passthru with 2 different domains works every other time

gnyce
Champ in-the-making
According to http://docs.alfresco.com/community/concepts/auth-passthru-domainprops.html I can have two different domains with two different domain-controllers doing the authentication (for CIFS).  So let's say I have:

  passthru.authentication.servers=WINDOM.COM\\master.domain.com,SMBDOM\\samba4.anotherdomain.com

If I then test CIFS authentication, with an account in WINDOM.COM, it is successful every other time (and every other time, it fails).

  smbclient //alfresco.anotherdomain.com/alfresco -UWINDOM.COM\\user1

In this instance, "user1" does not exist in the SMBDOM… which is ok, I'm specifying WINDOM.COM.  And yet, the auth request for "user1" works every other time - as if Alfresco is merely bouncing between the two servers for authentication.

Is anyone else using two different domains with success?  NOTE: my need is temporary but possible long-term, as we move from an older Windows AD to a Samba4 AD implementation.  Both work individually, but when you combine them, as you are seemingly allowed to do, I get these results.
2 REPLIES

mrogers
Star Contributor
SMB authentication is generally an oddity and needs to be described separately.   I don't see anything on that page talking about how passthrough applies to the different authentication methods so perhaps that should be added.  You can't chain NTLM authentication.   If it is indeed load balancing between the two domain controllers then your behaviour is exactly what I'd expect.

I think there needs to be a little more investigation and clarification of that page since it may be misleading. Unfortunately I don't have the answers off the top of my head, so some investigation is required.

gnyce
Champ in-the-making
OK, thank you mrogers.  I'll add some detail, in case that helps.  I am taking that page at face value, so if that is not quite the case, that might make a difference.  Specifically the parts to which I refer are:

- "If the client specifies a domain name in its login request, then the appropriate server will be used for the authentication.
- Domain mappings can also be specified to route authentication requests to the appropriate server.
- If a server handles authentication for multiple domains then multiple entries can be added in the server list prefixed with each domain name."
__________________

My auth chain is:  alfrescoNTLM, passthru, ldap.  My ./tomcat/shared/classes/alfresco-global.properties has these lines:

  authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap
  alfresco.authentication.authenticateCIFS=false
  ntlm.authentication.sso.enabled=false
  ntlm.authentication.authenticateCIFS=false
  passthru.authentication.authenticateCIFS=true
  ldap.authentication.active=yes
  ldap.authentication.authenticateCIFS=false

which I think means that CIFS should only apply to the passthru subsystem.  So I don't think what I'm doing is "different authentication methods" for CIFS, but rather, wholly within the passthru subsystem, using multiple (distinct) domains.

Re-reading the doc page, I notice that I am missing one thing in my config… "There must be at least one entry in the server list that does not have a domain prefix. This is the catch all entry that will be used if the client domain cannot be determined from the NTLM request or using domain mapping."  I will try that when I get some downtime scheduled.
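To make the routing rules quoted from the documentation concrete, here is a small added example (my own illustration, not Alfresco's code and not how the passthru subsystem is actually implemented). It parses a `passthru.authentication.servers` value into its domain-prefixed entries and optional catch-all, flags the missing catch-all that the poster noticed, and shows which server a login request would be routed to. The precedence (explicit domain in the request, then a domain supplied by domain mapping, then the catch-all) is my assumption from the quoted text. Note that `\\` in the properties file is a Java-properties escape, so after loading Alfresco sees a single backslash, which is what the Python string literals below also contain.

```python
"""Added example: parse and sanity-check an Alfresco passthru server list.

Not Alfresco's own code; the routing precedence is an assumption drawn from
the documentation quoted in the thread.
"""

from typing import Dict, List, Optional, Tuple

# The value as the poster wrote it (constructed to match the thread). The
# properties file spells the separator "\\", which loads as one backslash.
POSTER_SERVERS = "WINDOM.COM\\master.domain.com,SMBDOM\\samba4.anotherdomain.com"

# Same list with the catch-all entry the documentation requires (assumed
# choice of catch-all server, for illustration only).
FIXED_SERVERS = POSTER_SERVERS + ",samba4.anotherdomain.com"


def parse_server_list(value: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Split "DOM\\server,DOM2\\server2,server3" into ({DOM: server, ...},
    catch_all). Entries without a domain prefix are the catch-all; domain
    names are compared case-insensitively (assumption)."""
    domains: Dict[str, str] = {}
    catch_all: Optional[str] = None
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "\\" in entry:
            domain, server = entry.split("\\", 1)
            domains[domain.upper()] = server
        elif catch_all is None:
            catch_all = entry
        else:
            raise ValueError(f"second catch-all entry: {entry}")
    return domains, catch_all


def check_server_list(value: str) -> List[str]:
    """Return the configuration warnings a reviewer would raise."""
    domains, catch_all = parse_server_list(value)
    warnings: List[str] = []
    if not domains and catch_all is None:
        warnings.append("server list is empty")
    elif catch_all is None:
        warnings.append("no catch-all entry (server without a domain prefix)")
    return warnings


def route_auth(value: str, request_domain: Optional[str],
               mapped_domain: Optional[str] = None) -> Optional[str]:
    """Pick the server for one login request.

    request_domain is the domain the client put in its login (for example
    the WINDOM.COM in -UWINDOM.COM\\user1); mapped_domain is what domain
    mapping would supply for a client that gave none. Returns None when no
    entry matches and there is no catch-all, i.e. the request cannot be
    routed at all."""
    domains, catch_all = parse_server_list(value)
    for candidate in (request_domain, mapped_domain):
        if candidate and candidate.upper() in domains:
            return domains[candidate.upper()]
    return catch_all


if __name__ == "__main__":
    for label, servers in (("poster", POSTER_SERVERS), ("fixed", FIXED_SERVERS)):
        print(f"{label}: warnings={check_server_list(servers)}")
        print(f"  WINDOM.COM user -> {route_auth(servers, 'WINDOM.COM')}")
        print(f"  no domain given -> {route_auth(servers, None)}")
```

Running it shows the poster's list has no catch-all, so a request whose domain cannot be matched has nowhere to go, while the fixed list routes WINDOM.COM logins to master.domain.com and everything unmatched to the catch-all.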