WebDav and/or CIFS SSO

Okay, I have been fighting with my first Alfresco installation for a week now. I have been trying both Windows and Linux. Right now I'm running Alfresco on an Ubuntu server behind another Ubuntu server with Apache and mod_jk (to be able to access Alfresco on port 443 using a valid certificate).

Right now I'm trying to get CIFS and WebDav working. I'm using LDAP-AD to sync my Active Directory accounts to Alfresco and I have been trying both with and without Passthru to authenticate my users.

I'm able to log in via the web interface with my AD account, and it seems like WebDav is working (when I ran Alfresco on Windows, WebDav also worked for about a day or two, then suddenly it stopped working for some users). Right now I'm running with Passthru as authentication and LDAP-AD just for synchronisation, and CIFS is not working at all (I can reach the share, but not authenticate; I get "ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker1] org.alfresco.jlan.smb.SMBException: Invalid parameter" in the log).

What I want is to be able to log in via the web interface with my AD account and to map a network drive in Windows, preferably via CIFS, and authenticate with my already logged-in credentials (SSO from an AD-connected computer).

I have been reading tons of posts on this and other forums and I have tried LDAP-AD, Passthru, NTLM, Kerberos and so on, but I have not been able to achieve my goals.

Now I need your help to solve this. I really need to get this working.
Please let me know what you want to know, configuration files, log files etc.

Thanks in advance!

Regards,
Lucas

WebDav and/or CIFS SSO

Hello,

Could you give your alfresco-global.properties and configuration files for passthru and ldap-ad?
Is SSO working when trying to access Alfresco Explorer?

Hi and thank you for your help!

This is my alfresco-global.properties (note that I have masked passwords, server names etc.):

###############################
## Common Alfresco Properties #
###############################
 
dir.root=/opt/alfresco/alf_data
 
alfresco.context=alfresco
alfresco.host=intranet.domain.com
alfresco.port=8080
alfresco.protocol=http
 
share.context=share
share.host=intranet.domain.com
share.port=8080
share.protocol=http
 
### database connection properties ###
db.driver=org.gjt.mm.mysql.Driver
db.username=alfresco
db.password=password123
db.url=jdbc:mysql://sql.domain.com:3306/alfresco?useUnicode=yes&characterEncoding=UTF-8
 
### FTP Server Configuration ###
ftp.enabled=true
ftp.port=21
 
### RMI service ports ###
alfresco.rmi.services.port=50500
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0
 
### External executable locations ###
ooo.exe=/opt/alfresco/libreoffice/program/soffice.bin
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert
swf.exe=/opt/alfresco/common/bin/pdf2swf
swf.languagedir=/opt/alfresco/common/japanese
 
jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco/libreoffice
jodconverter.portNumbers=8100
 
### Initial admin password ###
alfresco_user_store.adminpassword=abc123
 
### E-mail site invitation setting ###
notification.email.siteinvite=false
 
### License location ###
dir.license.external=/opt/alfresco
 
### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443
 
### BPM Engine ###
system.workflow.engine.jbpm.enabled=false
 
### Authentication ###
#authentication.chain=alfrescoNtlm1:alfrescoNtlm, passthru1:passthru, ldap-ad1:ldap-ad
authentication.chain=ldap-ad1:ldap-ad
 
## NTLM ##
#alfresco.authentication.allowGuestLogin=false
#alfresco.authentication.authenticateCIFS=false
#ntlm.authentication.sso.enabled=false
#ntlm.authentication.mapUnknownUserToGuest=false
 
## PASSTHRU ##
#passthru.authentication.useLocalServer=false
#passthru.authentication.domain=
#passthru.authentication.servers=DOMAIN.COM\\ldap.domain.com
#passthru.authentication.guestAccess=false
#passthru.authentication.defaultAdministratorUserNames=Administrator
#passthru.authentication.connectTimeout=5000
#passthru.authentication.offlineCheckInterval=300
#passthru.authentication.protocolOrder=NetBIOS,TCPIP
#passthru.authentication.authenticateCIFS=true
#passthru.authentication.authenticateFTP=true
 
## LDAP-AD ##
#ldap.authentication.active=false
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=userPrincipalName
 
### Sync AD ###
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 40 * * * ?
 
### SMTP ###
mail.host=mail.domain.com
 
### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https
 
### CIFS ###
cifs.enabled=true
cifs.serverName=SERVER01
cifs.domain=DOMAIN.LOCAL
cifs.hostannounce=true
cifs.ipv6.enabled=false

A couple of things here...

In your Apache config, did you define a virtual host for your SharePoint to work? Also, I have a similar setup. Need to make sure your ssl.conf is listening on port 7070.

Are you mapping your drive to https://intranet.domain.com/alfresco/webdav?

Take a look at this POST and see if you need to change any steps in your apache setup.

Also... the vanilla install of Alfresco does an auto-creation of users if no users exist. You can find posts on how to disable this as well. Hope this helps.

Also, for my LDAP config I had to put:

ldap.authentication.userNameFormat=domainname\\%s

These are just some suggestions.

I have now understood that LDAP-AD is not supported for CIFS authentication. I will therefore try using KERBEROS.

I have followed this guide in order to set up KERBEROS: http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-ADconfig.html

I have also installed krb5-clients and krb5-users with the following commands:

apt-get install krb5-clients
apt-get install krb5-user

I have made the following changes to my config files:

alfresco-global.properties

### Authentication ###
authentication.chain=kerberos1:kerberos, ldap1:ldap-ad
 
## ALFRESCO ##
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false
 
## KERBEROS ##
kerberos.authentication.realm=DOMAIN.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=Password123
kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true
 
## LDAP-AD ##
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=DOMAIN\\%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldapuser@domain.com
ldap.synchronization.java.naming.security.credentials=Password123
ldap.synchronization.groupSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=Company,dc=domain,dc=com
ldap.synchronization.userIdAttributeName=sAMAccountName
 
### Sync AD ###
ldap.synchronization.active=true
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 15 * * * ?
 
### SharePoint Protocol ###
vti.server.port=7070
vti.server.external.host=sharepoint.domain.com
vti.server.external.port=443
vti.server.external.protocol=https
 
### CIFS ###
cifs.enabled=true
cifs.serverName=server1
cifs.domain=domain.com
cifs.hostannounce=true
cifs.ipv6.enabled=false

java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
 
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescocifs.keytab"
   principal="cifs/server1.domain.com";
};
 
AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};
 
ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keytables/alfrescohttp.keytab"
   principal="HTTP/server1.domain.com";
};
 
com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
 
other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

java.security

login.config.url.1=file:${java.home}/lib/security/java.login.config

/etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.COM
 
[realms]
        DOAIN.COM = {
                kdc = ldap.domain.com
                admin_server = ldap.domain.com
        }
 
[domain_realm]
        ldap.domain.com = DOMAIN.COM
        .ldap.domain.com = DOAIN.COM

Now I'm unable to log in at all (Share, Alfresco, CIFS).

If I run kinit -V -k -t /etc/keytables/alfrescohttp.keytab HTTP/server1.domain.com@DOMAIN.COM I get the following result:

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytables/alfrescohttp.keytab
kinit: Key table entry not found while getting initial credentials

Any suggestions?

Have you created the accounts in AD?

Senior Software Engineer
Alfresco

Yes. I have followed the guide I mentioned in my previous post.

I found out that the reason I was unable to log in was that the KERBEROS subsystem didn't start up because of some error (I don't remember exactly what the log said).

If I disabled KERBEROS SSO and CIFS, I was able to log in. However, I want CIFS to work.

EDIT: After I installed ldapsearch on the Ubuntu server, I no longer get an error when I run kinit (not sure if it really was ldapsearch that fixed the problem).

This is now the result of running kinit -V -k -t /etc/keytables/alfrescocifs.keytab cifs/server1.domain.com@DOMAIN.COM:

Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOAIN.COM
Using keytab: /etc/keytables/alfrescocifs.keytab
Authenticated to Kerberos v5

So I now tried to enable KERBEROS CIFS again in my alfresco-global.properties:

## KERBEROS ##
kerberos.authentication.realm=DOAIN.COM
kerberos.authentication.sso.enabled=false
kerberos.authentication.authenticateCIFS=true
#kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=alfrescocifs
#kerberos.authentication.http.configEntryName=alfrescohttp
kerberos.authentication.cifs.password=Password123
#kerberos.authentication.http.password=Password123
kerberos.authentication.defaultAdministratorUserNames=Administrator
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true

But when I start the Alfresco service, the KERBEROS subsystem is not started and it gives me the following error:

20:04:23,718 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:353)
at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:364)
at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.afterPropertiesSet(CifsAuthenticatorBase.java:278)

22:10:21,029 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
...
...
Caused by: KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
        ... 82 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        ... 85 more

ERROR [20:27:51,343 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service] CIFS Kerberos authenticator error
 

I have been struggling with this for over two weeks now and really need to get it working. Could it really be that hard? =(

Okay, just to clarify a little bit.

If I run kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/server1.domain.com I get the following result:

Using default cache: /tmp/krb5cc_0
Using principal: cifs/server1.domain.com@DOMAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
Authenticated to Kerberos v5

And if I run kinit -V -v -k -t /etc/keytabs/alfrescocifs.keytab cifs/badserver.domain.com I get the following result:

Using default cache: /tmp/krb5cc_0
Using principal: cifs/badserver.domain.com@DOAIN.COM
Using keytab: /etc/keytabs/alfrescocifs.keytab
kinit: Client not found in Kerberos database while getting initial credentials

Everything seems to work on my Domain Controller, right?

And my java.login.config contains this:

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keytabs/alfrescocifs.keytab"
principal="cifs/server1.domain.com";
};

And the output of alfresco.log is this:

15:21:07,667 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

It looks like KERBEROS is working properly between server1 and my Domain Controller, but Alfresco is for some reason not using cifs/server1.domain.com as the principal, despite my having configured that in java.login.config.

Does anyone have a clue? Thanks in advance!

EDIT: Ahhhhhhh...... I just read the documentation and it turned out it was a "typo" in alfresco-global.properties. I thought that kerberos.authentication.cifs.configEntryName was supposed to be the username... But that was not the case. It's supposed to be the name of the config entry in java.login.config, which in my case is the default: AlfrescoCIFS. Sorry =)

Now Alfresco is starting correctly without any errors and I have enabled both KERBEROS SSO and KERBEROS CIFS authentication. I can now log in to Alfresco Share.

I can also reach Alfresco CIFS from a domain-connected computer without any problem; however, I can't log in through CIFS from a non-domain-connected computer. I get no errors in alfresco.log or catalina.out. Windows just says "Undefined error".
Any suggestions?
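As an added illustration (not the poster's code, nor anything shipped by Alfresco), a small Python checker that parses constructed samples of alfresco-global.properties and java.login.config and flags the kind of mismatch that kept the Kerberos subsystem from starting in this thread: a kerberos.authentication.*.configEntryName that names no JAAS entry (JAAS entry names are case-sensitive, so "alfrescocifs" is not "AlfrescoCIFS"), an entry without a readable keytab, a principal that is not cifs/ or HTTP/, or a principal realm that differs from kerberos.authentication.realm. The file contents are constructed samples and the keytab_exists hook stands in for a real filesystem check.

```python
import os, re
# Constructed samples (not the poster's files) that reproduce the thread's bug:
# configEntryName points at a JAAS entry that does not exist (only the case differs).
GLOBAL_PROPS = """\
kerberos.authentication.realm=DOMAIN.COM
kerberos.authentication.cifs.configEntryName=alfrescocifs
kerberos.authentication.http.configEntryName=AlfrescoHTTP
"""
JAAS_CONF = """\
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true
   keyTab="/etc/keytabs/alfrescocifs.keytab" principal="cifs/server1.domain.com";
};
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true
   keyTab="/etc/keytabs/alfrescohttp.keytab" principal="HTTP/server1.domain.com@DOAIN.COM";
};
"""

def parse_properties(text):  # key=value lines; '#' comments and blanks are skipped
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)   # Name { ... };
OPT_RE = re.compile(r'(\w+)="?([^"\s;]+)"?')          # opt=value or opt="value"

def parse_jaas(text):  # entry name -> {option: value}
    return {name: dict(OPT_RE.findall(body)) for name, body in ENTRY_RE.findall(text)}

def check(props, jaas, keytab_exists=os.path.isfile):
    """Return a list of findings; an empty list means the CIFS/HTTP Kerberos wiring is consistent."""
    findings = []
    realm = props.get("kerberos.authentication.realm", "")
    for svc in ("cifs", "http"):
        key = f"kerberos.authentication.{svc}.configEntryName"
        name = props.get(key, "")
        entry = jaas.get(name)
        if entry is None:  # JAAS entry names are case-sensitive
            near = [n for n in jaas if n.lower() == name.lower()]
            findings.append(f"{key}={name}: no such JAAS entry" + (f", did you mean {near[0]}?" if near else ""))
            continue
        if entry.get("useKeyTab") != "true" or not keytab_exists(entry.get("keyTab", "")):
            findings.append(f"{name}: needs useKeyTab=true and a readable keyTab")
        princ = entry.get("principal", "")
        if not princ.lower().startswith(svc + "/"):
            findings.append(f"{name}: principal {princ!r} should be {svc}/<server fqdn>")
        if "@" in princ and princ.rsplit("@", 1)[1] != realm:
            findings.append(f"{name}: principal realm does not match {realm}")
    return findings
```

Run it against the real files by reading them into parse_properties and parse_jaas and leaving keytab_exists at its default; every finding is something the Alfresco log would otherwise only report as "Failed to login CIFS server service".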
