Hi All!
I have a RHEL7 server with Alfresco 5.2. The web GUI works well with Windows 2016 AD users, but CIFS isn't working with AD users. CIFS is working with the admin (local) user.
I need both functionalities: the web GUI, and CIFS with AD authentication.
Does anyone have a live sample configuration? Or... What is the error in this configuration?
Please help me! Thank You!
My configuration:
alfresco-global.properties
###############################
## Common Alfresco Properties #
###############################
dir.root=/opt/alfresco-community/alf_data
alfresco.context=alfresco
alfresco.host=alfresco.domain.co
alfresco.port=80
alfresco.protocol=http
share.context=share
share.host=alfresco.domain.co
share.port=80
share.protocol=http
### database connection properties ###
db.driver=org.postgresql.Driver
db.username=dbuser
db.password=dbsecret
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}
# Note: your database must also be able to accept at least this many connections. Please see your database documentation for instructions on how to configure this.
db.pool.max=275
db.pool.validate.query=SELECT 1
# The server mode. Set value here
# UNKNOWN | TEST | BACKUP | PRODUCTION
system.serverMode=UNKNOWN
### FTP Server Configuration ###
ftp.port=21
### RMI registry port for JMX ###
alfresco.rmi.services.port=50500
### External executable locations ###
ooo.exe=/opt/alfresco-community/libreoffice/program/soffice.bin
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco-community/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert
jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco-community/libreoffice
jodconverter.portNumbers=8100
### Initial admin password ###
alfresco_user_store.adminpassword=26dd7d431f43245466578ad4f3cbd73b
### E-mail site invitation setting ###
notification.email.siteinvite=false
### License location ###
dir.license.external=/opt/alfresco-community
### Solr indexing ###
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.host=localhost
solr.port.ssl=443
### Allow extended ResultSet processing
security.anyDenyDenies=false
### Smart Folders Config Properties ###
smart.folders.enabled=false
### Remote JMX (Default: disabled) ###
alfresco.jmx.connector.enabled=false
# Outbound Email Configuration
# relay host (a '#' after the value is not a comment in a .properties file, so the comment goes on its own line)
mail.host=x.x.x.x
mail.port=25
#mail.username=anonymous
#mail.password=
mail.encoding=UTF-8
mail.from.default=alfresco@domain.co
mail.smtp.auth=false
###################
########## LDAP integration ##########
#CHAIN
#authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
#AUTH
ldap.authentication.authenticateCIFS=true
passthru.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=true
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false
ntlm.authentication.sso.enabled=true
ntlm.authentication.authenticateCIFS=false
#FTP
#passthru.authentication.authenticateFTP=false
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.loc
ldap.authentication.java.naming.provider.url=ldap://domaindc1.domain.loc:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=alfrescouser,cn\=users,dc\=domain,dc\=loc
ldap.synchronization.java.naming.security.credentials=alfrescousersecret
ldap.synchronization.groupSearchBase=cn\=users,dc\=domain,dc\=loc
ldap.synchronization.userSearchBase=cn\=users,dc\=domain,dc\=loc
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=true
ldap.synchronization.java.naming.security.authentication=simple
passthru.authentication.useLocalServer=false
passthru.authentication.domain=domain.loc
# server ip (comment moved to its own line; an inline '#' would become part of the value)
passthru.authentication.servers=x.x.x.x
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=alfrescoldap
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS
###### CIFS configuration ########
cifs.disableNativeCode=false
cifs.enabled=true
cifs.domain=
cifs.hostannounce=true
cifs.serverName=alfresco.domain.co
cifs.sessionTimeout=500
cifs.ipv6.enabled=false
cifs.WINS.autoDetectEnabled=true
cifs.tcpipSMB.port=445
cifs.netBIOSSMB.namePort=137
cifs.netBIOSSMB.datagramPort=138
cifs.netBIOSSMB.sessionPort=139
I use in a similar setup:
passthru.authentication.servers=domain\\domaindc1.domain.loc
ldap.authentication.authenticateCIFS=false
IP for the server should work, but CIFS auth should be handled by passthru only
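A small lint for the posted file, written as an added example (not code from the thread or from Alfresco): it parses alfresco-global.properties the way java.util.Properties does, flags duplicated keys, inline '#' comments and typographic quotes, and then checks that exactly one member of authentication.chain has authenticateCIFS=true, as the reply above recommends. The CIFS_FLAG table and the SAMPLE excerpt are assumptions built from the property names used in the post.

```python
import re

# Constructed excerpt of the posted alfresco-global.properties, keeping its defects.
SAMPLE = """\
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
ldap.authentication.authenticateCIFS=true
passthru.authentication.authenticateCIFS=true
alfresco.authentication.authenticateCIFS=false
passthru.authentication.servers=x.x.x.x #server ip
cifs.serverName=alfresco
cifs.serverName=alfresco.domain.co
ldap.synchronization.timestampFormat=yyyyMMddHHmmss\u2019.0Z\u2019
"""

# Assumed: which property switches CIFS auth on for each chain member type in the post.
CIFS_FLAG = {
    "alfrescoNtlm": "alfresco.authentication.authenticateCIFS",
    "passthru": "passthru.authentication.authenticateCIFS",
    "ldap": "ldap.authentication.authenticateCIFS",
    "ldap-ad": "ldap.authentication.authenticateCIFS",
}

def split_property(line):
    """Split a java.util.Properties line at the first unescaped '=', ':' or blank."""
    m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
    return (m.group(1), m.group(2)) if m else (line, "")

def lint_properties(text):
    """Return findings as (line_no, kind, message); line 0 is a whole-file check."""
    findings, seen, props = [], {}, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # only whole-line comments exist in .properties
            continue
        key, value = split_property(line)
        if key in seen:                   # java.util.Properties silently keeps the LAST value
            findings.append((no, "duplicate", f"{key} already set on line {seen[key]}; last value wins"))
        seen[key] = no
        if " #" in value:                 # a '#' after the separator is part of the value
            findings.append((no, "inline-comment", f"{key} value ends with '{value[value.index(' #'):]}'"))
        if any(ch in value for ch in "\u2018\u2019\u201c\u201d"):
            findings.append((no, "smart-quote", f"{key}: typographic quote in value, use ASCII '"))
        props[key] = value
    # Exactly one chain member should authenticate CIFS (the reply suggests passthru only).
    members = [m.strip().partition(":") for m in props.get("authentication.chain", "").split(",")]
    cifs = [alias for alias, _, typ in members if props.get(CIFS_FLAG.get(typ, ""), "").lower() == "true"]
    if len(cifs) != 1:
        findings.append((0, "cifs-chain", f"{len(cifs)} chain members authenticate CIFS {cifs}; expected exactly one"))
    return findings
```

Run it against the real file with `lint_properties(open("alfresco-global.properties").read())`; on the excerpt above it reports the inline comment, the duplicated cifs.serverName, the curly quotes and two chain members (passthru1 and ldap1) both claiming CIFS.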
Thank You for response!
I tried it. Unfortunately, it does not work for me. I set up this:
ldap.authentication.authenticateCIFS=false
passthru.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=true
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false
ntlm.authentication.sso.enabled=false
ntlm.authentication.authenticateCIFS=false
2017-05-31 14:48:01,216 ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker14] org.alfresco.jlan.smb.SMBException: Invalid parameter
Just asking: have you already tweaked the client's registry to use SMBv1? Alfresco is only able to offer SMBv1, not SMBv2.
Hmm. Thank You for idea. I will check it soon.
I have an Ubuntu 16.04 LTS client and a Windows 10 client. The admin user's CIFS share login is OK on Linux and Windows, but AD users are not working.
Did you ever find a fix for connecting Windows clients via AD?
I gave up on Samba and went to WebDAV... that is working well for all tested Windows clients. Just need to set the 'HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel' value to '2'.
Using passthru relies on NTLMv1, which as far as I know has been disabled / removed from the most recent Windows 10 versions / updates. Using Kerberos instead of passthru might still work, as long as you can still reactivate SMBv1, which is also disabled by default in the most recent Windows versions and probably will not be reactivatable in the next version(s). Using WebDAV + SSL is the (Alfresco) recommended alternative for mapping Alfresco as a file system. That can be combined with Kerberos for SSO when using Active Directory.