
WebDav and/or CIFS SSO

zakire
Champ in-the-making
Okay, I have been fighting with my first Alfresco installation for a week now. I have been trying both Windows and Linux. Right now I'm running Alfresco on an Ubuntu server behind another Ubuntu server with Apache and mod-jk (to be able to access Alfresco on port 443 using a valid certificate).

Right now I'm trying to get CIFS and WebDav working. I'm using LDAP-AD to sync my Active Directory accounts to Alfresco and I have been trying both with and without Passthru to authenticate my users.

I'm able to log in via the web interface with my AD account, and it seems like WebDav is working (when I ran Alfresco on Windows, WebDav also worked for about a day or two, then suddenly it stopped working for some users). Right now I'm running with Passthru as authentication and LDAP-AD just for synchronisation, and CIFS is not working at all (I can reach the share, but not authenticate; I get "ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker1] org.alfresco.jlan.smb.SMBException: Invalid parameter" in the log).

What I want is to be able to login via the web interface with my AD account and to map a network drive in Windows, preferably via CIFS, and authenticate with my already logged in credentials (SSO from an AD connected computer).

I have been reading tons of posts in this and other forums and I have tried LDAP-AD, Passthru, NTLM, Kerberos and so on, but I have not been able to achieve my goals.

Now I need your help to solve this. I really need to get this working.
Please let me know what you want to know, configuration files, log files etc.

Thanks in advance!

Regards,
Lucas

mlagneaux
Champ on-the-rise
Hello,

Could you give your alfresco-global.properties and configuration files for passthru and ldap-ad ?
Is SSO working when trying to access to Alfresco Explorer ?

zakire
Champ in-the-making
Hi and thank you for your help!

This is my alfresco-global.properties (note that I have masked passwords, server names etc.):

################################# Common Alfresco Properties ################################
dir.root=/opt/alfresco/alf_data
alfresco.context=alfresco
alfresco.host=intranet.domain.com
alfresco.port=8080
alfresco.protocol=http
share.context=share
share.host=intranet.domain.com
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.gjt.mm.mysql.Driver
db.username=alfresco
db.password=password123
db.url=jdbc:mysql://sql.domain.com:3306/alfresco?useUnicode=yes&characterEncoding=UTF-8

### FTP Server Configuration ###
ftp.enabled=true
ftp.port=21

### RMI service ports ###
alfresco.rmi.services.port=50500
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0

### External executable locations ###
ooo.exe=/opt/alfresco/libreoffice/program/soffice.bin
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert
swf.exe=/opt/alfresco/common/bin/pdf2swf
swf.languagedir=/opt/alfresco/common/japanese
jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=abc123

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=/opt/alfresco

### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443

### BPM Engine ###
system.workflow.engine.jbpm.enabled=false

### Authentication ###
#authentication.chain=alfrescoNtlm1:alfrescoNtlm, passthru1:passthru, ldap-ad1:ldap-ad
authentication.chain=ldap-ad1:ldap-ad

## NTLM ##
#alfresco.authentication.allowGuestLogin=false
#alfresco.authentication.authenticateCIFS=false
#ntlm.authentication.sso.enabled=false
#ntlm.authentication.mapUnknownUserToGuest=false

## PASSTHRU ##
#passthru.authentication.useLocalServer=false
#passthru.authentication.domain=
#passthru.authentication.servers=DOMAIN.COM\\ldap.domain.com
#passthru.authentication.guestAccess=false
#passthru.authentication.defaultAdministratorUserNames=Administrator
#passthru.authentication.connectTimeout=5000
#passthru.authentication.offlineCheckInterval=300
#passthru.authentication.protocolOrder=NetBIOS,TCPIP
#passthru.authentication.authenticateCIFS=true
#passthru.authentication.authenticateFTP=true

## LDAP-AD ##
#ldap.authentication.active=false
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=userPrincipalName

### Sync AD ###
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 40 * * * ?

### SMTP ###
mail.host=mail.domain.com

### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https

### CIFS ###
cifs.enabled=true
cifs.serverName=SERVER01
cifs.domain=DOMAIN.LOCAL
cifs.hostannounce=true
cifs.ipv6.enabled=false

eswbitto
Confirmed Champ
A couple of things here…

On your Apache config did you define a virtual host for your Sharepoint to work? Also I have a similar setup. Need to make sure your SSL.conf is listening to port 7070.

Are you mapping your drive to https://intranet.domain.com/alfresco/webdav ?

Take a look at this POST and see if you need to change any steps in your apache setup.

Also… the vanilla install of Alfresco does auto-creation of users if no user exists. You can find posts on how to disable this as well. Hope this helps.

Also, for my ldap config I had to put:
ldap.authentication.userNameFormat=domainname\\%s


These are just some suggestions.

zakire
Champ in-the-making
I now understand that LDAP-AD is not supported for CIFS authentication. I will therefore try using KERBEROS.

I have followed this guide in order to set up KERBEROS: http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-...

I have also installed krb5-clients and krb5-users with the following commands:
apt-get install krb5-clients
apt-get install krb5-user


I have made the following changes to my config files:

<strong>alfresco-global.properties</strong>
### Authentication ###
authentication.chain=kerberos1:kerberos, ldap1:ldap-ad

## ALFRESCO ##
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false

## KERBEROS ##
kerberos.authentication.realm=DOMAIN.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=Password123
kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true

## LDAP-AD ##
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=DOMAIN\\%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=Password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=sAMAccountName

### Sync AD ###
ldap.synchronization.active=true
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 15 * * * ?

### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https

### CIFS ###
cifs.enabled=true
cifs.serverName=server1
cifs.domain=domain.com
cifs.hostannounce=true
cifs.ipv6.enabled=false


<strong>java.login.config</strong>
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


<strong>java.security</strong>
login.config.url.1=file:${java.home}/lib/security/java.login.config


<strong>/etc/krb5.conf</strong>
[libdefaults]
        default_realm = DOMAIN.COM

[realms]
        DOAIN.COM = {
                kdc = ldap.domain.com
                admin_server = ldap.domain.com
        }

[domain_realm]
        ldap.domain.com = DOMAIN.COM
        .ldap.domain.com = DOAIN.COM


Now I'm unable to login at all (Share, Alfresco, CIFS).

If I run <strong>kinit -V -k -t /etc/keytables/alfrescohttp.keytab HTTP/server1.domain.com@DOMAIN.COM</strong> I get the following result:
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytables/alfrescohttp.keytab
kinit: Key table entry not found while getting initial credentials


Any suggestions?

mrogers
Star Contributor
Have you created the accounts in ad?

zakire
Champ in-the-making
Yes. I have followed the guide I mentioned in my previous post.

I found out that the reason I was unable to log in was that the KERBEROS subsystem didn't start up because of some error (I don't remember exactly what the log said).

If I disabled KERBEROS SSO and CIFS, I was able to login. However, I want CIFS to work.

<strong>EDIT:</strong> After I installed ldapsearch on the Ubuntu server I no longer get an error when I run kinit (not sure if it really was ldapsearch that fixed the problem).

This is now the result of running <strong>kinit -V -k -t /etc/keytables/alfrescocifs.keytab cifs/server1.domain.com@DOMAIN.COM</strong>
Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOAIN.COM
Using keytab: /etc/keytables/alfrescocifs.keytab
Authenticated to Kerberos v5


So I now tried to enable KERBEROS CIFS again in my alfresco-global.properties:
## KERBEROS ##
kerberos.authentication.realm=DOAIN.COM
kerberos.authentication.sso.enabled=false
kerberos.authentication.authenticateCIFS=true
#kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=alfrescocifs
#kerberos.authentication.http.configEntryName=alfrescohttp
kerberos.authentication.cifs.password=Password123
#kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true


But when I start the Alfresco service, the KERBEROS subsystem is not started and it gives me the following error:
20:04:23,718 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
        at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:353)
        at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)
        at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:364)
        at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)


22:10:21,029 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
…
Caused by: KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
        … 82 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        … 85 more


20:27:51,343 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service



I have been struggling with this for over two weeks now and really need to get it working. Could it really be that hard? =(

zakire
Champ in-the-making
Okay, just to clarify a little bit.

If I run <strong>kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/server1.domain.com</strong> I get the following result:
Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
Authenticated to Kerberos v5


And if I run <strong>kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/badserver.domain.com</strong> I get the following result:
Using default cache: /tmp/krb5cc_0
Using principal: cifs/badserver.domain.com@DOAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
kinit: Client not found in Kerberos database while getting initial credentials


Everything seems to work on my Domain Controller, right?

And my <strong>java.login.config</strong> contains this:
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytabs/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};


And the output of <strong>alfresco.log</strong> is this:
15:21:07,667 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)


It looks like KERBEROS is working properly between server1 and my Domain Controller, but Alfresco is for some reason not using cifs/server1.domain.com as principal, even though I have configured that in java.login.config.

Does anyone have a clue? Thanks in advance!

<strong>EDIT: </strong>Ahhhhhhh…… I just read the documentation and it turned out it was a "typo" in <strong>alfresco-global.properties</strong>. I thought that <strong>kerberos.authentication.cifs.configEntryName</strong> was supposed to be the username… But that was not the case. It's supposed to be the name of the config entry in <strong>java.login.config</strong>, which in my case is the default: <strong>AlfrescoCIFS</strong>. Sorry 😃

Now Alfresco is starting correctly without any errors and I have enabled both KERBEROS SSO and KERBEROS CIFS authentication. I can now login to the Alfresco Share.

I can also reach Alfresco CIFS from a domain-connected computer without any problem; however, I can't log in through CIFS from a non-domain-connected computer. I get no errors in alfresco.log or catalina.out. Windows just says "Undefined error".
Any suggestions?
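The root cause found above (kerberos.authentication.cifs.configEntryName naming a JAAS entry that does not exist under that exact, case-sensitive name) and the realm spelling in /etc/krb5.conf are both things a quick consistency check over the three files can flag before restarting Alfresco, without touching the KDC. The script below is an added example, not Alfresco's code and not something posted in this thread. The file contents it checks are constructed samples that mirror the thread's misconfiguration; the rules that the CIFS entry's principal should be a cifs/<host> SPN and the HTTP entry's an HTTP/<host> SPN, and that the properties realm should match krb5.conf's default_realm, are taken from the java.login.config and properties shown in the posts above.

```python
"""Consistency check for the three files that must agree before Alfresco's
Kerberos subsystem starts: alfresco-global.properties, the JAAS login config
(java.login.config) and /etc/krb5.conf.  Added example, not Alfresco code;
the sample file contents are constructed to mirror the thread."""
import re

# Constructed sample: configEntryName points at "alfrescocifs" while the JAAS
# entry is named "AlfrescoCIFS", the mismatch that stopped the subsystem.
GLOBAL_PROPERTIES = """\
kerberos.authentication.realm=DOMAIN.COM
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.cifs.configEntryName=alfrescocifs
kerberos.authentication.http.configEntryName=AlfrescoHTTP
"""

JAAS_CONFIG = """\
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytabs/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytabs/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};
"""

# Constructed sample whose realm name differs between [libdefaults] and [realms].
KRB5_CONF = """\
[libdefaults]
        default_realm = DOMAIN.COM
[realms]
        DOAIN.COM = {
                kdc = ldap.domain.com
        }
"""


def parse_properties(text):
    """key=value lines of a Java properties file; comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


JAAS_ENTRY = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)
JAAS_OPTION = re.compile(r'(\w+)="?([^"\s;]+)"?')


def parse_jaas(text):
    """{entry_name: {option: value}} for every application entry in a JAAS config."""
    return {name: dict(JAAS_OPTION.findall(body))
            for name, body in JAAS_ENTRY.findall(text)}


def parse_krb5(text):
    """(default_realm, {realm names declared under [realms]}) from krb5.conf."""
    section, default_realm, realms = None, None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms" and line.endswith("{"):
            realms.add(line[:-1].strip().rstrip("=").strip())
    return default_realm, realms


def check(props_text, jaas_text, krb5_text):
    """Return a list of findings; an empty list means the three files agree."""
    props, jaas = parse_properties(props_text), parse_jaas(jaas_text)
    default_realm, realms = parse_krb5(krb5_text)
    findings = []
    if default_realm not in realms:
        findings.append(f"krb5.conf: default_realm {default_realm} has no [realms] "
                        f"block (declared: {sorted(realms)})")
    realm = props.get("kerberos.authentication.realm")
    if realm and realm != default_realm:
        findings.append(f"kerberos.authentication.realm={realm} differs from "
                        f"krb5.conf default_realm={default_realm}")
    # Each Alfresco service names a JAAS entry; the lookup is case-sensitive and
    # the entry's principal must be that service's SPN (cifs/... or HTTP/...).
    for service, spn_prefix in (("cifs", "cifs/"), ("http", "HTTP/")):
        key = f"kerberos.authentication.{service}.configEntryName"
        entry = props.get(key)
        if entry is None:
            continue
        if entry not in jaas:
            findings.append(f"{key}={entry}: no JAAS entry with that exact name "
                            f"(declared: {sorted(jaas)})")
            continue
        opts = jaas[entry]
        if not opts.get("principal", "").startswith(spn_prefix):
            findings.append(f"JAAS entry {entry}: principal {opts.get('principal')!r} "
                            f"is not a {spn_prefix} service principal")
        if opts.get("useKeyTab") == "true" and "keyTab" not in opts:
            findings.append(f"JAAS entry {entry}: useKeyTab=true but no keyTab path")
    return findings


if __name__ == "__main__":
    for finding in check(GLOBAL_PROPERTIES, JAAS_CONFIG, KRB5_CONF):
        print("MISMATCH:", finding)
```

Run against real files by passing their contents to check(); on the constructed samples it reports two mismatches (the missing AlfrescoCIFS entry and the realm spelling), and nothing once the entry name and realm are corrected. It does not replace kinit -k -t against the keytab, which is still the only way to prove the KDC actually knows the principal.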