
Kerberos auth against MS AD

Question asked by patsch on Mar 26, 2015
Latest reply on Mar 30, 2015 by patsch
Hello Everyone,

I'm new to Alfresco. First of all everything is working fine with my configuration.
The Authentication over LDAP to the Active Directory works fine.

Now I want to activate CIFS and authentication with Kerberos.
I finished all steps successfully from here: http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html
But if I start Alfresco, the following failures appear in the log:

2015-03-26 13:13:18,612 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] [localhost-startStop-1] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
   Caused by: KrbException: Client not found in Kerberos database (6)
   Caused by: KrbException: Identifier doesn't match expected value (906)

2015-03-26 13:13:18,617 WARN  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in URL [jar:file:/opt/alfresco-5.0.d/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-5.0.d.jar!/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
   Caused by: org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service

I have installed Alfresco 5.0.d (and with Alfresco 5.0.c I have the same problem).
The authentication works against a Windows Server 2012 R2 Active Directory.
If I execute the command 'kinit -V -k -t /etc/keys/AlfrescoCIFS.keytab "cifs/sles-alfresco.my.domain"' everything works fine:

Using existing cache: :/run/user/0/krb5cc/tkt
Using principal: cifs/sles-alfresco.my.domain@MY.DOMAIN
Using keytab: /etc/keys/AlfrescoCIFS.keytab
Authenticated to Kerberos v5

Here are some examples from my configs:

krb5.conf
[libdefaults]
#       default_realm = EXAMPLE.COM
        default_realm = my.domain
        default_keytab_name = FILE:/etc/keys/AlfrescoCIFS.keytab
        default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        permitted_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        dns_lookup_kdc = true
        dns_lookup_realm = false

[realms]
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }
        CONSENSO.LOCAL = {
                kdc = dc01.my.domain
                admin_server = dc01.my.domain
        }

[domain_realm]
        dc01.my.domain = MY.DOMAIN
        .dc01.my.domain = MY.DOMAIN

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON



alfresco-global.properties:
## cifs
filesystem.name=Alfresco
cifs.enabled=true
cifs.serverName=sles-alfresco
cifs.domain=my.domain
cifs.hostannounce=false
cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url
ftp.enabled=false
nfs.enabled=false



java.login.config:
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/AlfrescoCIFS.keytab"
   principal="cifs/sles-alfresco.my.domain";
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/AlfrescoHTTP.keytab"
   principal="HTTP/sles-alfresco.my.domain";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


Hope you can help me.
Thanks

Patrick
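A self-consistency check for a krb5.conf with the layout shown in the post, added here as an example and not part of the original question or of Alfresco: it parses the [libdefaults], [realms] and [domain_realm] sections and reports realm names that do not line up with each other (Kerberos realm names are case-sensitive). The sample configuration embedded in it is constructed to mirror the structure of the quoted file.

```python
def parse_krb5_conf(text):
    """Parse the krb5.conf subset used in the post: [section], key = value, key = { ... }."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line.startswith("["):                  # new section, e.g. [realms]
            section = line.strip("[]")
            sections[section] = {}
            block = None
        elif line == "}":                         # end of a realm block
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                      # start of a block such as MY.DOMAIN = {
                block = sections[section][key] = {}
            elif block is not None:
                block[key] = value
            else:
                sections[section][key] = value
    return sections

def check_realms(text):
    """Return realm-naming findings; [] means self-consistent. Realm names are case-sensitive."""
    conf, findings = parse_krb5_conf(text), []
    default = conf.get("libdefaults", {}).get("default_realm", "")
    realms = [r for r, v in conf.get("realms", {}).items() if isinstance(v, dict)]
    if default != default.upper():
        findings.append(f"default_realm {default!r} is not upper-case")
    if default not in realms:
        findings.append(f"default_realm {default!r} has no [realms] entry (found {realms})")
    for realm in sorted(set(conf.get("domain_realm", {}).values())):
        if realm not in realms:
            findings.append(f"[domain_realm] maps to {realm!r}, which has no [realms] entry")
    return findings

# Constructed sample mirroring the structure of the krb5.conf quoted in the post.
SAMPLE = """[libdefaults]
    default_realm = my.domain
[realms]
    CONSENSO.LOCAL = {
        kdc = dc01.my.domain
    }
[domain_realm]
    .dc01.my.domain = MY.DOMAIN
"""

if __name__ == "__main__":
    print("\n".join(check_realms(SAMPLE)))
```

Run it against a real file with `check_realms(open("/etc/krb5.conf").read())`; the check only covers naming consistency, not whether the KDC or keytab actually works.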