Kerberos auth on HEAD

chapeaurouge
Champ in-the-making
Hello all,

I have been trying for several days to make Kerberos authentication work (against AD running on Win2003 R2), both with the regular 3.0 Labs and now the SVN version (rev 12844). The server running Alfresco is a Gentoo 64-bit (Xen virtualized); Tomcat is tomcat-6.0.18.

Kerberos seems to work fine when I try manually. kinit and klist report correct stats. kvno is good. But neither the web, WebDAV nor CIFS auth is working… because the context simply fails to start.

Once I enabled the
<filter-class>org.alfresco.web.app.servlet.KerberosAuthenticationFilter</filter-class>

The /alfresco simply doesn't start, but there is no real error at all, just the following:

Jan 23, 2009 5:24:26 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 23, 2009 5:24:26 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.18
Jan 23, 2009 5:24:27 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive alfresco.war
Jan 23, 2009 5:24:28 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "org.apache.myfaces.webapp.StartupServletContextListener" is already configured for this context. The duplicate definition has been ignored.
17:24:42,572  INFO  [config.xml.XMLConfigService$PropertyConfigurer] Loading properties file from class path resource [alfresco/file-servers.properties]
17:24:43,636  DEBUG [webdav.auth.KerberosAuthenticationFilter] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@bb277f0, name=log4j:logger=org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter
17:24:43,637  DEBUG [smb.protocol.auth] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@bb277f0, name=log4j:logger=org.alfresco.smb.protocol.auth
17:24:43,637  DEBUG [security.authentication.ldap] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@bb277f0, name=log4j:logger=org.alfresco.repo.security.authentication.ldap
17:24:43,637  DEBUG [alfresco.smb.protocol] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@bb277f0, name=log4j:logger=org.alfresco.smb.protocol
17:24:43,638  DEBUG [alfresco.webdav.protocol] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@bb277f0, name=log4j:logger=org.alfresco.webdav.protocol
17:24:43,642  DEBUG [app.servlet.KerberosAuthenticationFilter] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@bb277f0, name=log4j:logger=org.alfresco.web.app.servlet.KerberosAuthenticationFilter
17:24:50,428  INFO  [domain.schema.SchemaBootstrap] Schema managed by database dialect org.hibernate.dialect.MySQLInnoDBDialect.
17:24:50,875  INFO  [domain.schema.SchemaBootstrap] No changes were made to the schema.
17:24:52,644 User:System INFO  [repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: /var/alf_data
17:24:52,688 User:System INFO  [admin.patch.PatchExecuter] Checking for patches to apply …
17:24:52,879 User:System INFO  [admin.patch.PatchExecuter] No patches were required.
17:24:52,881 User:System INFO  [repo.module.ModuleServiceImpl] Found 0 module(s).
17:24:52,997 User:System DEBUG [alfresco.smb.protocol] Found valid IP address from interface list
17:24:52,998 User:System INFO  [alfresco.smb.protocol] CIFS server started
17:24:52,998 User:System INFO  [alfresco.smb.protocol] FTP server NOT started
17:24:52,998 User:System INFO  [alfresco.smb.protocol] NFS server NOT started
17:24:53,130 User:System WARN  [alfresco.util.OpenOfficeConnectionTester] An initial OpenOffice connection could not be established.
17:24:53,195 User:System INFO  [service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_11-b03; maximum heap size 910.250MB
17:24:53,196 User:System INFO  [service.descriptor.DescriptorService] Alfresco started (Labs): Current version 3.0.0 (c 1342) schema 1000 - Installed version 3.0.0 (c @build-number@) schema 1000
17:25:02,747  DEBUG [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos login using account HTTP/gandalf-white.bi.invik.lu@BI.INVIK.LU
17:25:02,752  DEBUG [webdav.auth.KerberosAuthenticationFilter] HTTP Kerberos login using account HTTP/gandalf-white.bi.invik.lu@BI.INVIK.LU
Jan 23, 2009 5:25:02 PM org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart
Jan 23, 2009 5:25:02 PM org.apache.catalina.core.StandardContext start
SEVERE: Context [/alfresco] startup failed due to previous errors
log4j:ERROR LogMananger.repositorySelector was null likely due to error in class reloading, using NOPLoggerRepository.
Jan 23, 2009 5:25:24 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-80
Jan 23, 2009 5:25:24 PM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Jan 23, 2009 5:25:24 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 58135 ms

What could cause this error? What other debug filters could I put in log4j.properties?

Thanks a lot.

Cheers
fred

chapeaurouge
Champ in-the-making
I got it working for the web and WebDAV OK.

No luck for CIFS, but this seems to be a topic coming up quite often. I haven't seen any clear solution to that. Is there actually one?

rogier_oudshoor
Champ in-the-making
Could you share your CIFS configuration section from file-servers-custom.xml or file-servers.xml? That would help us greatly in spotting issues ;-)

chapeaurouge
Champ in-the-making
Sure. Here are the most relevant parts of my file-servers.xml.

  <config evaluator="string-compare" condition="CIFS Server">
      <serverEnable enabled="true"/>
      <host name="${cifs.localname}" domain="${cifs.domain}"/>
      <comment>Alfresco CIFS Server</comment>

      <!-- Set to the broadcast mask for the subnet -->
      <broadcast>${cifs.broadcast}</broadcast>

      <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
      <tcpipSMB platforms="linux,solaris,macosx"/>
      <netBIOSSMB platforms="linux,solaris,macosx"/>

      <!-- Can be mapped to non-privileged ports, then use firewall rules to forward
           requests from the standard ports -->
      <!--
      <tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
      <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
      -->

      <hostAnnounce interval="5"/>

      <!-- Use Win32 NetBIOS interface on Windows -->
      <Win32NetBIOS/>
      <Win32Announce interval="5"/>

      <!-- CIFS authentication -->
      <authenticator type="enterprise">
          <KDC>dcbi.mydomain.com</KDC>
          <Realm>MYDOMAIN</Realm>
          <Password>alfresco</Password>
          <Principal>cifs/gandalf-white.mydomain.com</Principal>
      </authenticator>

      <!--
      <WINS>
          <primary>1.2.3.4</primary>
          <secondary>5.6.7.8</secondary>
      </WINS>
      -->
      <sessionDebug flags="Negotiate,Socket"/>
  </config>

  <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="enterprise">
          <KDC>dcbi.mydomain.com</KDC>
          <Realm>MYDOMAIN</Realm>
          <Password>alfresco</Password>
          <Principal>cifs/gandalf-white.mydomain.com</Principal>
      </authenticator>
  </config>

At start-up:
18:22:14,540 User:System DEBUG [smb.protocol.auth] Logged on using principal cifs/gandalf-white.mydomain.com@MYDOMAIN
18:22:14,540 User:System DEBUG [smb.protocol.auth] Enabling mechTypes :-
18:22:14,540 User:System DEBUG [smb.protocol.auth]   Kerberos5
18:22:14,540 User:System DEBUG [smb.protocol.auth]   MS-Kerberos5
18:22:14,541 User:System DEBUG [smb.protocol.auth]   NTLMSSP
18:22:14,547 User:System INFO  [alfresco.smb.protocol] CIFS server started
18:22:14,547 User:System INFO  [alfresco.smb.protocol] FTP server NOT started
18:22:14,547 User:System INFO  [alfresco.smb.protocol] NFS server NOT started

Here is the log output:

18:22:29,634  DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=8, UID=0, PID=65279
18:22:29,639  DEBUG [smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=912,Authenticator=EncType=3,Kvno=-1,Len=168]
18:22:29,640  DEBUG [smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
18:22:29,666  DEBUG [smb.protocol.auth] Using OID MS Kerberos5 for NegTokenTarg
18:22:29,670  DEBUG [smb.protocol.auth] Created NegTokenTarg using updated AP-REP, added subkey
18:22:29,670  DEBUG [smb.protocol.auth] Machine account logon, MPWKS150$, as null logon
18:22:29,670  DEBUG [smb.protocol.auth] Logged on using Kerberos, user MPWKS150$
18:22:29,671  DEBUG [smb.protocol.auth] User  logged on  (type Null)
18:22:29,672  DEBUG [smb.protocol.auth] Allocated UID=0 for VC=[0:0,[:null,Windows 2002 Service Pack 3 2600,Windows 2002 5.1,10.250.15.39],Tree=0,Searches=0]
18:22:29,695  DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=24, UID=0, PID=65279
18:22:29,701  DEBUG [smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=1184,Authenticator=EncType=3,Kvno=-1,Len=168]
18:22:29,701  DEBUG [smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
18:22:29,717  DEBUG [smb.protocol.auth] Using OID MS Kerberos5 for NegTokenTarg
18:22:29,719  DEBUG [smb.protocol.auth] Created NegTokenTarg using updated AP-REP, added subkey
18:22:29,841 User:fredb ERROR [smb.protocol.auth] Kerberos logon error
18:22:29,841 User:fredb ERROR [smb.protocol.auth] org.alfresco.repo.security.authentication.AuthenticationException: Could not find user by userName: fredb

So, if I log in with a user and try to access a CIFS share, and the user didn't previously exist in Alfresco, it does get in somehow. I can see in the Alfresco admin console that the user got created. So it authenticates, but then fails to find the user?

I wish this was a trivial config issue :-)

Thanks for any tips.
fred
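The CIFS log quoted in this post records two distinct steps that are easy to conflate when reading it by hand: the SPNEGO/Kerberos exchange itself (the server only builds an AP-REP after it has parsed the AP-REQ and accepted the service ticket presented for the cifs/ principal) and the later lookup of the mapped user name in the repository, which is where the AuthenticationException appears. The following Python script is an added triage example, not code from Alfresco or from the poster. It assumes only the line layout visible above (timestamp, optional User: context, level, logger, message) and the message texts that appear there; the embedded sample is constructed from the quoted lines with the wrapped lines rejoined. It also names the encryption type reported in the AP-REQ lines and flags the DES and RC4 types that RFC 8429 deprecates.

```python
"""Triage Alfresco smb.protocol.auth Kerberos debug output.

Groups the lines into one record per "NT Session setup SPNEGO" and reports,
per session, whether the ticket was accepted (an AP-REP was built) and whether
the following repository user lookup succeeded.  Added example; assumes only
the log layout quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: the lines quoted above, with wrapped lines rejoined.
SAMPLE_LOG = """\
18:22:29,634  DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=8, UID=0, PID=65279
18:22:29,639  DEBUG [smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=912,Authenticator=EncType=3,Kvno=-1,Len=168]
18:22:29,640  DEBUG [smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
18:22:29,666  DEBUG [smb.protocol.auth] Using OID MS Kerberos5 for NegTokenTarg
18:22:29,670  DEBUG [smb.protocol.auth] Created NegTokenTarg using updated AP-REP, added subkey
18:22:29,670  DEBUG [smb.protocol.auth] Machine account logon, MPWKS150$, as null logon
18:22:29,670  DEBUG [smb.protocol.auth] Logged on using Kerberos, user MPWKS150$
18:22:29,671  DEBUG [smb.protocol.auth] User  logged on  (type Null)
18:22:29,695  DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=24, UID=0, PID=65279
18:22:29,701  DEBUG [smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=1184,Authenticator=EncType=3,Kvno=-1,Len=168]
18:22:29,701  DEBUG [smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
18:22:29,717  DEBUG [smb.protocol.auth] Using OID MS Kerberos5 for NegTokenTarg
18:22:29,719  DEBUG [smb.protocol.auth] Created NegTokenTarg using updated AP-REP, added subkey
18:22:29,841 User:fredb ERROR [smb.protocol.auth] Kerberos logon error
18:22:29,841 User:fredb ERROR [smb.protocol.auth] org.alfresco.repo.security.authentication.AuthenticationException: Could not find user by userName: fredb
"""

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757); DES and
# RC4-HMAC are deprecated by RFC 8429.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d,\d{3})\s+(?:User:(\S+)\s+)?([A-Z]+)\s+\[([^\]]+)\]\s*(.*)$")
SETUP_RE = re.compile(r"NT Session setup SPNEGO, MID=(\d+)")
APREQ_RE = re.compile(r"EncType=(\d+),Kvno=(-?\d+)")
MACHINE_RE = re.compile(r"Machine account logon, (\S+), as null logon")
LOGON_RE = re.compile(r"Logged on using Kerberos, user (\S+)")
EXC_RE = re.compile(r"AuthenticationException: (.*)$")


@dataclass
class SessionSetup:
    mid: int
    user: Optional[str] = None
    machine_account: bool = False
    ticket_ok: bool = False          # an AP-REP was built, so the ticket was accepted
    enc_type: Optional[int] = None   # authenticator encryption type from the AP-REQ line
    kvno: Optional[int] = None
    errors: List[str] = field(default_factory=list)

    @property
    def outcome(self) -> str:
        if self.errors:
            return "ticket accepted, repository lookup failed" if self.ticket_ok else "ticket rejected"
        if self.machine_account:
            return "machine account null session"
        return "logged on" if self.user else "incomplete"


def parse_sessions(text: str) -> List[SessionSetup]:
    """One SessionSetup per SPNEGO session setup, in log order."""
    sessions: List[SessionSetup] = []
    cur: Optional[SessionSetup] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group(4) != "smb.protocol.auth":
            continue
        ctx, level, msg = m.group(2), m.group(3), m.group(5)
        s = SETUP_RE.search(msg)
        if s:
            cur = SessionSetup(mid=int(s.group(1)))
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if level == "ERROR":
            e = EXC_RE.search(msg)
            cur.errors.append(e.group(1) if e else msg)
            if ctx and not cur.user:       # the User: context names the mapped user
                cur.user = ctx
            continue
        a = APREQ_RE.search(msg)
        if a:
            cur.enc_type, cur.kvno = int(a.group(1)), int(a.group(2))
        elif "Created NegTokenTarg using updated AP-REP" in msg:
            cur.ticket_ok = True
        mm = MACHINE_RE.search(msg)
        if mm:
            cur.user, cur.machine_account = mm.group(1), True
        lm = LOGON_RE.search(msg)
        if lm:
            cur.user = lm.group(1)
    return sessions


def weak_enctypes(sessions: List[SessionSetup]) -> Set[int]:
    """Encryption types seen in AP-REQ authenticators that RFC 8429 deprecates."""
    return {s.enc_type for s in sessions if s.enc_type in WEAK_ENCTYPES}


def summarize(text: str) -> List[str]:
    lines = []
    for s in parse_sessions(text):
        enc = ENCTYPE_NAMES.get(s.enc_type, str(s.enc_type))
        lines.append(f"MID={s.mid} user={s.user} enctype={enc} kvno={s.kvno}: {s.outcome}")
        lines.extend(f"    error: {e}" for e in s.errors)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
    if weak_enctypes(parse_sessions(SAMPLE_LOG)):
        print("note: deprecated DES/RC4 encryption type in use for the cifs/ service key")
```

On the sample, the first session (MID=8) is the workstation's machine account arriving as a null session, and the second (MID=24) shows the ticket accepted (AP-REP built) and only the repository lookup of fredb failing, which is the distinction the poster is asking about. Both AP-REQ lines carry EncType=3 (des-cbc-md5), so the script also reports the deprecated key type.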

rogier_oudshoor
Champ in-the-making
I've seen such an issue before, but not in the context of CIFS. Alfresco used to require a valid local authentication in order to validate a ticket. However, I don't think CIFS uses tickets.