5.conf:

[libdefaults]
default_realm = PROEKTNG.LOCAL
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = false

I have a new error:

2016-10-21 11:59:33,589 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

2016-10-21 11:59:33,696 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] [localhost-startStop-1] CIFS Kerberos authenticator error

javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

badim
Champ on-the-rise

A miracle occurred.
I turned the server off on Friday. On Monday I turned it on and was surprised to read the log files:

2016-10-24 08:17:26,586 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

2016-10-24 08:17:26,801 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete

Now I cannot set up passwordless login for the client.

badim
Champ on-the-rise

The problem is not solved. No passwordless login.

I configured IE 11 (Win7),

but still no passwordless login.

Setup cannot be completed until you configure the Kerberos client.

I broke down. I have made all the necessary changes in Chrome, Firefox and IE11.

Passwordless login does not work!

2016-10-25 16:23:16,807 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-2] Stopping 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

2016-10-25 16:23:16,807 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-2] Stopped 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

2016-10-25 16:23:16,807 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-2] Stopping 'sysAdmin' subsystem, ID: [sysAdmin, default]

2016-10-25 16:23:16,807 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-2] Stopped 'sysAdmin' subsystem, ID: [sysAdmin, default]

2016-10-25 16:29:05,545 INFO  [org.alfresco.repo.admin] [localhost-startStop-1] Using database URL 'jdbc:postgresql://localhost:5432/alfresco' with user 'alfresco'.

2016-10-25 16:29:05,548 INFO  [org.alfresco.repo.admin] [localhost-startStop-1] Connected to database PostgreSQL version 9.4.4

2016-10-25 16:29:11,472 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V4.2-metadata-query-indexes

2016-10-25 16:29:11,473 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.1-metadata-query-indexes

2016-10-25 16:29:18,215 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

2016-10-25 16:29:18,365 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Processing the JAAS callback list of 1 items.

2016-10-25 16:29:18,365 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Request for password.

2016-10-25 16:29:18,477 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful

2016-10-25 16:29:18,477 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/fs02.proektng.local@PROEKTNG.LOCAL

2016-10-25 16:29:18,502 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Processing the JAAS callback list of 1 items.

2016-10-25 16:29:18,502 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Request for password.

2016-10-25 16:29:18,558 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful

2016-10-25 16:29:18,558 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/fs02.proektng.local@PROEKTNG.LOCAL

2016-10-25 16:29:18,737 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete

2016-10-25 16:29:18,737 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, alfinst]

2016-10-25 16:29:18,882 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, alfinst] complete

2016-10-25 16:29:18,882 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ad1]

2016-10-25 16:29:19,153 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ad1] complete

authentication.chain=kerberos1:kerberos,alfinst:alfrescoNtlm,ad1:ldap-ad

badim
Champ on-the-rise

I set up AD LDAP authentication and Kerberos. What should be configured for passwordless login?

Which file should correctly contain the "kerberos.authentication...." settings:

alfresco-global.properties or kerberos-authentication.properties?
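As an added example (editor's code, not from the thread or from Alfresco), a small Python checker for the two files the last post asks about. It parses java.login.config the way the JDK's JAAS parser expects option values (bare words or double-quoted strings), so the single-quoted keyTab values that produced the "expected [option value]" error earlier in the thread are flagged, and it verifies that every kerberos.authentication.*.configEntryName in the Kerberos subsystem properties names an entry that actually exists in java.login.config (Alfresco's defaults are AlfrescoHTTP and AlfrescoCIFS). The file contents below are constructed samples mirroring the thread.

```python
import re
# Constructed sample mirroring the thread: AlfrescoCIFS uses single quotes
# (rejected by the JDK JAAS parser), AlfrescoHTTP is written correctly.
LOGIN_CONFIG = """
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab='/etc/keys/alfrescocifs.keytab'
   principal='cifs/fs02.proektng.local';
};
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/fs02.proektng.local";
};
"""
# Constructed kerberos-authentication.properties: the CIFS entry name does
# not match any JAAS entry above (the thread's first configuration did this).
PROPERTIES = """
kerberos.authentication.cifs.configEntryName=CIFSFS02
kerberos.authentication.http.configEntryName=AlfrescoHTTP
"""
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)   # Name { ... };
OPTION_RE = re.compile(r'(\w+)=("[^"]*"|[^\s;]+)')   # key=value inside an entry
BARE_RE = re.compile(r"[A-Za-z0-9_.\-]+")             # unquoted word value

def check_login_config(text):
    """Return (entries, problems): {entry: {option: value}} plus every option
    value the JAAS parser would reject (not a bare word, not double-quoted)."""
    entries, problems = {}, []
    for name, body in ENTRY_RE.findall(text):
        opts = {}
        for key, val in OPTION_RE.findall(body):
            if not (val.startswith('"') or BARE_RE.fullmatch(val)):
                problems.append(f"{name}.{key}: {val} must be double-quoted")
            opts[key] = val.strip('"')
        entries[name] = opts
    return entries, problems

def check_entry_names(props_text, entries):
    """Each kerberos.authentication.*.configEntryName must name a JAAS entry."""
    missing = []
    for line in props_text.splitlines():
        m = re.match(r"kerberos\.authentication\.(\w+)\.configEntryName=(\S+)", line)
        if m and m.group(2) not in entries:
            missing.append(f"{m.group(1)}: no JAAS entry named {m.group(2)}")
    return missing
```

Run it against the real files by reading them into LOGIN_CONFIG and PROPERTIES; an empty problems list and an empty missing list means the two files are at least consistent with each other.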