
[ERROR]Alfresco Engineers: CIFS auth does not work. Sugg?

Question asked by meansartin14 on Jan 13, 2009
Latest reply on Jun 1, 2009 by rrb_2
Purpose:
This thread is an attempt to resolve an issue that appears to plague many of us: CIFS server authentication configuration. Hopefully, this thread will come in handy to all of those who have posted about their various CIFS configurations not working. If possible, I would also like to create a wiki from this thread. To accomplish this goal, I will provide as much detail as I can because, regardless of significant efforts, I have been unable to configure CIFS to function properly in my environment at all.

Platform:
Alfresco Server
   Operating System: Red Hat Enterprise Linux 5.2
   Database: MySQL 5.0.45-community (NOTE: Came w/ RHEL 5.2 installation)
   Java: JDK 1.6.0 Update 11
   Open Office: OpenOffice.org 2.3
Alfresco
   Current Version: Labs 3c
   Versions Tried: Community 2.9.0B, Enterprise 2.1 (trial), Enterprise 3.0.0 (trial)
   NOTE: Alfresco will be installed by and run under a NON-ROOT account. Configuration has been applied to forward requests on standard root-privileged ports to non-root ports, per the Running SMB/CIFS from a normal user account wiki.
Client PCs
   Operating System(s): Windows XP Professional SP3 (80% of client PCs), Windows XP Professional x64 SP2 (20% of client PCs)
   Login Authentication: Windows Server 2003 Active Directory server
   Web Browser: Firefox 3.0.5

Objective:
I would simply like to configure Alfresco Labs 3c to do the following:
   a) Authenticate against Active Directory server and allow single sign-on (SSO) for the Alfresco Web Interface
   b) Authenticate against Active Directory server and allow "Map Network Drive" on client PCs to the Alfresco CIFS server (see below picture)
   [img]http://www.ece.uwaterloo.ca/Computing/Research/Software/Samba/images/map_network_drive.jpg[/img]


Scenario 1: Issue, Output, and Configuration - Base Install CIFS Mapping Attempt:
For the purposes of this thread, I have freshly installed Alfresco Labs 3c. I then applied some general configuration to get Alfresco up and running without errors (e.g. set ALF_HOME, JAVA_HOME, running db_setup.sql on MySQL database, forcing db.url and dialect to use MySQL, setting OpenOffice location, etc).

Even at this early stage, I cannot "Map Network Drive" to the Alfresco CIFS server (\\alfserver\alfresco) successfully. Also, it is worth noting that issuing the command "alfresco.sh stop" DOES NOT stop all running Alfresco processes (a kill -9 <pid> command must be executed).

Output to alfresco.log (NOTE: log4j.properties org.alfresco.smb.protocol.auth=debug is ACTIVE)
"Map Network Drive" (Drive: Z: ; Folder: \\alfserver\alfresco), click Finish
12:52:43,303 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
12:52:43,303 DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=985,Authenticator=EncType=23,Kvno=-1,Len=181]
12:52:43,303 DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
12:52:43,303 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
12:52:43,303 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
12:52:43,306 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
12:52:43,306 DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=1020,Authenticator=EncType=23,Kvno=-1,Len=176]
12:52:43,306 DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
12:52:43,306 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
12:52:43,306 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException

"Map Network Drive" (Drive: Z: ; Folder: \\alfserver\alfresco), click "Connect using a different user name" (User name: Alfresco\<user>); Note that <user> has already been added via Alfresco Web Interface AND that <user> is the same value entered when logging into the client PC.
12:54:37,200 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
12:54:37,201 DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=985,Authenticator=EncType=23,Kvno=-1,Len=181]
12:54:37,201 DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
12:54:37,201 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
12:54:37,201 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
12:54:39,466 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
12:54:39,476 DEBUG [org.alfresco.smb.protocol.auth] User  logged on  (type Normal)
12:54:39,478 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=24, UID=0, PID=65279
12:54:39,631 DEBUG [org.alfresco.smb.protocol.auth] Logged on using NTLMSSP/NTLMv2
12:54:39,633 DEBUG [org.alfresco.smb.protocol.auth] User <user> logged on  (type Normal)
12:54:39,634 DEBUG [org.alfresco.smb.protocol.auth] Allocated UID=0 for VC=[0:0,[<user>:null,Windows XP 3790 Service Pack 2,,<client pc ip>],Tree=0,Searches=0]

The following are ALL of the configuration files I have changed since freshly installing Alfresco Labs 3c:
/opt/alfresco/alfresco.sh
#!/bin/sh
ALF_HOME=/opt/alfresco
cd "$ALF_HOME"
APPSERVER="${ALF_HOME}/tomcat"
export JAVA_HOME="/usr/local/java/jdk1.6.0_11"
export JAVA_OPTS='-Xms128m -Xmx1024m -XX:MaxPermSize=128m -server'
if [ "$1" = "start" ]; then
  "${APPSERVER}/bin/startup.sh"
elif [ "$1" = "stop" ]; then
  "${APPSERVER}/bin/shutdown.sh"
fi

/opt/alfresco/tomcat/shared/classes/alfresco/extension/custom-repository.properties
#########################################
# Override Alfresco Repository Settings #
#########################################
# Force fully-qualified path
dir.root=/opt/alfresco/alf_data
# Set MySQL database attributes
db.username=alfresco
db.password=alfresco
db.pool.initial=10
db.pool.max=100
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://localhost/alfresco
# Set email attributes
mail.host=popserver.my.domain.com
mail.port=25
mail.username=
mail.password=
mail.encoding=UTF-8
mail.header=
mail.from.default=alfresco-admin@alfserver

/opt/alfresco/tomcat/shared/classes/alfresco/extension/custom-hibernate-dialect.properties
######################################
# Override Hibernate dialect config  #
######################################
# MySQL dialect (default)
hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect

/opt/alfresco/tomcat/shared/classes/alfresco/extension/bootstrap/openoffice-startup-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   <bean id="openOfficeStartupBootstrap" class="org.alfresco.util.exec.RuntimeExecBootstrapBean" >
      <property name="startupCommands">
         <list><ref bean="openOfficeStartupCommand" /></list>
      </property>
      <property name="failOnError">
         <value>false</value>
      </property>
   </bean>

   <bean id="openOfficeStartupCommand" class="org.alfresco.util.exec.RuntimeExec">
      <property name="commandMap">
         <map>
            <entry key=".*">
               <value><![CDATA[soffice -accept=socket,host=localhost,port=8100;urp;StarOffice.ServiceManager -env:UserInstallation=file://oouser -nologo -headless -nofirststartwizard -nocrashrep -norestore]]></value>
            </entry>
         </map>
      </property>
      <property name="waitForCompletion">
         <value>false</value>
      </property>
      <property name="errorCodes">
         <value>2</value>
      </property>
   </bean>
</beans>

/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/authentication-services-context.xml (NOTE: Set "allowGuestLogin" to "false")
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
   <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
      <property name="providers"> <list> <ref bean="authenticatedAuthenticationPassthroughProvider" /> <ref bean="daoAuthenticationProvider" /> </list> </property>
   </bean>

   <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="authenticationDao"> <ref bean="authenticationDao" /> </property>
      <property name="saltSource">        <ref bean="saltSource" /> </property>
      <property name="passwordEncoder">   <ref bean="passwordEncoder" /> </property>
   </bean>

   <bean id="authenticatedAuthenticationPassthroughProvider" class="org.alfresco.repo.security.authentication.AuthenticatedAuthenticationPassthroughProvider" />

   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
      <property name="nodeService">       <ref bean="nodeService" /> </property>
      <property name="tenantService">     <ref bean="tenantService"/> </property>
      <property name="dictionaryService"> <ref bean="dictionaryService" /> </property>
      <property name="namespaceService">  <ref bean="namespaceService" /> </property>
      <property name="searchService">     <ref bean="admSearchService" /> </property>
      <property name="retryingTransactionHelper"> <ref bean="retryingTransactionHelper"/> </property>
      <property name="userNamesAreCaseSensitive"> <value>${user.name.caseSensitive}</value> </property>
      <property name="passwordEncoder">   <ref bean="passwordEncoder" /> </property>
   </bean>

   <alias alias="saltSource" name="authenticationDao"/>

   <bean id="passwordEncoder" class="org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl"></bean>

   <bean id="authenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
      <property name="authenticationDao"> <ref bean="authenticationDao" /> </property>
      <property name="ticketComponent">   <ref bean="ticketComponent" /> </property>
      <property name="authenticationComponent"> <ref bean="authenticationComponent" /> </property>
      <property name="sysAdminCache">     <ref bean="sysAdminCache"/> </property>
   </bean>

   <bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
      <property name="proxyInterfaces">    <value>org.alfresco.repo.security.authentication.AuthenticationComponent</value> </property>
      <property name="transactionManager"> <ref bean="transactionManager" /> </property>
      <property name="target">             <ref bean="authenticationComponent" /> </property>
      <property name="transactionAttributes"> <props> <prop key="*">${server.transaction.mode.default}</prop> </props> </property>
   </bean>

   <bean id="authenticationComponentBase" abstract="true">
      <property name="tenantService"> <ref bean="tenantService"/> </property>
   </bean>
  
   <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl" parent="authenticationComponentBase">
      <property name="authenticationDao">     <ref bean="authenticationDao" /> </property>
      <property name="authenticationManager"> <ref bean="authenticationManager" /> </property>
      <property name="allowGuestLogin">       <value>false</value> </property>
      <property name="nodeService">           <ref bean="nodeService" /> </property>
      <property name="personService">         <ref bean="personService" /> </property>
      <property name="transactionService">    <ref bean="transactionService" /> </property>
   </bean>

   <bean id="personDaoImpl" class="org.alfresco.repo.security.person.PersonDaoImpl">
      <property name="sessionFactory"> <ref bean="sessionFactory" /> </property>
      <property name="localeDAO">      <ref bean="localeDAO" /> </property>
      <property name="qnameDAO">       <ref bean="qnameDAO" /> </property>
      <property name="dictionaryService"> <ref bean="dictionaryService" /> </property>
   </bean>

   <bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl" init-method="init">
      <property name="transactionService"> <ref bean="transactionService" /> </property>
      <property name="nodeService"> <ref bean="nodeService" /> </property>
      <property name="tenantService"> <ref bean="tenantService"/> </property>
      <property name="searchService"> <ref bean="admSearchService" /> </property>
      <property name="permissionServiceSPI"> <ref bean="permissionServiceImpl" /> </property>
      <property name="authorityService"> <ref bean="authorityService" /> </property>
      <property name="dictionaryService"> <ref bean="dictionaryService" /> </property>
      <property name="namespacePrefixResolver"> <ref bean="namespaceService" /> </property>
      <property name="policyComponent"> <ref bean="policyComponent"/> </property>
      <property name="personCache"> <ref bean="personCache" /> </property>
      <property name="personDao"> <ref bean="personDaoImpl" /> </property>
      <property name="storeUrl"> <value>${spaces.store}</value> </property>
      <property name="createMissingPeople"> <value>${server.transaction.allow-writes}</value> </property>
      <property name="userNamesAreCaseSensitive"> <value>${user.name.caseSensitive}</value> </property>
      <property name="processDuplicates"> <value>true</value> </property>
      <property name="duplicateMode"> <value>SPLIT</value> </property>
      <property name="lastIsBest"> <value>true</value> </property>
      <property name="includeAutoCreated"> <value>false</value> </property>
   </bean>

   <bean name="homeFolderManager" class="org.alfresco.repo.security.person.HomeFolderManager">
      <property name="nodeService"> <ref bean="nodeService" /> </property>
      <property name="policyComponent"> <ref bean="policyComponent" /> </property>
      <property name="defaultProvider"> <ref bean="userHomesHomeFolderProvider" /> </property>
   </bean>

   <bean name="companyHomeFolderProvider" class="org.alfresco.repo.security.person.ExistingPathBasedHomeFolderProvider">
      <property name="serviceRegistry"> <ref bean="ServiceRegistry" /> </property>
      <property name="path"> <value>/${spaces.company_home.childname}</value> </property>
      <property name="storeUrl"> <value>${spaces.store}</value> </property>
      <property name="homeFolderManager"> <ref bean="homeFolderManager" /> </property>
   </bean>

   <bean name="guestHomeFolderProvider" class="org.alfresco.repo.security.person.ExistingPathBasedHomeFolderProvider">
      <property name="serviceRegistry"> <ref bean="ServiceRegistry" /> </property>
      <property name="path"> <value>/${spaces.company_home.childname}/${spaces.guest_home.childname}</value> </property>
      <property name="storeUrl"> <value>${spaces.store}</value> </property>
      <property name="homeFolderManager"> <ref bean="homeFolderManager" /> </property>
      <property name="userPermissions"> <set> <value>Consumer</value> </set> </property>
   </bean>

   <bean name="bootstrapHomeFolderProvider" class="org.alfresco.repo.security.person.BootstrapHomeFolderProvider">
      <property name="homeFolderManager"> <ref bean="homeFolderManager" /> </property>
   </bean>

   <bean name="personalHomeFolderProvider" class="org.alfresco.repo.security.person.UIDBasedHomeFolderProvider">
      <property name="serviceRegistry"> <ref bean="ServiceRegistry" /> </property>
      <property name="path"> <value>/${spaces.company_home.childname}</value> </property>
      <property name="storeUrl"> <value>${spaces.store}</value> </property>
      <property name="homeFolderManager"> <ref bean="homeFolderManager" /> </property>
      <property name="inheritsPermissionsOnCreate"> <value>false</value> </property>
      <property name="ownerPermissionsToSetOnCreate"> <set> <value>All</value> </set> </property>
      <property name="userPermissions"> <set> <value>All</value> </set> </property>
   </bean>

   <bean name="userHomesHomeFolderProvider" class="org.alfresco.repo.security.person.UIDBasedHomeFolderProvider">
      <property name="serviceRegistry"> <ref bean="ServiceRegistry" /> </property>
      <property name="path"> <value>/${spaces.company_home.childname}/${spaces.user_homes.childname}</value> </property>
      <property name="storeUrl"> <value>${spaces.store}</value> </property>
      <property name="homeFolderManager"> <ref bean="homeFolderManager" /> </property>
      <property name="inheritsPermissionsOnCreate"> <value>false</value> </property>
      <property name="ownerPermissionsToSetOnCreate"> <set> <value>All</value> </set> </property>
      <property name="userPermissions"> <set> <value>All</value> </set> </property>
   </bean>

   <bean id="ticketComponent" class="org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl">
      <property name="ticketsCache"> <ref bean="ticketsCache"/> </property>
      <property name="validDuration"> <value>PT1H</value> </property>
      <property name="ticketsExpire"> <value>false</value> </property>
      <property name="oneOff"> <value>false</value> </property>
      <property name="expiryMode"> <value>AFTER_FIXED_TIME</value> </property>
   </bean>

   <bean id="userNameGenerator" class="org.alfresco.repo.security.authentication.BasicUserNameGenerator">
      <property name="userNameLength"> <value>6</value> </property>
   </bean>

   <bean id="passwordGenerator" class="org.alfresco.repo.security.authentication.BasicPasswordGenerator">
      <property name="passwordLength"> <value>8</value> </property>
   </bean>
</beans>

/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/file-servers.properties (NOTE: These are dummy values; my values are different)
cifs.localname=alfserver
cifs.domain=my.domain.com
cifs.broadcast=123.234.123.234

/opt/alfresco/tomcat/shared/classes/alfresco/extension/web-client-config-custom.xml
<alfresco-config>
   <config>
      <client>
         <initial-location>userhome</initial-location>
         <from-email-address>alfresco-admin@alfserver</from-email-address>
      </client>
   </config>

   <config evaluator="string-compare" condition="Views">
      <views>
         <view-defaults>
            <browse>
               <sort-direction>descending</sort-direction>
               <view>details</view>
               <page-size>
                  <list>30</list>
                  <details>30</details>
                  <icons>30</icons>
               </page-size>
            </browse>
         </view-defaults>
      </views>
   </config>
</alfresco-config>

/opt/alfresco/tomcat/shared/classes/alfresco/extension/file-servers-custom.xml
<alfresco-config area="file-servers">
   <config evaluator="string-compare" condition="Filesystems" replace="true">
      <filesystems>
         <filesystem name="Alfresco">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>
            <urlFile>
               <filename>__Alfresco.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>
            <offlineFiles/>
            <desktopActions>
               <global>
                  <path>alfresco/desktop/Alfresco.exe</path>
                  <webpath>http://${localname}:8080/alfresco/</webpath>
               </global>
               <action>
                  <class>org.alfresco.filesys.repo.desk.CheckInOutDesktopAction</class>
                  <name>CheckInOut</name>
                  <filename>__CheckInOut.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.repo.desk.JavaScriptDesktopAction</class>
                  <name>JavaScriptURL</name>
                  <filename>__ShowDetails.exe</filename>
                  <script>alfresco/desktop/showDetails.js</script>
                  <attributes>anyFiles</attributes>
                  <preprocess>copyToTarget</preprocess>
               </action>
            </desktopActions>
         </filesystem>
         <avmfilesystem name="AVM">
            <virtualView/>
         </avmfilesystem>
      </filesystems>
   </config>

   <config evaluator="string-compare" condition="CIFS Server" replace="true">
      <serverEnable enabled="true"/>
      <host name="${cifs.localname}" domain="${cifs.domain}"/>
      <comment>Alfresco CIFS Server</comment>
      <broadcast>${cifs.broadcast}</broadcast>
      <tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
      <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
      <hostAnnounce interval="5"/>
      <Win32NetBIOS/>
      <Win32Announce interval="5"/>
      <authenticator type="enterprise">
      </authenticator>
      <sessionDebug flags="Negotiate,Socket"/>
   </config>

</alfresco-config>

The above config produces the following output in alfresco.log when the "alfresco.sh start" command is issued:
12:17:10,456 INFO  [org.alfresco.config.xml.XMLConfigService$PropertyConfigurer] Loading properties file from class path resource [alfresco/file-servers.properties]
12:17:11,102 DEBUG [org.alfresco.smb.protocol.auth] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@18438d57, name=log4j:logger=org.alfresco.smb.protocol.auth
12:17:14,939 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] Schema managed by database dialect org.hibernate.dialect.MySQLInnoDBDialect.
12:17:15,297 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
12:17:16,419 INFO  [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: /opt/alfresco/alf_data
12:17:16,441 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Checking for patches to apply …
12:17:16,586 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] No patches were required.
12:17:16,589 INFO  [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
12:17:16,961 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_11-b03; maximum heap size 910.250MB
12:17:16,961 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Labs): Current version 3.0.0 (c 1342) schema 1000 - Installed version 3.0.0 (c 1342) schema 1000
12:17:17,068 WARN  [org.alfresco.linkvalidation.LinkValidationServiceImpl] LinkValidationService Update is not running (virtualization server not registered or started)
12:17:26,249 INFO  [org.alfresco.web.scripts.DeclarativeRegistry] Registered 21 Web Scripts (+0 failed), 23 URLs
12:17:26,250 INFO  [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised Presentation Web Script Container (in 65.977ms)
12:17:26,417 INFO  [org.alfresco.web.scripts.DeclarativeRegistry] Registered 134 Web Scripts (+0 failed), 136 URLs
12:17:26,417 INFO  [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised WebFramework Web Script Container (in 164.794ms)
12:17:26,436 INFO  [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework
12:17:57,744 INFO  [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework

Again, the result of the above configuration is that no user can use the Windows XP "Map Network Drive…" function to map the CIFS server as a shared drive.

Where is the error in this out-of-the-box configuration?
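
Added example (not part of the original post, and not Alfresco code): a small triage script for the org.alfresco.smb.protocol.auth debug lines quoted in the question. It groups them by "NT Session setup" request so that Kerberos errors and NTLM logons can be read per MID. The function names and record fields are this example's own; the sample input is the second log excerpt from the post, reproduced unchanged.

```python
import re

# Sample input: second "Map Network Drive" excerpt from the post (placeholders kept).
SAMPLE_LOG = """\
12:54:37,200 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
12:54:37,201 DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=985,Authenticator=EncType=23,Kvno=-1,Len=181]
12:54:37,201 DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
12:54:37,201 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
12:54:37,201 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
12:54:39,466 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
12:54:39,476 DEBUG [org.alfresco.smb.protocol.auth] User  logged on  (type Normal)
12:54:39,478 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=24, UID=0, PID=65279
12:54:39,631 DEBUG [org.alfresco.smb.protocol.auth] Logged on using NTLMSSP/NTLMv2
12:54:39,633 DEBUG [org.alfresco.smb.protocol.auth] User <user> logged on  (type Normal)
12:54:39,634 DEBUG [org.alfresco.smb.protocol.auth] Allocated UID=0 for VC=[0:0,[<user>:null,Windows XP 3790 Service Pack 2,,<client pc ip>],Tree=0,Searches=0]
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d,\d{3})\s+(\w+)\s+\[org\.alfresco\.smb\.protocol\.auth\]\s+(.*)$")
SETUP = re.compile(r"NT Session setup \S+, MID=(\d+), UID=\d+, PID=(\d+)")
USER = re.compile(r"User (.*?) logged on")          # user name may be empty
EXC = re.compile(r"^[\w.$]+(?:Exception|Error)\b")  # Java exception class name


def parse_attempts(text):
    """Return one record per 'NT Session setup' request found in the log text."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other loggers, stack-trace lines, blank lines
        ts, level, msg = m.groups()
        s, u = SETUP.match(msg), USER.match(msg)
        if s:
            cur = {"time": ts, "mid": int(s.group(1)), "pid": int(s.group(2)),
                   "mechanism": None, "outcome": "no-result", "user": None, "exception": None}
            attempts.append(cur)
        elif cur is None:
            continue  # auth message seen before any session setup line
        elif msg.startswith("Kerberos AP-REQ"):
            cur["mechanism"] = "Kerberos"
        elif level == "ERROR" and msg == "Kerberos logon error":
            cur["mechanism"], cur["outcome"] = "Kerberos", "error"
        elif level == "ERROR" and cur["outcome"] == "error" and EXC.match(msg):
            cur["exception"] = msg
        elif msg.startswith("Logged on using "):
            cur["mechanism"], cur["outcome"] = msg[len("Logged on using "):], "logon"
        elif u:
            cur["user"] = u.group(1)
    return attempts


def summarize(attempts):
    """Condense the per-request records into the counts worth checking first."""
    kerberos = [a for a in attempts if a["mechanism"] == "Kerberos"]
    ntlm_ok = [a for a in attempts if a["outcome"] == "logon" and "NTLM" in a["mechanism"]]
    return {
        "kerberos_attempts": len(kerberos),
        "kerberos_errors": sum(a["outcome"] == "error" for a in kerberos),
        "exceptions": sorted({a["exception"] for a in kerberos if a["exception"]}),
        "ntlm_logons": [(a["mid"], a["mechanism"], a["user"]) for a in ntlm_ok],
        "blank_user_logons": [a["mid"] for a in attempts if a["user"] == ""],
    }


if __name__ == "__main__":
    records = parse_attempts(SAMPLE_LOG)
    print(*records, sep="\n")
    print(summarize(records))
```

Run against the full alfresco.log, it ignores lines from other loggers, so the same summary can be compared across the two mapping attempts.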
