Kerberos auth against MS AD

patsch
Hello Everyone,

I'm new to Alfresco. First of all, everything is working fine with my configuration.
The authentication over LDAP to the Active Directory works fine.

Now I want to activate CIFS and authentication with Kerberos.
I finished all steps successfully from here: http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html
But if I start Alfresco, the following failures appear in the log:

2015-03-26 13:13:18,612 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] [localhost-startStop-1] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
   Caused by: KrbException: Client not found in Kerberos database (6)
   Caused by: KrbException: Identifier doesn't match expected value (906)

2015-03-26 13:13:18,617 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in URL [jar:file:/opt/alfresco-5.0.d/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.0.d.jar!/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
   Caused by: org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service

I have installed Alfresco 5.0.d (and with Alfresco 5.0.c I have the same problem).
The authentication works against a Windows Server 2012 R2 Active Directory.
If I execute the command 'kinit -V -k -t /etc/keys/AlfrescoCIFS.keytab "cifs/sles-alfresco.my.domain"' everything works fine:

Using existing cache: :/run/user/0/krb5cc/tkt
Using principal: cifs/sles-alfresco.my.domain@MY.DOMAIN
Using keytab: /etc/keys/AlfrescoCIFS.keytab
Authenticated to Kerberos v5

Here are some examples from my configs:

krb5.conf
[libdefaults]
#       default_realm = EXAMPLE.COM
        default_realm = my.domain
        default_keytab_name = FILE:/etc/keys/AlfrescoCIFS.keytab
        default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        permitted_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        dns_lookup_kdc = true
        dns_lookup_realm = false

[realms]
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }
        CONSENSO.LOCAL = {
                kdc = dc01.my.domain
                admin_server = dc01.my.domain
        }

[domain_realm]
        dc01.my.domain = MY.DOMAIN
        .dc01.my.domain = MY.DOMAIN

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON



alfresco-global.properties:
## cifs
filesystem.name=Alfresco
cifs.enabled=true
cifs.serverName=sles-alfresco
cifs.domain=my.domain
cifs.hostannounce=false
cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url
ftp.enabled=false
nfs.enabled=false



java.login.config:
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/AlfrescoCIFS.keytab"
   principal="cifs/sles-alfresco.my.domain";
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/AlfrescoHTTP.keytab"
   principal="HTTP/sles-alfresco.my.domain";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


Hope you can help me.
Thanks

Patrick


patsch
Hello,

I found a solution, so my configuration works for me.
There is another file that I must edit.

/opt/alfresco/tomcat/shared/classes/web-extension/share-config-custom.xml

Best regards
Patrick
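
Added example, not part of the original posts and not Alfresco code: a small realm-consistency check over the realm-related settings quoted in the question's krb5.conf and java.login.config. Kerberos realm names are case-sensitive and Active Directory realms are the upper-case form of the DNS domain name. The function names are hypothetical and the embedded sample is constructed from the lines shown above.

```python
import re
# Constructed sample: realm-related lines of the krb5.conf quoted in the question.
KRB5_CONF = """\
[libdefaults]
        default_realm = my.domain
[realms]
        CONSENSO.LOCAL = {
                kdc = dc01.my.domain
        }
[domain_realm]
        dc01.my.domain = MY.DOMAIN
"""
JAAS_PRINCIPAL = "cifs/sles-alfresco.my.domain"  # from the AlfrescoCIFS JAAS entry

def parse_krb5(text):
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current, depth = sections.setdefault(header.group(1), {}), 0
        elif line == "}":
            depth -= 1
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if depth == 0:                   # keep top-level keys of a section only
                current[key] = value
            if value == "{":                 # start of a nested realm block
                depth += 1
    return sections

def realm_findings(conf_text, principal):
    """List realm-naming inconsistencies (hypothetical helper, not an Alfresco API)."""
    conf = parse_krb5(conf_text)
    default = conf.get("libdefaults", {}).get("default_realm", "")
    defined = set(conf.get("realms", {}))
    findings = []
    if default != default.upper():
        findings.append(f"default_realm '{default}' is not upper case")
    if default not in defined:
        findings.append(f"default_realm '{default}' has no [realms] entry")
    for realm in sorted(set(conf.get("domain_realm", {}).values()) - defined):
        findings.append(f"[domain_realm] target '{realm}' has no [realms] entry")
    if "@" not in principal:
        findings.append(f"principal '{principal}' has no realm, '@{default}' is implied")
    return findings

print(*realm_findings(KRB5_CONF, JAAS_PRINCIPAL), sep="\n")
```

The findings only describe naming inconsistencies in the file. With dns_lookup_kdc = true, a missing [realms] entry does not by itself stop the KDC from being located.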