Hello,
I am trying to get Kerberos authentication working against AD for CIFS support. I am currently running community 201605.
Kerberos on the OS, (CentoOS 7) works fine. kinit will grab a key. But it does not work in Alfresco.
No matter what I set the principal to be, a packet capture shows Alfresco trying to use the principle "root".
I have spent weeks reading and trying different configs with no luck.
Here is the error I get.
2016-09-20 15:06:32,431 INFO [org.alfresco.repo.domain.schema.SchemaBootstrap] [localhost-startStop-1] No changes were made to the schema.
2016-09-20 15:06:33,268 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2016-09-20 15:06:33,366 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
<------>at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
<------>at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
<------>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
<------>at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
<------>at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
<------>at java.lang.reflect.Method.invoke(Method.java:497)
<------>at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
<------>at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
<------>at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
<------>at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
<------>at java.security.AccessController.doPrivileged(Native Method)
<------>at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
<------>at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
Below are my config files.
/opt/alfresco-community-201605/java/lib/security/java.login.config
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
debug=true
useKeyTab=true
doNotPrompt=true
keyTab="/data/alfresco-community-201605/java/lib/security/svc_alfresco.keytab"
principal="cifs/vm604.xxxDOMAIN";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
/opt/alfresco-community-201605/java/lib/security/java.security
login.config.url.1=file:/opt/alfresco-community-201605/java/lib/security/java.login.config
/opt/alfresco-community-201605/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/kerberos/kerberos1/kerberos-authentication.properties
kerberos.authentication.active=true
kerberos.authentication.realm=xxxDOMAIN
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=xxxxxxxxxxxxxx
kerberos.authentication.defaultAdministratorUserNames=
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.stripUsernameSuffix=true
/opt/alfresco-community-201605/tomcat/shared/classes/alfresco-global.properties
### CIFS/SMB Server Configuration ###
cifs.enabled=true
cifs.serverName="vm604"
cifs.hostannounce=false
cifs.domain=xxxDOMAIN
kerberos.authentication.active=true
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,passthru1
assthru,ldap-ad1:ldap-ad
Thanks for any help.
-Eddie
1 ACCEPTED ANSWER
