
CIFS login with MIT Kerberos

Question asked by okelet on Feb 23, 2012
Latest reply on Aug 26, 2013 by nicolasraoul
Hi

We are trying to configure Alfresco Community 4.0c to authenticate using MIT Kerberos. We already have a test Kerberos server, using an LDAP backend; the Kerberos server works fine, as I can log in to the machine with SSH using Kerberos credentials, and the ticket is created. This is krb5.conf:


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = PRUEBAS.COMPANY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
krb4_convert = false

[realms]
PRUEBAS.COMPANY = {
  kdc = kerberos.pruebas.local
  admin_server = kerberos.pruebas.local
  kpasswd_server = kerberos.pruebas.local
  default_domain = kerberos.pruebas.local
}

[domain_realm]
.pruebas.local = PRUEBAS.COMPANY
pruebas.local = PRUEBAS.COMPANY

Then, I have generated some principals for the Alfresco server, and created the keytabs in it; from the Kerberos server:


kadmin.local "-q addprinc -randkey host/alfresco.pruebas.local"
kadmin.local "-q addprinc -randkey HTTP/alfresco.pruebas.local"
kadmin.local "-q addprinc -randkey cifs/alfresco.pruebas.local"
kadmin.local "-q addprinc -randkey cifs/alfrescoa"

From the alfresco server:


kadmin -p root/admin "-q ktadd -k /etc/krb5.keytab host/alfresco.pruebas.local"
kadmin -p root/admin "-q ktadd -k /etc/krb5.alfresco.http.keytab HTTP/alfresco.pruebas.local"
kadmin -p root/admin "-q ktadd -k /etc/krb5.alfresco.cifs.keytab cifs/alfresco.pruebas.local"
kadmin -p root/admin "-q ktadd -k /etc/krb5.alfresco.cifs.keytab cifs/alfrescoa"

Then, I created the JAAS file (/opt/alfresco/java/jre/lib/security/java.login.config):


Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    debug=true
    useKeyTab=true
    keyTab="/etc/krb5.alfresco.cifs.keytab"
    isInitiator=false
    principal="cifs/alfresco.pruebas.local";
};

AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    debug=true
    useKeyTab=true
    keyTab="/etc/krb5.alfresco.http.keytab"
    isInitiator=false
    principal="HTTP/alfresco.pruebas.local";
};

ShareHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/krb5.alfresco.http.keytab"
    isInitiator=false
    principal="HTTP/alfresco.pruebas.local";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

I created a new properties file for the Kerberos authentication subsystem (/opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/kerberos/kerberos1/kerberos-authentication.properties); I have commented out the properties about secrets because the principals were created with randkey:


kerberos.authentication.realm=PRUEBAS.MYCOMPANY
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=Alfresco
# kerberos.authentication.cifs.password=secret
# kerberos.authentication.http.password=secret
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.browser.ticketLogons=true

Finally, I configured the authentication chain in /opt/alfresco/tomcat/shared/classes/alfresco-global.properties (ldap1 is an authentication profile with LDAP, working fine):


authentication.chain=alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap

Now (after restarting Alfresco), I log in to a machine by SSH, so the Kerberos ticket is generated; then I try smbclient to the Kerberos server, using Kerberos authentication, but I get an error:


[myuser@kerberos ~]$ smbclient -k -L ALFRESCOA -I XXX.XXX.XXX.XXX
session setup failed: NT_STATUS_LOGON_FAILURE

In the Alfresco / Tomcat (Catalina) LOG I get this:


2012-02-23 10:09:27,235  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup NTLMSSP, MID=2, UID=0, PID=8822
2012-02-23 10:09:27,242  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction
2012-02-23 10:09:27,271  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup NTLMSSP, MID=3, UID=0, PID=8822
2012-02-23 10:09:27,271  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction
2012-02-23 10:09:27,278  WARN  [smb.protocol.auth] [AlfJLANWorker4] User does not exist, myuser

So I think that alfrescoNtlm1 is trying to authenticate my Kerberos user, and it fails, but does not continue with the kerberos1 profile. If I change the order of the authentication chain to this:


authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

With this configuration, when Tomcat is started, this message appears:


Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kerberos.pruebas.local UDP:88, timeout=30000, number of retries =3, #bytes=150
>>> KDCCommunication: kdc=kerberos.pruebas.local UDP:88, timeout=30000,Attempt =1, #bytes=150
>>> KrbKdcReq send: #bytes read=177
>>> KrbKdcReq send: #bytes read=177
>>> KdcAccessibility: remove kerberos.pruebas.local
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
    cTime is Thu Feb 23 10:14:38 CET 2012 1329988478000
    sTime is Thu Feb 23 10:14:38 CET 2012 1329988478000
    suSec is 241378
    error code is 6
    error Message is Client not found in Kerberos database
    crealm is PRUEBAS.MYCOMPANY
    cname is admin
    realm is PRUEBAS.MYCOMPANY
    sname is krbtgt/PRUEBAS.MYCOMPANY
    msgType is 30
KRBError received: CLIENT_NOT_FOUND

I think this is because Alfresco is trying to authenticate the admin user against Kerberos, as it is now the first in the authentication chain. If I ignore that message and run smbclient again, I get this in the Alfresco log:


2012-02-23 10:17:03,976  DEBUG [smb.protocol.auth] [AlfJLANWorker16] NT Session setup SPNEGO, MID=2, UID=0, PID=8918
2012-02-23 10:17:03,983  DEBUG [smb.protocol.auth] [AlfJLANWorker16] Using Write transaction
2012-02-23 10:17:03,991  DEBUG [smb.protocol.auth] [AlfJLANWorker16] Kerberos AP-REQ - [AP-REQ:APOptions=,Ticket=Len=280,Authenticator=EncType=1,Kvno=-1,Len=144]
Search Subject for Kerberos V5 ACCEPT cred (cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY(1)
Found key for cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY(16)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
2012-02-23 10:17:04,023  ERROR [org.alfresco.fileserver] [AlfJLANWorker16] Error from JLAN
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
   at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAs(Subject.java:337)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1409)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1289)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$200(EnterpriseCifsAuthenticator.java:86)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:798)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:782)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:388)
   at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:594)
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:781)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy217.processSessionSetup(Unknown Source)
   at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:416)
   at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:222)
   at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1439)
   at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:138)
   at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
   at java.lang.Thread.run(Thread.java:662)
Caused by: KrbException: Checksum failed
   at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:77)
   at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:69)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
   at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
   at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
   at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
   … 27 more
Caused by: java.security.GeneralSecurityException: Checksum failed
   at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:365)
   at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:56)
   at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:75)
   … 33 more
2012-02-23 10:17:04,026  DEBUG [smb.protocol.auth] [AlfJLANWorker16] No SPNEGO response, Kerberos logon failed
2012-02-23 10:17:04,029  ERROR [smb.protocol.auth] [AlfJLANWorker16] Kerberos logon error
2012-02-23 10:17:04,029  ERROR [smb.protocol.auth] [AlfJLANWorker16] org.alfresco.jlan.smb.server.SMBSrvException: Access denied

I also tried from a Windows account, with the same results. Even with the local admin account using password authentication (no Kerberos), access is denied:


2012-02-23 11:01:27,601  DEBUG [smb.protocol.auth] [AlfJLANWorker3] NT Session setup SPNEGO, MID=2, UID=0, PID=9190
2012-02-23 11:01:27,601  DEBUG [smb.protocol.auth] [AlfJLANWorker3] Using Write transaction
2012-02-23 11:01:27,605  DEBUG [smb.protocol.auth] [AlfJLANWorker4] NT Session setup SPNEGO, MID=3, UID=0, PID=9190
2012-02-23 11:01:27,608  DEBUG [smb.protocol.auth] [AlfJLANWorker4] Using Write transaction

HTTP form (using the browser) and Kerberos (using curl, it shows the welcome page, not the login form) authentication work fine:


curl --location --negotiate -u : http://alfresco.pruebas.local:8080/alfresco/

I have read a lot of documentation about Alfresco, but most of it is about integration with Active Directory, not the MIT Kerberos we are using. Now I am stuck; I have changed the encryption types for generating the principals and keytabs, changed the isInitiator attribute in JAAS, etc., without success.

Any idea what else I can test?

Regards and thanks in advance.
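Added diagnostic example (not part of the original post, and not Alfresco or MIT Kerberos code): a small Python inspector for the keytab files the post extracts with ktadd. A "Checksum failed" while the acceptor decrypts the AP-REQ means the service key the JVM took from the keytab does not match the key the KDC used to encrypt the ticket, and the usual cause is a keytab whose kvno or enctype no longer agrees with the KDC (each ktadd re-keys the principal and bumps its kvno). The code parses the MIT keytab format (version 0x0502), lists principal, kvno and enctype per entry, flags principals whose keytab kvnos do not include the kvno the KDC reports, and decodes the numeric etype lists printed in the Java Kerberos debug output. The realm and principal names follow the post's log lines; the keytab bytes, keys, kvnos and KDC-reported kvnos are constructed for the example.

```python
"""Offline keytab inspector: added example, not code from the Alfresco post or project.
Parses the MIT keytab format (version 0x0502), lists principal/kvno/enctype per
entry, flags principals whose keytab kvno differs from the kvno the KDC reports,
and decodes the numeric etype lists in the Java Kerberos debug output.
All sample data below is constructed."""
import struct

# Standard enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(data, pos):
    """Keytab counted_octet_string: uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries, hole=0):
    """Serialize (principal, realm, kvno, enctype, key) tuples into a v2 keytab.
    Used only to construct sample input; `hole` prepends a deleted-entry marker
    (negative size) like the one ktremove leaves behind."""
    out = bytearray(b"\x05\x02")
    if hole:
        out += struct.pack(">i", -hole) + b"\x00" * hole
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1329988478)   # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size = deleted entry; skip the hole
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 4                      # name_type, not needed here
        _ts, vno8, enctype, klen = struct.unpack_from(">IBHH", data, pos)
        pos += 9 + klen               # skip the fixed header and the key bytes
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype)})
    return entries


def find_kvno_mismatches(entries, kdc_kvnos):
    """Map principal -> (sorted keytab kvnos, KDC kvno) for principals whose keytab
    holds no key with the kvno the KDC currently issues tickets under."""
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e["principal"], set()).add(e["kvno"])
    return {p: (sorted(v), kdc_kvnos[p]) for p, v in by_principal.items()
            if p in kdc_kvnos and kdc_kvnos[p] not in v}


def decode_etypes(line):
    """Decode an etype list such as '3 1 23 16 17' from the JGSS debug output."""
    return [ENCTYPE_NAMES.get(int(n), "unknown(%s)" % n) for n in line.split()]


# Constructed sample: realm and principals as in the post, keys and kvnos invented.
SAMPLE_ENTRIES = [
    ("cifs/alfresco.pruebas.local", "PRUEBAS.MYCOMPANY", 2, 1, b"\x11" * 8),
    ("cifs/alfresco.pruebas.local", "PRUEBAS.MYCOMPANY", 2, 16, b"\x22" * 24),
    ("cifs/alfrescoa", "PRUEBAS.MYCOMPANY", 3, 16, b"\x33" * 24),
    ("HTTP/alfresco.pruebas.local", "PRUEBAS.MYCOMPANY", 300, 18, b"\x44" * 32),
]
# Constructed: kvnos as `kadmin -q "getprinc <principal>"` would report them.
SAMPLE_KDC_KVNO = {
    "cifs/alfresco.pruebas.local@PRUEBAS.MYCOMPANY": 3,   # re-keyed after the keytab was written
    "cifs/alfrescoa@PRUEBAS.MYCOMPANY": 3,
    "HTTP/alfresco.pruebas.local@PRUEBAS.MYCOMPANY": 300,
}
```

Running `parse_keytab(build_keytab(SAMPLE_ENTRIES, hole=6))` yields the same principal/kvno/enctype view that `klist -ket <keytab>` prints for a real file, which is the quickest way to check the parser against a keytab of your own; `find_kvno_mismatches` then reports only `cifs/alfresco.pruebas.local`, whose keytab kvno 2 is behind the constructed KDC kvno 3. The 32-bit kvno extension is exercised by the HTTP entry (kvno 300 does not fit in the 8-bit field), and the `hole` argument exercises the deleted-entry markers that ktremove leaves in place.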
