Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

WebDav and/or CIFS SSO

zakire
Champ in-the-making
Champ in-the-making

‎04-08-2014 04:01 PM

Okey, I have been fighting with my first Alfresco installation for a week now. I have been trying both Windows and Linux. Right now I'm running Alfresco on an Ubuntu-server behind another Ubuntu-server with Apache and mod-jk (to be able to to access Alfresco on port 443 using a valid certificate).

Right now I'm trying to get CIFS and WebDav working. I'm using LDAP-AD to sync my Active Directory accounts to Alfresco and I have been trying both with and without Passthru to authenticate my users.

I'm able to login via the web interface with my AD account, and it seems like WebDav is working (when i ran Alfresco on Windows WebDav did also worked for about a day or two, then suddenley it stopped working for some users). Right now I'm running with Passthru as authentication and LDAP-AD just for synchronisation, and CIFS is not working at all (I can reach the share, bit not authenticate, get "ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker1] org.alfresco.jlan.smb.SMBException: Invalid parameter" in the log).

What I want is to be able to login via the web interface with my AD account and to map a network drive in Windows, preferably via CIFS, and authenticate with my already logged in credentials (SSO from an AD connected computer).

I have been reading tons of posts in this and on others forums and I have tried LDAP-AD, Passthru, NTLM, Kerberos and so on, but I have not been able to achive my goals.

No I need your help to solve this. I really need to get this working.
Please let me know what you want to know, configuration files, log files etc.

Thanks in advance!

Regards,
Lucas
Labels:
0 Kudos
7 REPLIES 7

mlagneaux
Champ on-the-rise
Champ on-the-rise

‎04-09-2014 05:03 AM

Hello,

Could you give your alfresco-global.properties and configuration files for passthru and ldap-ad ?
Is SSO working when trying to access to Alfresco Explorer ?
0 Kudos

zakire
Champ in-the-making
Champ in-the-making
In response to mlagneaux

‎04-09-2014 08:44 AM

Hi and thank you for your help!

This is my alfresco-global.proporties (note that I have masked password, servernames etc.):


###############################
## Common Alfresco Properties #
###############################

dir.root=/opt/alfresco/alf_data

alfresco.context=alfresco
alfresco.host=intranet.domain.com
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=intranet.domain.com
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.gjt.mm.mysql.Driver
db.username=alfresco
db.password=password123
db.url=jdbc:mysql://sql.domain.com:3306/alfresco?useUnicode=yes&characterEncoding=UTF-8

### FTP Server Configuration ###
ftp.enabled=true
ftp.port=21

### RMI service ports ###
alfresco.rmi.services.port=50500
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0

### External executable locations ###
ooo.exe=/opt/alfresco/libreoffice/program/soffice.bin
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert
swf.exe=/opt/alfresco/common/bin/pdf2swf
swf.languagedir=/opt/alfresco/common/japanese

jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=abc123

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=/opt/alfresco

### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443

### BPM Engine ###
system.workflow.engine.jbpm.enabled=false

### Authentication ###
#authentication.chain=alfrescoNtlm1:alfrescoNtlm, passthru1:passthru, ldap-ad1:ldap-ad
authentication.chain=ldap-ad1:ldap-ad

## NTLM ##
#alfresco.authentication.allowGuestLogin=false
#alfresco.authentication.authenticateCIFS=false
#ntlm.authentication.sso.enabled=false
#ntlm.authentication.mapUnknownUserToGuest=false

## PASSTHRU ##
#passthru.authentication.useLocalServer=false
#passthru.authentication.domain=
#passthru.authentication.servers=DOMAIN.COM\\ldap.domain.com
#passthru.authentication.guestAccess=false
#passthru.authentication.defaultAdministratorUserNames=Administrator
#passthru.authentication.connectTimeout=5000
#passthru.authentication.offlineCheckInterval=300
#passthru.authentication.protocolOrder=NetBIOS,TCPIP
#passthru.authentication.authenticateCIFS=true
#passthru.authentication.authenticateFTP=true

## LDAP-AD ##
#ldap.authentication.active=false
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=userPrincipalName

### Sync AD ###
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 40 * * * ?

### SMTP ###
mail.host=mail.domain.com

### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https

### CIFS ###
cifs.enabled=true
cifs.serverName=SERVER01
cifs.domain=DOMAIN.LOCAL
cifs.hostannounce=true
cifs.ipv6.enabled=false
0 Kudos

eswbitto
Confirmed Champ
Confirmed Champ

‎04-10-2014 12:20 PM

A couple of things here…

On your Apache config did you define a virtual host for your Sharepoint to work? Also I have a similar setup. Need to make sure your SSL.conf is listening to port 7070.

Are you mapping your drive to https://intranet.domain.com/alfresco/webdav

Take a look at this POST and see if you need to change any steps in your apache setup.

Also…The vanilla install of Alfresco does a auto creation of users if no users exists. You can find posts on how to disable this as well. Hope this helps.

Also for my ldap config I had to put.

ldap.authentication.userNameFormat=domainname\\%s


These are just some suggestions.
0 Kudos

zakire
Champ in-the-making
Champ in-the-making

‎04-18-2014 05:58 PM

I have now understand that LDAP-AD is not supported in CIFS authentication. I will therefore try using KERBEROS.

I have followed this guide in order to set up KERBEROS: http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-...

I have also installed krb5-clients and krb5-users with the following commands:
apt-get install krb5-clients
apt-get install krb5-user


I have made the following changes to my config files:

<strong>alfresco-global.proporties</strong>
### Authentication ###
authentication.chain=kerberos1:kerberos, ldap1:ldap-ad

## ALFRESCO ##
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false

## KERBEROS ##
kerberos.authentication.realm=DOMAIN.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=Password123
kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true

## LDAP-AD ##
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=DOMAIN\\%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=Password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=sAMAccountName

### Sync AD ###
ldap.synchronization.active=true
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 15 * * * ?

### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https

### CIFS ###
cifs.enabled=true
cifs.serverName=server1
cifs.domain=domain.com
cifs.hostannounce=true
cifs.ipv6.enabled=false


<strong>java.login.config</strong>
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


<strong>java.security</strong>
login.config.url.1=file:${java.home}/lib/security/java.login.config


<strong>/etc/krb5.conf</strong>
[libdefaults]
        default_realm = DOMAIN.COM

[realms]
        DOAIN.COM = {
                kdc = ldap.domain.com
                admin_server = ldap.domain.com
        }

[domain_realm]
        ldap.domain.com = DOMAIN.COM
        .ldap.domain.com = DOAIN.COM


Now I'm unable to login at all (Share, Alfresco, CIFS).

If I run <strong>kinit -V -k -t /etc/keytables/alfrescohttp.keytab HTTP/server1.domain.com@DOMAIN.COM</strong> I get the following result:
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytables/alfrescohttp.keytab
kinit: Key table entry not found while getting initial credentials


Any suggestions?
0 Kudos

mrogers
Star Contributor
Star Contributor

‎04-19-2014 06:30 PM

Have you created the accounts in ad?
0 Kudos

zakire
Champ in-the-making
Champ in-the-making
In response to mrogers

‎04-20-2014 02:17 PM

Yes. I have followed the guide I mentioned in my previous post.

I found out that the reason I was unable to login was that the KERBEROS subsystem didn't start up because of some error (don't remember what the log did say exactly).

If I disabled KERBEROS SSO and CIFS, I was able to login. However, I want CIFS to work.

<strong>EDIT:</strong> After I installed ldapsearch on the Ubuntu server I do no longer get error when I run kinit (not sure if it really was ldapsearch that fixed the problem).

This is now the result of running <strong>kinit -V -k -t /etc/keytables/alfrescocifs.keytab cifs/server1.domain.com@DOMAIN.COM</strong>
Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOAIN.COM
Using keytab: /etc/keytables/alfrescocifs.keytab
Authenticated to Kerberos v5


So I now tried to enable KERBEROS CIFS again in my alfresco-global.properties:
## KERBEROS ##
kerberos.authentication.realm=DOAIN.COM
kerberos.authentication.sso.enabled=false
kerberos.authentication.authenticateCIFS=true
#kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=alfrescocifs
#kerberos.authentication.http.configEntryName=alfrescohttp
kerberos.authentication.cifs.password=Password123
#kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true


But when I start Alfresco service, KERBEROS substystem is not started and it gives me the following error:
20:04:23,718 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
        at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:353)
        at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)
        at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:364)
        at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)


22:10:21,029 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)


Caused by: KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
        … 82 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        … 85 more


ERROR [20:27:51,343 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service] CIFS Kerberos authenticator error



I have been struggling with this for over two weeks now and really need to get it working. Could it really be that hard? =(
0 Kudos

zakire
Champ in-the-making
Champ in-the-making

‎04-21-2014 09:37 AM

Okey, just to clarify a little bit.

If i run <strong>kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/server1.domain.com</strong> I get the following result:
Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
Authenticated to Kerberos v5


And if I run <strong>kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/badserver.domain.com</strong> I get the following result:
Using default cache: /tmp/krb5cc_0
Using principal: cifs/badserver.domain.com@DOAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
kinit: Client not found in Kerberos database while getting initial credentials


Everything seems to work on my Domain Controller, right?

And my <strong>java.login.config</strong> contains this:
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytabs/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};


And the output of <strong>alfresco.log</strong> is this:
15:21:07,667 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)


It looks like that KERBEROS is working properly between server1 and my Domain Controller, but Alfresco is for some reason not using cifs/server1.domain.com as principal, despite that I have configured that in java.login.config.

Does anyone has a clue? Thanks in advance!

<strong>EDIT: </strong>Ahhhhhhh…… I just read the documentation and it all turned out it was a "typo" in <strong>alfresco-global.proporties</strong>. I thought that <strong>kerberos.authentication.cifs.configEntryName</strong> was supposed to be the username… But that was not the case. It's supposed to be the name of the config entry in <strong>java.login.config</strong>, which in my case is the default; <strong>AlfrescoCIFS</strong>. Sorry 😃

Now Alfresco is starting correctly without any errors and I have enabled both KERBEROS SSO and KERBEROS CIFS authentication. I can now login to the Alfresco Share.

I can also reach Alfresco CIFS from a domain connected computer without any problem, how ever I can't login throught CIFS from a non domain connected computer. I get no errors in alfresco.log or catalina.out. Windows just saying "Undefined error".
Any suggestions?
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2025 Khoros, LLC