Problem with CIFS authentication and kerberos

lme
Champ in-the-making
We have a problem while trying to authenticate our CIFS users with Kerberos/JAAS.

Context:
- alfresco-community-tomcat-1.3.0
- linux Debian/Sarge
- Java 1.5.0_05

From a fresh Alfresco install, I added these 2 files:
- tomcat/shared/classes/alfresco/extension/jaas-authentication-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
    <!-- The authentication component. -->
    <!-- JAAS authentication - most of the config goes somewhere else -->
    <bean id="authenticationComponentImpl"
          class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>MYDOMAIN.PRIV</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean>

    <bean id="alfDaoImpl" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>
                org.alfresco.repo.security.authentication.MutableAuthenticationDao
            </value>
        </property>
        <property name="transactionManager">
            <ref bean="transactionManager" />
        </property>
        <property name="target">
            <bean class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />
        </property>
        <property name="transactionAttributes">
            <props>
                <prop key="*">${server.transaction.mode.default}</prop>
            </props>
        </property>
    </bean>
</beans>

- tomcat/shared/classes/alfresco/extension/file-servers-custom.xml
<alfresco-config area="file-servers">
   <config evaluator="string-compare" condition="CIFS Server">
      <host name="${localname}_A" domain="MYDOMAIN"/>
   </config>
   <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="enterprise">
        <KDC>kdcserver.mydomain.priv</KDC>
        <Realm>MYDOMAIN.PRIV</Realm>
        <Password>mypassword</Password>
      </authenticator>
   </config>
</alfresco-config>

The Kerberos server is up and running. I could add some users and authenticate with them in the web interface. I added a special user "cifs/ged2_a" (ged2 is the name of the server where Alfresco is installed). In the Kerberos logfile, I could see that this user is used when Alfresco is started.

All authentication works (web client, FTP, WebDAV), but CIFS fails.

Log when trying to log in from a Windows box:
15:37:29,428 DEBUG [alfresco.smb.protocol] TCP-SMB session request received from 192.168.1.65
15:37:29,439 DEBUG [alfresco.smb.protocol] Waiting for TCP-SMB session request …
15:37:29,439 DEBUG [alfresco.smb.protocol] Server session started
15:37:29,441 DEBUG [alfresco.smb.protocol] Negotiated SMB dialect - NT LM 0.12
15:37:29,488 DEBUG [alfresco.smb.protocol] Assigned protocol handler - org.alfresco.filesys.smb.server.NTProtocolHandler
15:37:29,491 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=1488, UID=0, PID=65279
15:37:29,590 DEBUG [smb.protocol.auth] User  logged on  (type Normal)
15:37:29,592 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=1496, UID=0, PID=65279
15:37:29,596 WARN  [smb.protocol.auth] Authentication component does not support MD4 password hashes

Log when trying to log in with smbclient:
smbclient //ged2/Alfresco -k
I must use 'ged2' instead of 'ged2_a', because smbclient is unable to resolve the ged2_a address.
11:37:45,609 DEBUG [alfresco.smb.protocol] TCP-SMB session request received from 192.168.1.206
11:37:45,609 DEBUG [alfresco.smb.protocol] Waiting for TCP-SMB session request …
11:37:45,609 DEBUG [alfresco.smb.protocol] Server session started
11:37:45,621 DEBUG [alfresco.smb.protocol] Negotiated SMB dialect - NT LM 0.12
11:37:45,621 DEBUG [alfresco.smb.protocol] Assigned protocol handler - org.alfresco.filesys.smb.server.NTProtocolHandler
11:37:45,625 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=2, UID=0, PID=2876
GSSException: No valid credentials provided
  No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
11:37:45,656 ERROR [alfresco.smb.protocol] Closing session due to exception
java.lang.NullPointerException
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1054)
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:624)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:399)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:213)
        at org.alfresco.filesys.smb.server.SMBSrvSession.run(SMBSrvSession.java:1554)
        at java.lang.Thread.run(Thread.java:595)
Is it possible to configure CIFS to use Kerberos without using NTLM and Active Directory? Is there something special to configure on the Kerberos server and client?
Do you have any hints? This is the only issue we have encountered on this project.

hfrank
Champ in-the-making
Any comments from the Alfresco team?

lme
Champ in-the-making
Hello,

I solved my problem by using Samba with an LDAP backend.

- webclient, WebDAV and FTP: LDAP authentication
- CIFS: passthru to a Samba server which uses LDAP as a backend

Hope this helps.


Laurent

hfrank
Champ in-the-making
Hi, Laurent
Thanks for your reply.
Could you share your configuration file with us?
Thanks in advance.

Frank

andy
Champ on-the-rise
Hi

This is now fixed for single sign on as CIFS can authenticate Kerberos tickets.

Regards

Andy

dcrossma
Champ in-the-making
CIFS does not work with kerberos authentication.

We have successfully set up chaining authentication using alfresco and jaas/kerberos authentication. We can log in to the web client as local or Active directory users.

I followed the instructions in the wiki for CIFS/kerberos.
http://wiki.alfresco.com/wiki/Configuring_the_CIFS_server_for_Kerberos/Active_Directory_integration

When a user tries to map to the CIFS server we get the following:


13:41:25,224 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=8, UID=0, PID=65279
13:41:25,224 DEBUG [smb.protocol.auth] User  logged on  (type Normal)
13:41:25,224 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=16, UID=0, PID=65279
13:41:25,240 DEBUG [smb.protocol.auth] Null logon
13:41:25,240 DEBUG [smb.protocol.auth] Logged on using NTLMSSP/NTLMv2SessKey
13:41:25,240 DEBUG [smb.protocol.auth] User  logged on  (type Null)
13:41:25,240 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=32, UID=0, PID=65279
13:41:25,240 DEBUG [smb.protocol.auth] User  logged on  (type Normal)
13:41:25,240 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=40, UID=0, PID=65279
13:41:25,240 WARN  [smb.protocol.auth] User does not exist, dcrossma
13:41:29,161 DEBUG [alfresco.smb.protocol] Winsock NetBIOS session request received, caller=[MILKFISH:WorkStation,Unique,]
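
The log excerpts quoted in this thread, run through a small triage script that attributes each authentication message to the SPNEGO session setup that preceded it. This is an added example, not part of any post and not Alfresco code; the labels and function names are this example's own, and it assumes lines from different sessions are not interleaved.

```python
import re

# Excerpt of the Alfresco CIFS debug log lines quoted in the posts above.
SAMPLE_LOG = """\
11:37:45,625 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=2, UID=0, PID=2876
GSSException: No valid credentials provided
  No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
11:37:45,656 ERROR [alfresco.smb.protocol] Closing session due to exception
15:37:29,592 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=1496, UID=0, PID=65279
15:37:29,596 WARN  [smb.protocol.auth] Authentication component does not support MD4 password hashes
13:41:25,224 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=16, UID=0, PID=65279
13:41:25,240 DEBUG [smb.protocol.auth] Logged on using NTLMSSP/NTLMv2SessKey
13:41:25,240 DEBUG [smb.protocol.auth] NT Session setup SPNEGO, MID=40, UID=0, PID=65279
13:41:25,240 WARN  [smb.protocol.auth] User does not exist, dcrossma
"""

SETUP = re.compile(r"NT Session setup SPNEGO, MID=(\d+), UID=\d+, PID=(\d+)")

# Message substring -> label. The labels are this example's own names.
SIGNATURES = [
    ("Failed to find any Kerberos Key", "kerberos-key-not-found"),
    ("does not support MD4 password hashes", "md4-hash-unsupported"),
    ("Logged on using NTLMSSP", "ntlm-logon"),
    ("User does not exist", "unknown-user"),
    ("Closing session due to exception", "session-aborted"),
]

def triage(log_text):
    """Return [(pid, mid, label), ...], attributing each matched line to the
    most recent SPNEGO session setup seen (assumes non-interleaved output)."""
    findings, current = [], (None, None)
    for line in log_text.splitlines():
        m = SETUP.search(line)
        if m:
            current = (int(m.group(2)), int(m.group(1)))
            continue
        for needle, label in SIGNATURES:
            if needle in line:
                findings.append((*current, label))
    return findings

def ntlm_logons(findings):
    """(pid, mid) of every exchange that completed with NTLMSSP, not Kerberos."""
    return [(pid, mid) for pid, mid, label in findings if label == "ntlm-logon"]

if __name__ == "__main__":
    for pid, mid, label in triage(SAMPLE_LOG):
        print(f"PID={pid} MID={mid}: {label}")
```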

equinoxefr
Champ in-the-making
Hi

This is now fixed for single sign on as CIFS can authenticate Kerberos tickets.

Regards

Andy


Hello,

I have the same problem with Alfresco Community 1.4, how can I fix it?

Thanks
Pierre

gcoleman
Champ in-the-making
(on behalf of dcrossma)

We managed to get it working by getting rid of the chaining authentication and using passthru instead of enterprise.