Problem with CIFS authentication and kerberos

lme
Champ in-the-making
We have a problem while trying to authenticate our CIFS users with Kerberos/JAAS.

Context:
- alfresco-community-tomcat-1.3.0
- linux Debian/Sarge
- Java 1.5.0_05

From a fresh Alfresco install, I added these 2 files:
- tomcat/shared/classes/alfresco/extension/jaas-authentication-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!-- The authentication component.                                      -->

    <!-- JAAS authentication - most of the config goes somewhere else       -->
      
    <bean id="authenticationComponentImpl"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>MYDOMAIN.PRIV</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean>

      <bean id="alfDaoImpl" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
           <property name="proxyInterfaces">
                  <value>
                      org.alfresco.repo.security.authentication.MutableAuthenticationDao
                  </value>
           </property>
           <property name="transactionManager">
                  <ref bean="transactionManager" />
           </property>
           <property name="target">
                  <bean class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />
           </property>
           <property name="transactionAttributes">
                <props>
                     <prop key="*">${server.transaction.mode.default}</prop>
                </props>
           </property>
      </bean>

</beans>

- tomcat/shared/classes/alfresco/extension/file-servers-custom.xml
<alfresco-config area="file-servers">

   <config evaluator="string-compare" condition="CIFS Server">
      <host name="${localname}_A" domain="MYDOMAIN"/>
   </config>

   <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="enterprise">
        <KDC>kdcserver.mydomain.priv</KDC>
        <Realm>MYDOMAIN.PRIV</Realm>
        <Password>mypassword</Password>
      </authenticator>
   </config>

</alfresco-config>

The Kerberos server is up and running. I could add some users and authenticate with them in the web interface. I added a special user "cifs/ged2_a" (ged2 is the name of the server where Alfresco is installed). In the Kerberos logfile, I could see that this user is used when Alfresco is started.

All authentication works (web client, FTP, WebDAV), but CIFS fails.

Log when trying to log in from a Windows box:
15:37:29,428 DEBUG [alfresco.smb.protocol] TCP-SMB session request received from 192.168.1.65
15:37:29,439 DEBUG [alfresco.smb.protocol] Waiting for TCP-SMB session request …
15:37:29,439 DEBUG [alfresco.smb.protocol] Server session started
15:37:29,441 DEBUG [alfresco.smb.protocol] Negotiated SMB dialect - NT LM 0.12
15:37:29,488 DEBUG [alfresco.smb.protocol] Assigned protocol handler - org.alfresco.filesys.smb.server.NTProtocolHandler
15:37:29,491 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=1488, UID=0, PID=65279
15:37:29,590 DEBUG [smb.protocol.auth] User  logged on  (type Normal)
15:37:29,592 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=1496, UID=0, PID=65279
15:37:29,596 WARN  [smb.protocol.auth] Authentication component does not support MD4 password hashes

Log when trying to log in with smbclient:
smbclient //ged2/Alfresco -k
I must use 'ged2' instead of 'ged2_a', because smbclient is unable to resolve the ged2_a address.
11:37:45,609 DEBUG [alfresco.smb.protocol] TCP-SMB session request received from 192.168.1.206
11:37:45,609 DEBUG [alfresco.smb.protocol] Waiting for TCP-SMB session request …
11:37:45,609 DEBUG [alfresco.smb.protocol] Server session started
11:37:45,621 DEBUG [alfresco.smb.protocol] Negotiated SMB dialect - NT LM 0.12
11:37:45,621 DEBUG [alfresco.smb.protocol] Assigned protocol handler - org.alfresco.filesys.smb.server.NTProtocolHandler
11:37:45,625 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=2, UID=0, PID=2876
GSSException: No valid credentials provided
  No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
11:37:45,656 ERROR [alfresco.smb.protocol] Closing session due to exception
java.lang.NullPointerException
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1054)
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:624)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:399)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:213)
        at org.alfresco.filesys.smb.server.SMBSrvSession.run(SMBSrvSession.java:1554)
        at java.lang.Thread.run(Thread.java:595)
Is it possible to configure CIFS to use Kerberos without using NTLM and Active Directory? Is there something special to configure on the Kerberos server and client?
Do you have any hints? This is the only issue we have encountered on this project.
7 REPLIES

hfrank
Champ in-the-making
Any Comments from Alfresco team?

lme
Champ in-the-making
Hello,

I solved my problem by using Samba with an LDAP backend.

- web client, WebDAV and FTP: LDAP authentication
- CIFS: passthru to a Samba server which uses LDAP as a backend

Hope this helps.


Laurent

hfrank
Champ in-the-making
Hi, Laurent
Thanks for your reply.
Could you share your configuration file with us?
Thanks in advance.

Frank

andy
Champ on-the-rise
Hi

This is now fixed for single sign on as CIFS can authenticate Kerberos tickets.

Regards

Andy

dcrossma
Champ in-the-making
CIFS does not work with Kerberos authentication.

We have successfully set up chaining authentication using Alfresco and JAAS/Kerberos authentication. We can log in to the web client as local or Active Directory users.

I followed the instructions in the wiki for CIFS/Kerberos.
http://wiki.alfresco.com/wiki/Configuring_the_CIFS_server_for_Kerberos/Active_Directory_integration

When a user tries to map to the CIFS server we get the following:


13:41:25,224 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=8, UID=0, PID=65279
13:41:25,224 DEBUG [smb.protocol.auth] User  logged on  (type Normal)
13:41:25,224 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=16, UID=0, PID=65279
13:41:25,240 DEBUG [smb.protocol.auth] Null logon
13:41:25,240 DEBUG [smb.protocol.auth] Logged on using NTLMSSP/NTLMv2SessKey
13:41:25,240 DEBUG [smb.protocol.auth] User  logged on  (type Null)
13:41:25,240 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=32, UID=0, PID=65279
13:41:25,240 DEBUG [smb.protocol.auth] User  logged on  (type Normal)
13:41:25,240 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=40, UID=0, PID=65279
13:41:25,240 WARN  [smb.protocol.auth] User does not exist, dcrossma
13:41:29,161 DEBUG [alfresco.smb.protocol] Winsock NetBIOS session request received, caller=[MILKFISH:WorkStation,Unique,]
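
Added example (not part of any post in this thread, and not Alfresco code): a small Python triage of the SMB debug lines quoted in the posts above, showing that an "NT Session setup SPNEGO" line alone does not say whether the Kerberos or the NTLM path was taken inside SPNEGO. The tag names, the path labels and the 80-column unwrap rule are assumptions of this example; the sample logs are constructed from lines quoted in the thread, one of them hard-wrapped as a paste might be.

```python
import re

TS = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} ")
SETUP = re.compile(r"NT Session setup SPNEGO, MID=(\d+), UID=\d+, PID=(\d+)")
# Message fragment from the thread's logs -> (tag, SPNEGO path); naming is this example's own.
MARKERS = {
    "Failed to find any Kerberos Key": ("kerberos-key-missing", "kerberos"),
    "does not support MD4 password hashes": ("md4-hashes-unsupported", "ntlm"),
    "Logged on using NTLMSSP": ("ntlmssp-logon", "ntlm"),
    "User does not exist": ("user-not-found", None),
}

def unwrap(text, width=80):
    """Rejoin log lines that a paste hard-wrapped at `width` columns."""
    out, prev_len = [], 0
    for line in text.splitlines():
        if out and prev_len == width and not TS.match(line):
            out[-1] += line          # continuation of a wrapped line
        else:
            out.append(line)         # new log record or exception text
        prev_len = len(line)
    return out

def triage(text):
    """Summarise one excerpt: SPNEGO setups (MID, PID), paths taken, findings."""
    setups, paths, tags = [], [], []
    for line in unwrap(text):
        m = SETUP.search(line)
        if m:
            setups.append((int(m.group(1)), int(m.group(2))))
        for needle, (tag, path) in MARKERS.items():
            if needle in line and tag not in tags:
                tags.append(tag)
                if path and path not in paths:
                    paths.append(path)
    return {"setups": setups, "paths": paths, "findings": tags}

# Constructed samples built from lines quoted in this thread.
SMBCLIENT_LOG = """\
11:37:45,625 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=2, UID=0, PID=2876
GSSException: No valid credentials provided
  No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
"""
WINDOWS_LOG = """\
13:41:25,224 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=16, UID=0, P
ID=65279
13:41:25,240 DEBUG [smb.protocol.auth] Logged on using NTLMSSP/NTLMv2SessKey
13:41:25,240 WARN  [smb.protocol.auth] User does not exist, dcrossma
"""
```

A "paths" value of `["ntlm"]` for a client that was expected to present a Kerberos ticket is the signal to check first when reading these logs.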

equinoxefr
Champ in-the-making
Hi

This is now fixed for single sign on as CIFS can authenticate Kerberos tickets.

Regards

Andy


Hello,

I have the same problem with Alfresco Community 1.4. How can I fix it?

Thanks
Pierre

gcoleman
Champ in-the-making
(on behalf of dcrossma)

We managed to get it working by getting rid of the chaining authentication and using passthru instead of enterprise.