
4.2e kerberos auth error

Question asked by vincent-kali on Nov 19, 2013
Latest reply on Nov 22, 2013 by vincent-kali
[Alfresco CE 4.2e on linux debian, MS2008R2 AD Ctrl]

Hi,
I'm trying to set up Kerberos auth with MS AD / SSO for the fileserver and HTTP.
I'm always facing the same error when starting Alfresco:
   javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

I did the following:

1) Create AD users on my DC 2008R2:
    AlfrescoCIFS
    AlfrescoHTTP
    (Password never expires, Disable “User must change password at next logon”, Do not require Kerberos preauthentication)


2) Create keytab files on my DC 2008R2:
     ktpass -princ cifs/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL -pass * -mapuser MYDOMAIN\AlfrescoCIFS -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out AlfrescoCIFS.keytab -kvno 0

     ktpass -princ HTTP/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL -pass * -mapuser MYDOMAIN\AlfrescoHTTP -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out AlfrescoHTTP.keytab -kvno 0

   And copy the files to /etc/keys on my Alfresco server (linux debian)

3) Create SPN (and verify)
     setspn -a cifs/alfrescoserver.mydomain.local AlfrescoCIFS   
     setspn -a cifs/alfrescoserver AlfrescoCIFS   
     setspn -a HTTP/alfrescoserver.mydomain.local AlfrescoHTTP   
     setspn -a HTTP/alfrescoserver AlfrescoHTTP   


4) Create /etc/krb5.conf on the Alfresco server
   
    [libdefaults]
     default_realm = MYDOMAIN.LOCAL
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac
   
    [realms]
     MYDOMAIN.LOCAL = {
      kdc = mydc.mydomaine.local
      admin_server = mydc.mydomaine.local
     }
   
    [domain_realm]
     mydc.mydomaine.local = MYDOMAIN.LOCAL
    .mydc.mydomaine.local = MYDOMAIN.LOCAL

5) Update the Java security config file on the Alfresco server: /opt/alfresco-4.2.e/java/jre/lib/security/java.security:
   #
   # Default login configuration file
   #
   #login.config.url.1=file:${user.home}/.java.login.config
   login.config.url.1=file:${java.home}/lib/security/java.login.config

6) Create file /opt/alfresco-4.2.e/java/jre/lib/security/java.login.config

   Alfresco {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   AlfrescoCIFS {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      keyTab="/etc/keys/AlfrescoCIFS.keytab"
      principal="cifs/alfrescoserver.mydomain.local";
   };
   
   AlfrescoHTTP {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      keyTab="/etc/keys/AlfrescoHTTP.keytab"
      principal="HTTP/alfrescoserver.mydomain.local";
   };
   
   com.sun.net.ssl.client {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };

   other {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   
Restart the server, with the error above.

I'm trying to test the keytab files from a Windows client, and I get the same error:

>kinit -k -t AlfrescoHTTP.keytab "HTTP/alfrescoserver.mydomain.local"
   Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
   KrbException: Client not found in Kerberos database (6)


I understand that my keytab files are wrong/corrupted? Is this correct?
Am I missing something? Anything to test?

Please help!


Thanks,
Vincent