NTLM and CIFS configuration

stastsarevsky
Champ in-the-making
Hi,

I'm fully confused with configuring NTLM authentication and CIFS. The version of Alfresco is 2.1 Community Edition on Windows 2003 Server/Tomcat. So far I have tried two ways:

1) Configuring NTLM for web access, as described in "Configuring NTLM" in the wiki. It works perfectly fine. I was able to access http://servername:8080/alfresco with a domain user; IE automatically logs me in. For CIFS I tried to follow "Configuring the CIFS server for Kerberos/Active Directory integration", but I can't access my server. I don't have any exceptions in the Tomcat log. I have successful logons in the security event viewer both on the computer Alfresco is installed on and on the domain controller. But still, when I try to access servername_a it shows the login dialog and says login failed.


2) Tried to configure JAAS authentication for CIFS. In the end I get the same results as in the previous example.

My question is what exactly needs to be configured if I'm using NTLM authentication for web access and would like to use AD users to access CIFS.

stastsarevsky
Champ in-the-making
I was still not able to configure any access via CIFS using either passthru or Kerberos authentication. Here are my configuration files:

java.login.config


Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

java.security

login.config.url.1=file:${java.home}/lib/security/java.login.config

C:\WINNT\kb5.ini

[libdefaults]
default_realm = TEST

[realms]
TEST = {
  kdc = w2k3dc1.test.virtec
  admin_server = w2k3dc1.test.virtec
}


[domain_realm]
w2k3dc1.test.virtec = TEST
.w2k3dc1.test.virtec = TEST

file-servers.xml

<alfresco-config area="file-servers">

   <config evaluator="string-compare" condition="CIFS Server">
     <serverEnable enabled="true"/>
      <host name="W3KSERVER_A" domain="TEST"/>
      <comment>Alfresco CIFS Server</comment>

      <!-- Set to the broadcast mask for the subnet -->
      <broadcast>255.255.255.255</broadcast>

      <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
      <tcpipSMB platforms="linux,solaris,macosx"/>
      <netBIOSSMB platforms="linux,solaris,macosx"/>

      
      <hostAnnounce interval="5"/>

      <!-- Use Win32 NetBIOS interface on Windows -->
      <Win32NetBIOS/>
      <Win32Announce interval="5"/>

      <sessionDebug flags="Negotiate,Socket,Tree,Errors,State"/>
   </config>

   <config evaluator="string-compare" condition="FTP Server">
     <serverEnable enabled="true"/>

   </config>
  
   <config evaluator="string-compare" condition="NFS Server">
     <serverEnable enabled="false"/>
   </config>
   
   <config evaluator="string-compare" condition="Filesystems">
     <filesystems>
    
       <!-- Alfresco repository access shared filesystem -->
         <filesystem name="Alfresco">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>

         <!-- Add a URL file to each folder that links back to the web client -->
         <urlFile>
               <filename>__AlfrescoClient.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>

         <!-- Mark locked files as offline -->
          <offlineFiles/>

         <!-- Desktop actions -->
         <!-- Uses a client-side application to trigger a server-side action                         -->
         <!--   Echo - displays a message echoed from the server                                     -->
         <!--   URL  - launches a URL via the Windows shell                                          -->
         <!--   CmdLine - launches the Notepad application                                           -->
         <!--   CheckInOut - checks files in/out, drag and drop files onto the application           -->
         <!--   JavaScript - run a server-side script                                                -->
         <!--   JavaScriptURL - server-side script that generates a URL to the folder using a ticket -->
         <!--                   to avoid having to logon                                             -->

<!--
         <desktopActions>
            <global>
                    <path>alfresco/desktop/Alfresco.exe</path>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </global>
            <action>
               <class>org.alfresco.filesys.smb.server.repo.desk.EchoDesktopAction</class>
               <name>Echo</name>
                 <filename>__AlfrescoEcho.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.smb.server.repo.desk.URLDesktopAction</class>
               <name>URL</name>
                 <filename>__AlfrescoURL.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.smb.server.repo.desk.CmdLineDesktopAction</class>
               <name>CmdLine</name>
                 <filename>__AlfrescoCmd.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.smb.server.repo.desk.CheckInOutDesktopAction</class>
               <name>CheckInOut</name>
                 <filename>__AlfrescoCheckInOut.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
               <name>JavaScript</name>
               <filename>__AlfrescoScript.exe</filename>
               <script>alfresco/desktop/dumpRequest.js</script>
               <attributes>anyFiles, multiplePaths , allowNoParams</attributes>
               <preprocess>confirm, copyToTarget</preprocess>
            </action>
            <action>
               <class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
               <name>JavaScriptURL</name>
               <filename>__AlfrescoDetails.exe</filename>
               <script>alfresco/desktop/showDetails.js</script>
               <attributes>anyFiles</attributes>
               <preprocess>copyToTarget</preprocess>
            </action>

         </desktopActions>
-->
                   
<!--
            <accessControl default="Write">
               <user name="admin" access="Write"/>
               <address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
            </accessControl>
-->
         </filesystem>
       
       <!-- AVM virtualization view of all stores/versions for WCM -->
         <avmfilesystem name="AVM">
            <virtualView/>
         </avmfilesystem>
       
      </filesystems>
   </config>


<config evaluator="string-compare" condition="Filesystem Security">
<authenticator type="passthru">
<LocalDomain/>
</authenticator>
</config>


</alfresco-config>


jaas-authentication-context.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!-- The authentication component.                                      -->

    <!-- JAAS authentication - most of the config goes somewhere else       -->
      
    <bean id="authenticationComponent"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>TEST</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean>

      <bean id="alfDaoImpl" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
           <property name="proxyInterfaces">
                  <value>
                      org.alfresco.repo.security.authentication.MutableAuthenticationDao
                  </value>
           </property>
           <property name="transactionManager">
                  <ref bean="transactionManager" />
           </property>
           <property name="target">
                  <bean class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />
           </property>
           <property name="transactionAttributes">
                <props>
                     <prop key="*">${server.transaction.mode.default}</prop>
                </props>
           </property>
      </bean>

</beans>

alfresco.log

14:40:09,533 DEBUG [org.alfresco.smb.protocol.auth] Passthru finding domain controller for TEST …
14:40:09,877 DEBUG [org.alfresco.smb.protocol.auth]   Found 1 domain controller(s)
14:40:09,877 DEBUG [org.alfresco.smb.protocol.auth] Added passthru server [TEST\W2K3DC1:192.168.0.235:Offline:0,0]
14:40:09,986 DEBUG [org.alfresco.smb.protocol.auth] New auth session from w3kserver_1 to \\192.168.0.235\IPC$\
14:40:09,986 DEBUG [org.alfresco.smb.protocol.auth] Trying address 192.168.0.235
14:40:09,986 DEBUG [org.alfresco.smb.protocol.auth] Connected to address 192.168.0.235
14:40:09,986 DEBUG [org.alfresco.smb.protocol.auth] Connected session, protocol : TCP/IP NetBIOS
14:40:09,986 DEBUG [org.alfresco.smb.protocol.auth] SessionFactory: Negotiated SMB dialect NT LM 0.12
14:40:10,002 DEBUG [org.alfresco.smb.protocol.auth] Passthru server online, [TEST\W2K3DC1:192.168.0.235:Online:0,0]
14:40:15,205 WARN  [org.springframework.remoting.rmi.RmiRegistryFactoryBean] Could not detect RMI registry - creating new one
14:40:26,846 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
14:40:29,252 INFO  [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: C:\Alfresco\alf_data
14:40:29,533 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Checking for patches to apply …
14:40:29,643 INFO  [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
14:40:29,830 DEBUG [org.alfresco.smb.protocol] Added desktop action CheckInOut
14:40:29,830 DEBUG [org.alfresco.smb.protocol] Added desktop action JavaScriptURL
14:40:29,986 DEBUG [org.alfresco.smb.protocol] Local domain name is TEST (via JNI)
14:40:29,986 DEBUG [org.alfresco.smb.protocol.auth] Passthru finding domain controller for TEST …
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth]   Found 1 domain controller(s)
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth] Added passthru server [TEST\W2K3DC1:192.168.0.235:Offline:0,0]
14:40:30,002 INFO  [org.alfresco.smb.protocol] CIFS server started
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth] New auth session from w3kserver_2 to \\192.168.0.235\IPC$\
14:40:30,002 INFO  [org.alfresco.smb.protocol] FTP server started
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth] Trying address 192.168.0.235
14:40:30,002 INFO  [org.alfresco.smb.protocol] NFS server NOT started
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth] Connected to address 192.168.0.235
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth] Connected session, protocol : TCP/IP NetBIOS
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth] SessionFactory: Negotiated SMB dialect NT LM 0.12
14:40:30,002 DEBUG [org.alfresco.smb.protocol.auth] Passthru server online, [TEST\W2K3DC1:192.168.0.235:Online:0,0]
14:40:30,018 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.5.0_08-b03; maximum heap size 506,313MB
14:40:30,018 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Community Network): Current version 2.1.0 (R1 443) schema 62 - Installed version 2.1.0 (R1 443) schema 62
14:40:30,111 INFO  [org.alfresco.smb.protocol] SMB Server W3KSERVER_A starting
14:40:30,111 INFO  [org.alfresco.smb.protocol] GUID 8f6645ae-1766-3622-bdfc-420fe6990391
14:40:30,111 INFO  [org.alfresco.smb.protocol] Using authenticator org.alfresco.filesys.server.auth.passthru.PassthruAuthenticator
14:40:30,111 INFO  [org.alfresco.smb.protocol] Server timezone Europe/Berlin, offset from UTC = -1hrs
14:40:30,111 INFO  [org.alfresco.smb.protocol] Shares:
14:40:30,127 INFO  [org.alfresco.smb.protocol]  [Alfresco,DISK,,[Alfresco,workspace://SpacesStore/bb81fb57-3a73-11dc-bc20-21e3719ab596]] [Alfresco,workspace://SpacesStore/bb81fb57-3a73-11dc-bc20-21e3719ab596]
14:40:30,127 INFO  [org.alfresco.smb.protocol]  [AVM,DISK,,[AVM,VirtualView]] [AVM,VirtualView]
14:40:30,127 INFO  [org.alfresco.smb.protocol] Add Share [IPC$,IPC$,,Admin,Hidden] : true
14:40:30,596 DEBUG [org.alfresco.smb.protocol] Win32 NetBIOS Available LANAs: 0
14:40:30,611 DEBUG [org.alfresco.smb.protocol] Win32 NetBIOS server W3KSERVER_A (using Winsock)
14:40:36,658 DEBUG [org.alfresco.smb.protocol] Win32 NetBIOS created session handler on LANA 0
14:40:36,674 DEBUG [org.alfresco.smb.protocol] Win32 NetBIOS host announcer enabled on LANA 0
14:40:36,674 DEBUG [org.alfresco.smb.protocol] Waiting for Win32 NetBIOS session request (Winsock) …
14:40:36,690 DEBUG [org.alfresco.smb.protocol.mailslot] HostAnnouncer: Announced host W3KSERVER_A
14:40:36,690 DEBUG [org.alfresco.smb.protocol] Win32 NetBIOS register listener for LANA 0
14:40:41,690 DEBUG [org.alfresco.smb.protocol.mailslot] HostAnnouncer: Announced host W3KSERVER_A
14:40:51,690 DEBUG [org.alfresco.smb.protocol.mailslot] HostAnnouncer: Announced host W3KSERVER_A
14:41:11,690 DEBUG [org.alfresco.smb.protocol.mailslot] HostAnnouncer: Announced host W3KSERVER_A
14:41:51,690 DEBUG [org.alfresco.smb.protocol.mailslot] HostAnnouncer: Announced host W3KSERVER_A
14:43:11,705 DEBUG [org.alfresco.smb.protocol.mailslot] HostAnnouncer: Announced host W3KSERVER_A
14:45:51,705 DEBUG [org.alfresco.smb.protocol.mailslot] HostAnnouncer: Announced host W3KSERVER_A

savs
Champ in-the-making
Can anyone at Alfresco comment on this? We've also got NTLM authentication working, but cannot make CIFS work in conjunction with it. (We're not using LDAP or JAAS, as we're not sure whether they are also required.)

When using the enterprise authenticator we get:

14:18:41,829 ERROR [smb.protocol.auth] No valid CIFS authentication combination available
14:18:41,829 ERROR [smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
14:18:41,833 ERROR [alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
org.alfresco.error.AlfrescoRuntimeException: Invalid CIFS authenticator configuration
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:348)

When using the passthru authenticator we see no errors, but when trying to connect with e.g. smbclient we see:


smbclient -d10 -U foo \\\\10.1.100.100\\alfresco
… snip …
server didn't supply a full spnego negprot
… snip …
SPNEGO login failed: Unexpected information received
session setup failed: NT_STATUS_INVALID_PARAMETER

We've reviewed http://forums.alfresco.com/viewtopic.php?t=5169 and http://forums.alfresco.com/viewtopic.php?t=3777 and http://forums.alfresco.com/viewtopic.php?t=6887 and http://wiki.alfresco.com/wiki/CIFS_linux and http://wiki.alfresco.com/wiki/CIFS and http://wiki.alfresco.com/wiki/CIFS_Server_Authentication, but apart from providing conflicting advice, none of those resources help.

So - what's the definitive way of configuring CIFS and NTLM together?

mindthegab
Champ in-the-making
With respect to the previous post (we're working together), after raising the log level a little we get some more info when using enterprise authentication:

14:37:20,370 DEBUG [smb.protocol.auth] Added passthru server [myname.server.org:10.1.1.33:Offline:0,0]
14:37:20,399 DEBUG [smb.protocol.auth] New auth session from alfresco-test_1 to \\10.1.1.33\IPC$\
14:37:20,422 DEBUG [smb.protocol.auth] Trying address 10.1.1.33
14:37:20,425 DEBUG [smb.protocol.auth] Connected to address 10.1.1.33
14:37:20,426 DEBUG [smb.protocol.auth] Connected session, protocol : TCP/IP NetBIOS
14:37:20,438 DEBUG [smb.protocol.auth] SessionFactory: Negotiated SMB dialect NT LM 0.12
14:37:20,445 DEBUG [smb.protocol.auth] Passthru server online, [myname.server.org:10.1.1.33:Online:0,0]

After this (quite positive) message we still get the error mentioned by savs.

Help greatly appreciated :)

savs
Champ in-the-making
It seems that CIFS only works with NTLM authentication when you use the 'alfresco' authenticator. See http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#Which_authenticat...F for details

mikef
Champ in-the-making
Just to confirm. You have sso working via IE and not CIFS, correct?

What is your authenticator type set to in file-servers?

savs
Champ in-the-making
Just to confirm. You have sso working via IE and not CIFS, correct?

That's correct. We can connect to the Alfresco network share using smbclient, but Windows / Mac native clients fail to connect.

What is your authenticator type set to in file-servers?

It's set to 'alfresco'.
<config evaluator="string-compare" condition="Filesystem Security">
  <authenticator type="alfresco"/>
</config>

We've tried passthru, enterprise etc. but they don't seem to work.

mindthegab
Champ in-the-making
Just FYI,
we got it working (both IE and CIFS) after having checked AD user permissions.
So now we're able to have NTLM SSO in both environments, which is cool indeed 😉

Gab

PS.
It still fails on Mac OS X, but well, it's not our first priority.

mikef
Champ in-the-making
Good to hear you got it working.

It would be useful for other readers if you could provide some details on the '..checked AD user permissions'.

stastsarevsky
Champ in-the-making
Just FYI,
we got it working (both IE and CIFS) after having checked AD user permissions.
So now we're able to have NTLM SSO in both environments, which is cool indeed 😉

Gab

Could you describe step by step what exactly was done on the Alfresco machine to make CIFS use NTLM SSO? Also, is it running on Linux or on Windows?

What changes were made in:
1) file-servers.xml
2) ntlm-authentication-context.xml
3) kb5.ini if it's created
4) java.login.config if it's created
5) jaas-authentication-context.xml if it's created

Also, what AD user permissions were set for users, and was anything special done on the domain server (like creating an alfrescocifs user, registering service principals and so on)?