AnsweredAssumed Answered

[Résolu] Prb CIFS + AD sous 3.0b (marche bien sous 2.1)

Question asked by bugger404 on Oct 8, 2008
Latest reply on Jan 22, 2009 by bugger404
Arggg !!!
Je suis + ou - dans le même cas que le post précédent (mais sans l'emploi de Kerberos).
En 2.1 tout passe tranquillement (la connexion CIFS via un client XP est OK et j'ai couplé cela avec Ad + synchro grp/compte)
En 3.0a, 3.0b, 3.0b du 01-10 j'arrive à me connecter sur l'interface Web, ma synchro avec AD marche parfaitement bien mais c'est au niveau du CIFS que j'ai un problème  :
Lorsque que je veux me connecter au partage CIFS ,il me demande un nom et mot de passe, j'ai beau passer en revue toutes les possibilités, il me remet à chaque fois cette boite de dialogue.
Dans mes logs j'ai toujours cette ligne à chaque tentative de connexion :
Null CIFS logon allowed
Authenticated user lambda sts=Disallow via Passthru

Autre bizarrerie : Avec la 2.1, sous XP lorsque je parcours l'arbre des postes inscrits dans mon domaine je vois bien le serveur CIFS (monserveur_a), avec la 3.0 rien n'apparait

C'est donc après avoir écumer les forums francais & anglophone, après quelques cheveux arrachés et avant que je devienne chauve que je m'adresse à vous me dépatouiller.

Voici mes fichiers de conf (alfresco est l'utilsateur permettant la synchro AD):
authority-services-context.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<!– ========================================================= –>
<!– The configuration of the Authority Service Implementation –>
<!– ========================================================= –>

<!–                                                                          –>
<!– This implementation supports the identification of users as admin users. –>
<!– It also supports groups and allows groups and users to be arranged into  –>
<!– hierarchies.                                                             –>
<!–                                                                          –>
<beans>

    <bean id="authorityService" class="org.alfresco.repo.security.authority.AuthorityServiceImpl">
        <property name="authenticationComponent">
            <ref bean="authenticationComponent" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="tenantService">
            <ref bean="tenantService"/>
        </property>
        <property name="authorityDAO">
            <ref bean="authorityDAO" />
        </property>
        <property name="permissionServiceSPI">
            <ref bean="permissionServiceImpl" />
        </property>
        <!–                                                                  –>
        <!– A list of users with admin rights.                               –>
        <!–                                                                  –>
        <!– If the security framework is case sensitive these values should  –>
        <!– be case sensitive user names. If the security framework is not   –>
        <!– case sensitive these values should be the lower-case user names. –>
        <!–                                                                  –>
        <!– By default this includes:                                        –>
        <!–    admin (the user name of default alfresco admin user)          –>
        <!–    administrator (the windows default admin user)                –>
        <!–                                                                  –>
        <!– This assumes that user names are not case sensitive.             –>
        <!–                                                                  –>
        <property name="adminUsers">
            <set>
             <value>alfresco</value>

          </set>
        </property>
    </bean>

    <!– Authority DAO that stores group information along with user information, –>
    <!– in the repository.                                                       –>
    <!–                                                                          –>
    <!– This bean uses the userToAuthorityCache configured in cache-context.xml  –>
    <!–                                                                          –>
    <bean id="authorityDAO" class="org.alfresco.repo.security.authority.AuthorityDAOImpl">
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService" />
        </property>
        <property name="searchService">
            <ref bean="admSearchService" />
        </property>
        <property name="dictionaryService">
            <ref bean="dictionaryService" />
        </property>
        <property name="userToAuthorityCache">
            <ref bean="userToAuthorityCache" />
        </property>
    </bean>

</beans>

file-servers.properties :

cifs.localname=${localname}
cifs.domain=mondomaine.fr
cifs.broadcast=255.255.255.255
file-servers.xml

<alfresco-config area="file-servers">

   <config evaluator="string-compare" condition="CIFS Server">
     <serverEnable enabled="true"/>
      <host name="${cifs.localname}A" domain="${cifs.domain}"/>
      <comment>Alfresco CIFS Server</comment>

      <!– Set to the broadcast mask for the subnet –>
      <broadcast>${cifs.broadcast}</broadcast>

      <!– Use Java socket based NetBIOS over TCP/IP and native SMB on linux –>
      <tcpipSMB platforms="linux,solaris,macosx"/>
      <netBIOSSMB platforms="linux,solaris,macosx"/>

      <!– Can be mapped to non-privileged ports, then use firewall rules to forward
          requests from the standard ports –>
     <!–      
      <tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
      <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
     –>
      
      <hostAnnounce interval="5"/>

      <!– Use Win32 NetBIOS interface on Windows –>
      <Win32NetBIOS/>
      <Win32Announce interval="5"/>

      <!– CIFS authentication –>
      <authenticator type="alfresco">
      </authenticator>
     
<!–
      <WINS>
         <primary>1.2.3.4</primary>
         <secondary>5.6.7.8</secondary>
      </WINS>
–>
      <sessionDebug flags="Negotiate,Socket"/>
   </config>

   <config evaluator="string-compare" condition="FTP Server">
     <serverEnable enabled="true"/>
    
     <!– Run on a non-privileged port –>
     <!–
     <port>1121</port>
     –>

      <!– FTP authentication –>
      <authenticator type="alfresco"/>
          
<!–      <debug flags="File,Search,Error,Directory,Info,DataPort"/> –>
   </config>
  
   <config evaluator="string-compare" condition="NFS Server">
     <serverEnable enabled="false"/>
   </config>
   
   <config evaluator="string-compare" condition="Filesystems">
     <filesystems>
       
       <!– Alfresco repository access shared filesystem –>
         <filesystem name="Alfresco">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>

         <!– Add a URL file to each folder that links back to the web client –>
         <urlFile>
               <filename>__AlfrescoClient.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>

         <!– Mark locked files as offline –>
          <offlineFiles/>

         <!– Desktop actions –>
         <!– Uses a client-side application to trigger a server-side action                         –>
         <!–   Echo - displays a message echoed from the server                                     –>
         <!–   URL  - launches a URL via the Windows shell                                          –>
         <!–   CmdLine - launches the Notepad application                                           –>
         <!–   CheckInOut - checks files in/out, drag and drop files onto the application           –>
         <!–   JavaScript - run a server-side script                                                –>
         <!–   JavaScriptURL - server-side script that generates a URL to the folder using a ticket –>
         <!–                   to avoid having to logon                                             –>

<!–
         <desktopActions>
            <global>
                    <path>alfresco/desktop/Alfresco.exe</path>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </global>
            <action>
               <class>org.alfresco.filesys.repo.desk.EchoDesktopAction</class>
               <name>Echo</name>
                 <filename>__AlfrescoEcho.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.URLDesktopAction</class>
               <name>URL</name>
                 <filename>__AlfrescoURL.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.CmdLineDesktopAction</class>
               <name>CmdLine</name>
                 <filename>__AlfrescoCmd.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.CheckInOutDesktopAction</class>
               <name>CheckInOut</name>
                 <filename>__AlfrescoCheckInOut.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.JavaScriptDesktopAction</class>
               <name>JavaScript</name>
               <filename>__AlfrescoScript.exe</filename>
               <script>alfresco/desktop/dumpRequest.js</script>
               <attributes>anyFiles, multiplePaths , allowNoParams</attributes>
               <preprocess>confirm, copyToTarget</preprocess>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.JavaScriptDesktopAction</class>
               <name>JavaScriptURL</name>
               <filename>__AlfrescoDetails.exe</filename>
               <script>alfresco/desktop/showDetails.js</script>
               <attributes>anyFiles</attributes>
               <preprocess>copyToTarget</preprocess>
            </action>

         </desktopActions>
–>         
                   
<!–
            <accessControl default="Write">
               <user name="admin" access="Write"/>
               <address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
            </accessControl>
–>
         </filesystem>
        
         <!– AVM virtualization view of all stores/versions for WCM –>
         <!– virtual view can be any of the following: normal, site, staging, author, preview –>
         <avmfilesystem name="AVM">
            <virtualView stores="site,staging,author" />
         </avmfilesystem>
        
      </filesystems>
   </config>

   <config evaluator="string-compare" condition="Filesystem Security">
      <!– Domain mappings used for passthri authentication routing –>
      <!–
      <DomainMappings>
         <Domain name="ALFRESCO" subnet="192.168.1.0" mask="192.168.1.255"/>
      </DomainMappings>
      –>
     
      <!– Custom share mapper when multi-tenancy is enabled –>
      <!–
     <shareMapper type="multi-tenant">
       <debug/>
     </shareMapper>
      –>
     
<!–
      <globalAccessControl default="None">
         <user name="admin" access="Write"/>
         <address ip="90.1.0.90" access="Write"/>
      </globalAccessControl>
–>
   </config>


</alfresco-config>

file-servers-custom.xml

<alfresco-config area="file-servers">

   <!– To override the default Alfresco filesystem use replace="true", to –>
   <!– add additional filesystems remove the replace="true" attribute     –>
  
   <config evaluator="string-compare" condition="Filesystems" replace="true">
      <filesystems>

         <filesystem name="Alfresco">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>

            <!– Add a URL file to each folder that links back to the web client –>
            <urlFile>
               <filename>__Alfresco.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>

            <!– Mark locked files as offline –>
            <offlineFiles/>

            <!– Desktop actions –>

            <desktopActions>
               <global>
                  <path>alfresco/desktop/Alfresco.exe</path>
                  <webpath>http://${localname}:8080/alfresco/</webpath>
               </global>
               <action>
                  <class>org.alfresco.filesys.repo.desk.CheckInOutDesktopAction</class>
                  <name>CheckInOut</name>
                  <filename>__CheckInOut.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.repo.desk.JavaScriptDesktopAction</class>
                  <name>JavaScriptURL</name>
                  <filename>__ShowDetails.exe</filename>
                  <script>alfresco/desktop/showDetails.js</script>
                  <attributes>anyFiles</attributes>
                  <preprocess>copyToTarget</preprocess>
               </action>

            </desktopActions>

<!–
            <accessControl default="Write">
               <user name="admin" access="Write"/>
               <address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
            </accessControl>
–>
         </filesystem>
       
       <!– AVM virtualization view of all stores/versions for WCM –>
         <avmfilesystem name="AVM">
            <virtualView/>
         </avmfilesystem>
       
      </filesystems>
   </config>

</alfresco-config>




ldap-authentication.properties
# 
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://monad.mondomaine.fr:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=alfresco

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=passwdalfresco

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false


ldap-synchronisation.properties
# 
# This properties file is used to configure LDAP syncronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=user)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=dc=mondomaine,dc=fr

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=name

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=group)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=dc=mondomaine,dc=fr

# The attribute on LDAP group objects to map to the gid property in Alfrecso
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=group

# The person type in LDAP
ldap.synchronisation.personType=user

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 10 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=true






ntlm-authentication-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

    <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />

    <!– The authentication component.                                      –>

    <!– Use the passthru authentication component to authenticate using    –>
    <!– user accounts on one or more Windows servers.                      –>
  
    <!– Properties that specify the server(s) to use for passthru          –>
    <!– authentication :-                                                  –>
    <!–   useLocalServer   use the local server for authentication         –>
    <!–   domain           use domain controllers from the specified domain–>
    <!–   servers          comma delimted list of server addresses or      –>
    <!–                    names                                           –>
      
    <bean id="authenticationComponent"
          class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"
          parent="authenticationComponentBase">
<property name="servers">
            <value>monad</value>
        </property>
      
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent" />
        </property>
        <property name="guestAccess">
            <value>true</value>
        </property>
    </bean>
  
</beans>

PS : 2.1 & 3.0 testées sous le même "serveur" (XP SP2), Ad sous Win2003, client XP

Outcomes