
alfresco 5.0c and kerberos

Question asked by vincent-kali on Feb 6, 2015
Latest reply on Apr 29, 2015 by vincent-kali
Hi,
I'm facing issues setting up Kerberos authentication against a 2008R2 AD
domain controller on an Alfresco Community 5c platform (on Linux Debian 7).
I followed the procedure that we applied on Alfresco 4.2, which was working fine.

I made the following:
- create service accounts on AD (alfrescoCIFS & alfrescoHTTP), with correct settings (SPN, UPN, disable Kerberos preauth)
- create keytab files and put them on the Alfresco server
- create krb5.conf on alfresco server with correct settings
- test kerberos auth from alfresco server (using krb5-user MIT tools)
   >  kinit cifs/myhostname.mydomain.loc@MYDOMAIN.LOC -k -t /etc/keys/keytab
-> success. It should confirm that the AD, keytab and krb5.conf configurations are correct. Am I correct?

Configure auth chain, CIFS, Kerberos auth in alfresco-global.properties
   
   ### auth chain
   authentication.chain=kerberos1:kerberos,myDomain:ldap-ad,alfrescoNtlm1:alfrescoNtlm
   
   ### ldap auth
   ldap.authentication.active=true
   ldap.authentication.allowGuestLogin=false
   ldap.authentication.userNameFormat=%s@mydomain.loc
   ldap.authentication.java.naming.provider.url=ldap://x.x.x.x
   ldap.authentication.java.naming.security.authentication=simple
   ldap.authentication.defaultAdministratorUserNames=admin
   
   ### KERBEROS auth
   kerberos.authentication.realm=MYDOMAIN.LOC
   kerberos.authentication.authenticateCIFS=true
   kerberos.authentication.sso.enabled=false
   kerberos.authentication.user.configEntryName=Alfresco
   kerberos.authentication.defaultAdministratorUserNames=admin
   kerberos.authentication.cifs.configEntryName=alfrescoCIFS
   kerberos.authentication.cifs.password=****************
   kerberos.authentication.http.configEntryName=alfrescoHTTP
   kerberos.authentication.http.password=****************
   kerberos.authentication.browser.ticketLogons=true
   kerberos.authentication.stripUsernameSuffix=true
   
   ### ldap sync
   ldap.synchronization.active=true
   ldap.synchronization.java.naming.security.authentication=simple
   ldap.synchronization.java.naming.security.principal=svc-ldapsync@mydomain.loc
   ldap.synchronization.java.naming.security.credentials=****************
   ldap.synchronization.groupSearchBase=ou\=Groups,dc\=MYDOMAIN,dc=loc
   ldap.synchronization.userSearchBase=ou\=Users,dc\=MYDOMAIN,dc=loc
   ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
   
   ### CIFS-NFS-FTP
   filesystem.name=WCM
   cifs.enabled=true
   cifs.serverName=myhostname
   cifs.domain=mydomain.loc
   cifs.hostannounce=false
   cifs.pseudoFiles.enabled=false
   cifs.pseudoFiles.explorerURL.enabled=false
   cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
   cifs.pseudoFiles.shareURL.enabled=false
   cifs.pseudoFiles.shareURL.fileName=__Share.url
   ftp.enabled=false
   nfs.enabled=false

   
Now the JAAS config :
- update the /opt/alfresco-5.0.c/java/lib/security/java.security file and add following line:
   login.config.url.1=file:${java.home}/lib/security/java.login.config
- create java.login.config file
      
   Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   alfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/keytab"
   principal="cifs/myhostname.mydomain.loc";
   };

   alfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/keytab"
   principal="HTTP/myhostname.mydomain.loc";
   };

   com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
Restart Alfresco
-> seems to be OK:  INFO  [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

The problem:
When trying to access Alfresco using CIFS, I get a 'logon failure' on my Windows client, and the following output in catalina.out:

   2015-02-06 15:14:48,630  ERROR [org.alfresco.fileserver] [AlfJLANWorker18] Error from JLAN
   GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAs(Unknown Source)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1536)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1420)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$200(EnterpriseCifsAuthenticator.java:87)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:897)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:881)
         at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
         at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:641)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processAlfrescoSessionSetup(EnterpriseCifsAuthenticator.java:880)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:682)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at com.sun.proxy.$Proxy188.processSessionSetup(Unknown Source)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:417)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:223)
         at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1480)
         at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:150)
         at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
         at java.lang.Thread.run(Unknown Source)
   Caused by: KrbException: Specified version of key is not available (44)
         at sun.security.krb5.EncryptionKey.findKey(Unknown Source)
         at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
         at sun.security.krb5.KrbApReq.<init>(Unknown Source)
         at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
         … 29 more
   2015-02-06 15:14:48,633  ERROR [auth.cifs.EnterpriseCifsAuthenticator] [AlfJLANWorker18] No SPNEGO response, Kerberos logon failed

I don't understand the cause of this error "Specified version of key is not available", as the kvno in AD and in the keytab match, and Kerberos
auth has been tested successfully using kinit. Could somebody help me?


Thanks,
Vincent
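Error 44 in the trace is KRB_AP_ERR_BADKEYVER (RFC 4120): the service ticket the Windows client presented is encrypted under a key version that the keytab loaded by the JAAS module does not contain, and the Java acceptor selects the key by principal, enctype and kvno. A kinit -k run exercises the AS exchange with the keytab on the client side; it does not exercise this AP-side lookup. The following is an added diagnostic, not part of the original post or of Alfresco: a reader for MIT-format keytabs (version 0x0502) that lists principal, kvno and enctype per entry, plus a check that says whether a ticket for a given principal/kvno/enctype could be decrypted. The sample keytab, its keys and the timestamp are constructed; the kvno 4 used in the test stands in for a hypothetical password reset on the AD account.

```python
import struct
AES256, RC4 = 18, 23   # Kerberos enctype numbers: aes256-cts-hmac-sha1-96, rc4-hmac

def _counted(body, off):  # uint16 length-prefixed octet string -> (text, next offset)
    (n,) = struct.unpack(">H", body[off:off + 2])
    return body[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02": raise ValueError("only keytab format 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0: pos -= size; continue          # negative size marks a deleted slot
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2]); off = 2
        realm, off = _counted(body, off)             # in 0x0502 the realm precedes the components
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(body, off); comps.append(comp)
        _ntype, _stamp, vno8 = struct.unpack(">IIB", body[off:off + 9]); off += 9
        enctype, keylen = struct.unpack(">HH", body[off:off + 4]); off += 4 + keylen
        # an optional trailing 32-bit kvno overrides the 8-bit one when it is non-zero
        vno32 = struct.unpack(">I", body[off:off + 4])[0] if off + 4 <= len(body) else 0
        entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype))
    return entries

def build_entry(principal, kvno, enctype, key):
    """Encode one keytab entry; used here only to construct sample data."""
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 1423235688, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def diagnose(entries, principal, kvno, enctype):
    """Why a service ticket for (principal, kvno, enctype) cannot be decrypted with this keytab."""
    mine = [e for e in entries if e[0] == principal]
    if not mine:                                     # SPN or realm in keytab differs from ticket
        return "no key for principal"
    if not any(e[2] == enctype for e in mine):       # e.g. AES ticket but RC4-only keytab
        return "no key for enctype"
    if not any(e[1] == kvno and e[2] == enctype for e in mine):
        return "kvno mismatch (KRB_AP_ERR_BADKEYVER 44): keytab %s, ticket %d" % (sorted({e[1] for e in mine}), kvno)
    return "ok"

# Constructed sample: both SPNs at kvno 3. AD raises the kvno on every password reset (each ktpass run).
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("cifs/myhostname.mydomain.loc@MYDOMAIN.LOC", 3, AES256, b"\x11" * 32)
                 + build_entry("HTTP/myhostname.mydomain.loc@MYDOMAIN.LOC", 3, RC4, b"\x22" * 16))
```

The kvno the KDC currently uses for the account is its msDS-KeyVersionNumber attribute in AD, and the enctype it selects can be seen with the MIT `kvno` tool or in a packet capture of the AP-REQ; compare both against the entries this reader prints, not only the kvno reported when the keytab was cut. Note that AES256 tickets additionally require the JCE unlimited-strength policy on a 2015-era JDK, which shows up as the "no key for enctype" case rather than as error 44.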



