
NTLM and CIFS configuration

stastsarevsky
Champ in-the-making
Hi,

I'm fully confused with configuring NTLM authentication and CIFS. The version of Alfresco is 2.1 Community Edition on Windows 2003 Server/Tomcat. So far I have tried 2 ways:

1) Configuring NTLM for web access, as described in "Configuring NTLM" in the Wiki. Works perfectly fine. I was able to access http://servername:8080/alfresco with a domain user. IE automatically logs me in. For CIFS I've tried to follow "Configuring the CIFS server for Kerberos/Active Directory integration" but I can't access my server. I don't have any exceptions in the Tomcat log. I have a successful logon in the security event viewer both on the computer where Alfresco is installed and on the domain controller. But still, when I'm trying to access servername_a, it shows a login dialog and says login failed.


2) Tried to configure JAAS authentication for CIFS. At the end I'm getting the same results as in the previous example.

My question is what exactly needs to be configured if I'm using NTLM authentication for web access and would like to use AD users to access CIFS.
49 REPLIES

duxtinto
Champ in-the-making
Thanks for this post.
It's really useful.

On version 2.9b it is a little bit different, but I got it working.

ostein
Champ in-the-making
On 2.9C, we get the following log file entries when enabling NTLM passthru for CIFS. Is this a known issue?

07:06:15,811  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB0

07:06:15,826  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB0

07:06:15,826  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB0

07:06:15,826  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB0

07:06:18,967  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB1

07:06:18,967  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB1

07:06:27,045  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB0

07:08:54,402  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

07:08:54,496  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

07:08:58,668  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

07:08:58,699  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

07:08:58,715  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

07:08:58,840  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

07:08:58,887  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

07:08:58,918  DEBUG [smb.protocol.auth]   No PassthruDetails for WSNB2

mindthegab
Champ in-the-making
Being a DEBUG line, I don't think this is an issue. You can stop it from logging by lowering the appropriate log category.
Unless you have functional issues related to that one.

Ciao!

ostein
Champ in-the-making
Sorry for the confusion - the log file entries are not the problem per se, it's the fact that the passthrough is not working for CIFS…

Can anybody post a working configuration with AD authentication for 2.9C please?

ostein
Champ in-the-making
Anybody please?

aniruddh
Champ in-the-making
This is a very good post. For Alfresco 2.2 Enterprise an additional step is required to disable Tomcat's session persistence. Please look at this post for details http://forums.alfresco.com/viewtopic.php?f=9&t=12156&p=40893#p40656.

samuel_penn
Champ in-the-making
I'm seeing similar warnings to ostein, running 2.9C on Windows.

If I use the configuration suggested by mindthegab, then I get the following errors on startup:


16:57:26,265 User:System ERROR [smb.protocol.auth] No valid CIFS authentication combination available
16:57:26,265 User:System ERROR [smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
16:57:26,265 User:System ERROR [alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
org.alfresco.error.AlfrescoRuntimeException: Invalid CIFS authenticator configuration
        at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:351)
        at org.alfresco.jlan.smb.server.CIFSConfigSection.setAuthenticator(CIFSConfigSection.java:556)


If I add the following to file-servers-custom.xml in the "CIFS Server" configuration:


<authenticator type="passthru">
  <Server>172.31.31.18</Server>
</authenticator>

Then Alfresco starts up without any errors, but when I try to login to CIFS I get "DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2" logs in the console sometimes (possibly every dozen or so login attempts). Login fails, and defaults to "AXCELIA\admin". If I try to login as me, changing the user login to "AXCELIA\sam" I get an error dialog stating:

"The user name you typed is the same as the user name you logged in with. That user name has already been tried. A domain controller cannot be found to verify that user name."

I've also tried setting the <Server/> field to be "AXCELIA\172.31.31.18". Our domain is AXCELIA, and 172.31.31.18 is our domain controller. I can login to the web interface using SSO from Firefox with no problem (my IE gives a DNS error, but other people's IE works fine - I think there's something wacky with IE on my machine).

Do I really need to configure Kerberos? I've seen the wiki page for this, and it looks like a lot of work, but since SSO for the web interface works fine I'm not convinced it's needed, and that it's really complaining about lack of hashed password support.

Anyone have any ideas?

Thanks,
Sam.

mindthegab
Champ in-the-making
I used to work around it with chaining, e.g. configure a chaining auth with LDAP simple and the internal Alfresco authentication service in the chain.
This way the 2 authentications will be tried in sequence (and they have "quasi" the same users, e.g. only those newly added/removed since the last LDAP synchronization can be inconsistent), so that the web client will authenticate directly against LDAP (or whatever SSO) and CIFS goes to the synced copy on the local Alfresco.

As I said, it's a workaround as it's not 100% safe (imagine a user deleted because of company infringements who is still able to log in and delete CIFS stuff before a new LDAP sync occurs) but it's the best I could get to work for LDAP simple + CIFS.

HTH,
Gab
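
The gap described in the post above (an account removed from the directory that still works over CIFS until the next synchronization) can be checked for directly. The following is an added example, not part of the original post or of Alfresco: it compares a directory export with the locally held user list. The LDIF sample, the user names and the `LOCAL_ONLY` set are constructed, and how the two lists are obtained is left as an assumption.

```python
# Added example: audit for accounts that the local (synced) user store would
# still accept after the directory has removed or disabled them.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled AD account

# Constructed sample data: an LDIF-style directory export and the user names
# held in the local store that CIFS authenticates against.
SAMPLE_LDIF = """\
dn: CN=Sam,OU=Staff,DC=example,DC=test
sAMAccountName: sam
userAccountControl: 512

dn: CN=Olga,OU=Staff,DC=example,DC=test
sAMAccountName: olga
userAccountControl: 514
"""
SAMPLE_LOCAL_USERS = ["admin", "sam", "Olga", "bob"]
LOCAL_ONLY = {"admin", "guest"}  # assumed built-in accounts, never in the directory


def parse_ldif(text):
    """Return {lowercased sAMAccountName: userAccountControl} from LDIF text."""
    accounts = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith((" ", "#")) or ": " not in line:
                continue  # comments and folded continuation lines are skipped
            key, value = line.split(": ", 1)
            attrs[key.lower()] = value.strip()
        name = attrs.get("samaccountname")  # base64 ("::") values are not decoded
        if name:
            accounts[name.lower()] = int(attrs.get("useraccountcontrol", "0"))
    return accounts


def stale_local_accounts(local_users, directory, local_only=LOCAL_ONLY):
    """Classify local users that the directory no longer vouches for."""
    findings = {"missing": [], "disabled": []}
    for user in local_users:
        key = user.lower()
        if key in local_only:
            continue
        if key not in directory:
            findings["missing"].append(user)   # deleted upstream, still local
        elif directory[key] & ACCOUNTDISABLE:
            findings["disabled"].append(user)  # disabled upstream, still local
    return findings


if __name__ == "__main__":
    print(stale_local_accounts(SAMPLE_LOCAL_USERS, parse_ldif(SAMPLE_LDIF)))
```

Any name reported under `missing` or `disabled` is an account that could still authenticate against the local copy until the next synchronization removes it.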

samuel_penn
Champ in-the-making
Well, I moved back to 2.2, and your original instructions worked eventually. By forcing lots of attempts to login (actually whilst trying to get some debug out of it), it finally got the authentication information and allowed me to use CIFS using my domain account. It may have had something cached, or just had a dead connection (though Alfresco had been restarted many times). Anyway, it's working now.

Thanks,

Sam.

karakartal
Champ in-the-making
As of version 3.0 I am still having the problem:
No PassthruDetails for WSNB1

I am trying to use Active Directory + NTLM + CIFS

Any comments?