LDAP and CIFS not working together

simon
Champ in-the-making
Hi, yet another LDAP related problem…

We configured Alfresco to authenticate with Active Directory, wasn't easy but it works now… almost.

Authentication in the web client is working fine but CIFS fails horribly. CIFS works as expected when the LDAP authentication isn't used, but when we enable the LDAP authentication the CIFS server disappears. I can ping alfresco_A when LDAP is turned off but not when it's enabled; conclusion: the CIFS server doesn't even start when we use the LDAP authentication.

I get the following error when starting Alfresco:
16:58:38,898 ERROR [org.alfresco.smb.protocol] Failed to get local domain/workgroup name, using default of WORKGROUP
16:58:38,898 ERROR [org.alfresco.smb.protocol] (This may be due to firewall settings or incorrect <broadcast> setting)
16:58:38,908 ERROR [org.alfresco.smb.protocol] File server configuration error, Wrong authentication setup for alfresco authenticator
The first 2 lines shouldn't be important, we get the same errors if we don't use the LDAP authentication but CIFS works, the third line is the new one. Which Alfresco authenticator and where should I define this?

Does it have something to do with the file-servers.xml? Don't know what this is for:
      <globalAccessControl default="None">
         <user name="admin" access="Write"/>
         <address ip="90.1.0.90" access="Write"/>
      </globalAccessControl>

      <users>
         <localuser name="user">
            <password>user</password>
            <comment>Normal user account</comment>
         </localuser>

         <localuser name="administrator">
            <password>admin</password>
            <administrator/>
            <comment>Administrator account</comment>
         </localuser>
      </users>

Using Alfresco Enterprise 1.2.0 on Linux. Thanks for helping out!

UPDATE _________________________

The 3rd error (wrong authenticator error) is gone when I remove these 2 lines in the file-servers.xml file:
      <authenticator type="alfresco">
      </authenticator>
Alfresco starts up and the CIFS server starts. When I mount a network drive from Windows all goes wrong. The drive is mounted but immediately the "network drive no longer available" message shows up.

The log file is filled with error messages:
17:22:36,474 ERROR [org.alfresco.smb.protocol] Closing session due to exception
net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
        at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:477)
        at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:355)
        at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:37)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
        at $Proxy16.selectNodes(Unknown Source)
        at org.alfresco.repo.model.filefolder.FileFolderServiceImpl.search(FileFolderServiceImpl.java:389)
        at org.alfresco.repo.model.filefolder.FileFolderServiceImpl.search(FileFolderServiceImpl.java:338)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:335)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:181)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148)
        at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:37)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
        at $Proxy28.search(Unknown Source)
        at org.alfresco.filesys.smb.server.repo.CifsHelper.getDirectDescendents(CifsHelper.java:387)
        at org.alfresco.filesys.smb.server.repo.CifsHelper.addDescendents(CifsHelper.java:361)
        at org.alfresco.filesys.smb.server.repo.CifsHelper.getNodeRefs(CifsHelper.java:436)
        at org.alfresco.filesys.smb.server.repo.CifsHelper.getNodeRef(CifsHelper.java:459)
        at org.alfresco.filesys.smb.server.repo.ContentDiskDriver.getNodeForPath(ContentDiskDriver.java:1883)
        at org.alfresco.filesys.smb.server.repo.ContentDiskDriver.getFileInformation(ContentDiskDriver.java:526)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.procTrans2QueryPath(NTProtocolHandler.java:4214)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.processTransactionBuffer(NTProtocolHandler.java:2009)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.procTransact2(NTProtocolHandler.java:1828)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:229)
        at org.alfresco.filesys.smb.server.SMBSrvSession.runHandler(SMBSrvSession.java:1667)
        at org.alfresco.filesys.smb.server.SMBSrvSession.run(SMBSrvSession.java:1568)
        at java.lang.Thread.run(Thread.java:595)
17:22:36,474 ERROR [org.alfresco.smb.protocol] Closing session due to exception
net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
        at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:477)
        at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:355)
        at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:37)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
… (keeps on going like this)

Seems that I should define a proper authenticator in the file-servers.xml file, but which one?!

andy
Champ on-the-rise
Hi Simon

The current CIFS code requires an MD4 password hash to work, or the NTLM passthrough authentication component. This is just how the NTLM authentication chit-chat works. The LDAP authentication does not have this information to hand. (Windows has it sneaked away or uses some other mechanism such as Kerberos.) This is the only reason we use MD4 password hashes.

The situation is covered in the authentication docs.

NTLM authentication would work with CIFS and SingleSignOn, but it can not go against multiple servers, nor is it being updated as part of the CIFS upgrades. You could chain them together but CIFS does not do similar chaining yet. I have raised this with our CIFS expert.

Work is active to support the more advanced options for CIFS authentication. Here are the quotes….

The new CIFS authenticator can use MD4 hashes if the auth component supports it, that allows the client to use NTLMv1 or v2, and/or also do kerberos to AD, depending on what the client decides to do.

A Windows domain workstation will use kerberos whereas a non-domain client tends to use NTLMv2, also tested with Mac OSX, that used NTLMv2

It would be possible to store MD4 hashes in memory for people who had previously authenticated against the repo, then use these. You must have logged in at least once to the repo to use CIFS. Would this do? I have no other ideas here …

Hope this explains it.

Regards

Andy

simon
Champ in-the-making
Thanks Andy!

So there are 2 different solutions here: NTLM or MD4 hashing. The NTLM authentication solves the MD4 hashing as I understand from your schema, correct?

NTLM is a problem for some reasons in our current setup (no login page to show messages, problems with our OpenLDAP authentication,…) so I would like to solve the MD4 hashing problem without using NTLM. Is this possible?

How do I use MD4 hashing for the CIFS interface?!

Would be nice to have it up and running before the weekend.

andy
Champ on-the-rise
Hi Simon

The diagram shows how it will be ….

CIFS uses NTLM/NTLMv2/Kerberos under the hood.
It has its own authentication dialog between the client and our own CIFS server code.

For an authentication service to fit in with current CIFS authentication it has to provide passthrough NTLM support or be able to provide the MD4 password hash. This is then used between our server and the CIFS client in the authentication protocol.

So how can LDAP in general get the MD4 password hash given a user name?
The answer is it can not.

There are two special cases: either the password is in plain text, or it is already MD4 hashed. The latter is how our base authentication service supports CIFS. The NTLM authentication component does real NTLM auth by passthrough to the real thing.

You will not be able to use CIFS with LDAP and the current release.
Simply due to the MD4 password issue. We do not support the two special cases above in the LDAP authentication.

What I was going on about (without enough background) in the previous post is this:

It is possible that as users login (and we know the password is correct) we could cache the MD4 hash of the password, and make this available for CIFS. So in effect, all authentication components could support CIFS regardless of what happens underneath. This would require code changes and the user would have to log into the repo once before they could use CIFS - which would be a bit odd.

The next release of the CIFS server may not have this restriction for clients that support Kerberos tickets, but as I understand it NTLM and NTLMv2 will still need to get hold of the MD4 hash.

I hope this explains the situation

Regards

Andy
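
To make Andy's "MD4 password hash" point concrete, here is an added worked example (not code from the thread or from Alfresco) of the two halves of an NTLMv2 exchange: the NT hash is MD4 over the UTF-16LE password, and the server can only verify the client's NTProofStr if it holds that hash (or the plaintext to derive it). A pure LDAP bind yields neither, which is exactly the gap Andy describes. MD4 is implemented inline because hashlib's md4 is often disabled in OpenSSL 3 builds. The user name, domain, challenges and the zero timestamp are constructed values, and the NTLMv2 blob layout follows MS-NLMP 3.3.2; modelling "LDAP authenticator" as a server with no stored hash is this example's own assumption.

```python
import hmac
import struct
from hashlib import md5

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _md4_block(state, block):
    """One 64-byte MD4 compression (RFC 1320): three rounds of 16 steps."""
    X = list(struct.unpack("<16I", block))
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for f, order, shifts, k in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + f(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers so the next step updates "d"
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (little-endian padding and output)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The 'MD4 password hash' of the thread: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), md5).digest()


def ntlmv2_response(nthash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: NTProofStr || blob, as sent in the NTLMv2 AUTHENTICATE message."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + temp, md5).digest()
    return proof + temp


def server_verify(nthash, user, domain, server_challenge, response) -> bool:
    """Server side: recompute NTProofStr. Without the NT hash there is nothing to compare against."""
    if nthash is None or len(response) < 16:
        return False
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + temp, md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    # Constructed values; a real server draws its 8-byte challenge from os.urandom.
    user, domain, password = "simon", "EXAMPLE", "password"
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("fedcba9876543210")
    resp = ntlmv2_response(nt_hash(password), user, domain, server_challenge, client_challenge, 0, b"")
    return {
        # special case 2: the store already holds the MD4 hash (Alfresco's base authenticator)
        "stored_md4_hash": server_verify(nt_hash(password), user, domain, server_challenge, resp),
        # special case 1: plaintext available, hash derived on the fly
        "derived_from_plaintext": server_verify(md4("password".encode("utf-16-le")), user, domain, server_challenge, resp),
        # LDAP bind only: no hash, no plaintext, so verification is impossible
        "ldap_bind_only": server_verify(None, user, domain, server_challenge, resp),
        # a wrong hash (e.g. stale cache) must fail, not pass
        "wrong_hash": server_verify(nt_hash("other"), user, domain, server_challenge, resp),
    }
```

Note that the server never sees the password: the challenge/response binds the client's proof to the NT hash, so an authenticator that can only ask a directory "is this password right?" cannot take part. That is why the thread's two workable paths are a hash store, a passthrough to a real domain controller, or (later) Kerberos.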

eron123
Champ in-the-making
I am getting these same few errors, but I don't believe I'm using the CIFS system. (I haven't renamed file-servers-custom.xml.sample to .xml)

I am using LDAP, and the bottom three messages on this trace are the issue. Notice the first two lines as well, as these may be related. Can this issue come up if I'm not using the file-servers-custom.xml file? Is the license error related? We are using a valid enterprise version 1.3 of Alfresco, but I have always seen this error.

13:16:54,080 WARN  [DescriptorService] Alfresco license: Failed to verify license - Invalid License!
13:16:54,081 WARN  [DescriptorService] Alfresco license: Restricted Alfresco Repository to read-only capability
13:16:54,082 INFO  [RAMJobStore] RAMJobStore initialized.
13:16:54,082 INFO  [StdSchedulerFactory] Quartz scheduler 'LicenseVerifier' initialized from an externally provided properties instance.
13:16:54,082 INFO  [StdSchedulerFactory] Quartz scheduler version: 1.4.5
13:16:54,087 INFO  [QuartzScheduler] Scheduler LicenseVerifier_$_NON_CLUSTERED started.
13:16:54,397 INFO  [PatchExecuter] Checking for patches to apply …
13:16:54,454 INFO  [PatchExecuter] No patches were required.
13:16:54,541 INFO  [ContentDiskDriver] Locked files will be marked as offline
13:16:54,578 ERROR [protocol] Failed to get local domain/workgroup name, using default of WORKGROUP
13:16:54,578 ERROR [protocol] (This may be due to firewall settings or incorrect <broadcast> setting)
13:16:54,588 ERROR [org.alfresco.smb.protocol] File server configuration error, Wrong authentication setup for alfresco authenticator

hansasi
Champ in-the-making
I was wondering if anyone at Alfresco (or other) could comment on the status of these proposed authentication changes. We are having the same issue with trying to enable the CIFS server when using LDAP as the authenticator.

Are these new proposed changes supported by the upcoming 1.4?

Thanks-
Hans

andy
Champ on-the-rise
Hi

CIFS can now authenticate directly to Active Directory using Kerberos.

You could use LDAP, or Kerberos to authenticate against the same AD server.

Regards

Andy