
Configuring CIFS for Kerberos/AD integration PROBLEM!!

Question asked by hnulty on Nov 7, 2007
Latest reply on Jan 13, 2009 by meansartin14
Setting the scene:
  We have Alfresco Community 2.1.0 installed on RHEL4 with apache-tomcat 5.5.25.
  We have deployed alfresco.war from alfresco-community-war-2.2.0dev.zip dated 10/30/2007, hoping for the fix for AR-1727.

CIFS authentication via Kerberos/AD is NOT working.

We have customized file-servers-custom.xml in the extension folder as so:

file-servers-custom.xml:

   <!-- authenticate to ADS server -->
   <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="enterprise">
      <KDC>ourdc.doma.domb.domc</KDC>
      <Realm>DOMA.DOMB.DOMC</realm>
      <LoginEntry>alfrescocifs</LoginEntry>
      <Password>——–</Password>
      </authenticator>
   </config>


java.security:
from java.security:

#
# Default login configuration file
#
login.config.url.1=file:${java.home}/lib/security/java.login.config

java.login.config:
alfrescocifs {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  useKeyTab=true
  keyTab="/etc/krb5.keytab"
  principal="cifs/ourrel4.doma.domb.domc";
};


klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 cifs/ourrel4.doma.domb.domc@DOMA.DOMB.DOMC (DES cbc mode with RSA-MD5)

krb5.conf
krb5.conf:
[libdefaults]
        default_realm = DOMA.DOMB.DOMC
               
[realms]       
        DOMA.DOMB.DOMC = {
                kdc = ourdc.doma.domb.domc
                admin_server = ourdc.doma.domb.domc
        }
       
[domain_realms]
        .kerberos.server = DOMA.DOMB.DOMC

setspn -l alfrescocifs
Registered ServicePrincipalNames for CN=Alfresco CIFS,OU=Users,OU=Server Group,OU=IIS,DC=doma,DC=domb,DC=domc:
    cifs/ourrel4.doma.domb.domc

For the web interface we have users defined in Alfresco and passwords set for them.  These userids match AD userids.  If passwords are set to match AD passwords, CIFS authentication works … it uses cached credentials.  If passwords do not match we get errors as below.  Can we expect to configure Alfresco to use AD/Kerberos for CIFS authentication and Alfresco user database for web?

Please advise, suggest, help, correct!!    –hnulty

from catalina.out
12:08:30,902  ERROR [smb.protocol.auth] Kerberos logon error
Logon failure
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1283)
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1113)
        at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:673)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:407)
        at org.alfresco.filesys.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:221)
        at org.alfresco.filesys.smb.server.SMBSrvSession.run(SMBSrvSession.java:1381)
        at java.lang.Thread.run(Thread.java:595)
GSSException: No valid credentials provided
  No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
