
Alfresco 5.0.d - Kerberos HTTP and CIFS Issue

Question asked by tschaaaaaaaaaa on Jun 12, 2015
I have a configuration problem with Kerberos authentication for HTTP and CIFS on my Alfresco system.

Failure Output catalina.out:
2015-06-12 10:55:52,104  WARN  [management.subsystems.ChildApplicationContextFactory] [dms.rl.co.at-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'globalAuthenticationFilter' defined in file [/opt/local/conf/tomcat/dms-prd-leasing/webapps/dms.rl.co.at/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: Configuration Error:
No such file or directory
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1513)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:521)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:633)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
        at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:809)
        at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1018)
        at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.getState(AbstractPropertyBackedBean.java:301)
        at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.getApplicationContext(ChildApplicationContextFactory.java:437)
        at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager$ApplicationContextManagerState.getApplicationContext(DefaultChildApplicationContextManager.java:360)
        at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager$ApplicationContextManagerState.start(DefaultChildApplicationContextManager.java:306)
        at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1018)
        at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.getState(AbstractPropertyBackedBean.java:301)
        at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager.getInstanceIds(DefaultChildApplicationContextManager.java:180)
        at org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationService.refreshBeans(SubsystemChainingAuthenticationService.java:89)
        at org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationService.getUsableAuthenticationServices(SubsystemChainingAuthenticationService.java:185)
        at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.getDefaultAdministratorUserNames(AbstractChainingAuthenticationService.java:566)
        at org.alfresco.repo.security.authority.AuthorityServiceImpl.getRoleAuthorities(AuthorityServiceImpl.java:260)
        at org.alfresco.repo.security.authority.AuthorityServiceImpl.access$000(AuthorityServiceImpl.java:53)
        at org.alfresco.repo.security.authority.AuthorityServiceImpl$UserAuthoritySet.<init>(AuthorityServiceImpl.java:747)
        at org.alfresco.repo.security.authority.AuthorityServiceImpl.getAuthoritiesForUser(AuthorityServiceImpl.java:251)
        at org.alfresco.repo.security.authority.AuthorityServiceImpl.isAdminAuthority(AuthorityServiceImpl.java:169)
        at org.alfresco.service.cmr.workflow.WorkflowPermissionInterceptor.invoke(WorkflowPermissionInterceptor.java:52)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
        at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at com.sun.proxy.$Proxy60.isDefinitionDeployed(Unknown Source)
        at org.alfresco.repo.workflow.WorkflowDeployer.init(WorkflowDeployer.java:293)
        at org.alfresco.repo.workflow.WorkflowDeployer$1$1.doWork(WorkflowDeployer.java:506)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
        at org.alfresco.repo.workflow.WorkflowDeployer$1.execute(WorkflowDeployer.java:502)

In other environments everything works perfectly.
Here are my configuration steps:
REM One AD computer account per service: alf_leas_dms_w is mapped to the HTTP principal below.
dsadd computer "CN=alf_leas_dms_w,OU=memberSrvUnix,DC=wien,DC=rbgat,DC=net"
dsmod computer "CN=alf_leas_dms_w,OU=memberSrvUnix,DC=wien,DC=rbgat,DC=net" -desc "HTTP http://dms.rl.co.at"
REM ktpass maps the principal to the account, sets the account password from -pass and writes the keytab.
REM The -pass value is the secret the keytab key is derived from; the same value is reused for
REM kerberos.authentication.http.password in the global properties, so both files hold the long-term secret.
REM -crypto RC4-HMAC-NT writes only an RC4-HMAC key, a legacy enctype; ktpass also accepts AES256-SHA1 or All,
REM in which case the rc4-hmac-only enctype lines in krb5.conf have to change as well.
REM NOTE(review): the keytab is written with -kvno 0 while the ktutil listing further down shows KVNO 2 - confirm which applies.
ktpass.exe -princ HTTP/dms.rl.co.at@WIEN.RBGAT.NET -pass a7UeCtKR4U -mapuser "CN=alf_leas_dms_w,OU=memberSrvUnix,DC=wien,DC=rbgat,DC=net" -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Users\WRZSWS\Desktop\xldmsp100_alf_leasing_dms_w.keytab -kvno 0

REM Second account, alf_leas_dms_c, for the CIFS principal; same ktpass options as above.
dsadd computer "CN=alf_leas_dms_c,OU=memberSrvUnix,DC=wien,DC=rbgat,DC=net"
dsmod computer "CN=alf_leas_dms_c,OU=memberSrvUnix,DC=wien,DC=rbgat,DC=net" -desc "CIFS http://dms-cifs.rl.co.at"
ktpass.exe -princ CIFS/dms-cifs.rl.co.at@WIEN.RBGAT.NET -pass Dp6R51MqnH -mapuser "CN=alf_leas_dms_c,OU=memberSrvUnix,DC=wien,DC=rbgat,DC=net" -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Users\WRZSWS\Desktop\xldmsp100_alf_leasing_dms_c.keytab -kvno 0

REM Explicit SPN registration on the two accounts.
REM NOTE(review): the second line writes the SPN with an @WIEN.RBGAT.NET suffix, unlike the other two;
REM check what is actually registered on each account with setspn -L before relying on it.
setspn -a CIFS/dms-cifs.rl.co.at alf_leas_dms_c
setspn -a HTTP/dms.rl.co.at@WIEN.RBGAT.NET alf_leas_dms_w
setspn -a HTTP/dms-sp.rl.co.at alf_leas_dms_w

/usr/bin/ktutil
ktutil:  rkt xldmsp100_alf_leasing_dms_w.keytab
ktutil:  rkt xldmsp100_alf_leasing_dms_c.keytab
ktutil:  l (<- the letter L)
slot KVNO Principal
—- —- ———————————————————————
   1    2  HTTP/dms.rl.co.at@SERVER
ktutil:  q

## /etc/krb5.conf
# Log destinations for the Kerberos libraries, KDC and admin server.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# NOTE(review): SERVER (here, in [realms] and in [domain_realm]) looks like a redacted placeholder.
# The JAAS principals and kerberos.authentication.realm use WIEN.RBGAT.NET; the realm name
# has to be identical in all of these places - confirm against the real file.
default_realm = SERVER
# Realm and KDC are taken from this file only, not from DNS.
dns_lookup_realm = false
dns_lookup_kdc = false
# Only rc4-hmac is permitted for TGT and service-ticket requests, matching the RC4-HMAC-NT
# keytabs written by ktpass. RC4-HMAC is a legacy enctype; moving to AES means regenerating
# the keytabs with an AES -crypto value and extending both lines below.
# NOTE(review): on this JDK 1.7, AES-256 additionally needs the unlimited-strength JCE policy files - verify.
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
ticket_lifetime = 24h
forwardable = yes

[realms]
SERVER = {
# The same KDC entry appears twice; a second entry only adds failover if it names a different host.
  kdc = server:88
  kdc = server:88
  default_domain = server
}

# Maps DNS domains (and, with a leading dot, their subdomains) to the realm.
# rl.co.at covers the two service hosts dms.rl.co.at and dms-cifs.rl.co.at.
[domain_realm]
.wien.rbgat.net = SERVER
wien.rbgat.net = SERVER
r-itservices.at = SERVER
.r-itservices.at = SERVER
r-services.at = SERVER
.r-services.at = SERVER
rl.co.at = SERVER
.rl.co.at = SERVER

# Settings in this section apply to the pam application entry only.
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

## /opt/local/java/jdk-1.7.0_71/jre/lib/security/java.login.config
// JAAS login entries. Alfresco, AlfrescoCIFS and AlfrescoHTTP are the names referenced by the
// kerberos.authentication.*.configEntryName properties in the global properties.

// Entry used for user logins: Krb5LoginModule with no keytab or principal options.
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

// Service login for the CIFS principal, taken from the keytab without prompting.
// The keytab holds the service's long-term key: the path must exist on this host and be
// readable by the account running Tomcat. NOTE(review): restrict read access to that account.
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/opt/local/conf/tomcat/dms-prd-leasing/kerberos/xldmsp100_alf_leasing_dms_c.keytab"
   principal="CIFS/dms-cifs.rl.co.at@WIEN.RBGAT.NET";
};

// Service login for the HTTP principal (repository web tier), same pattern as AlfrescoCIFS.
// The principal string must match the one given to ktpass -princ, including the realm.
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/opt/local/conf/tomcat/dms-prd-leasing/kerberos/xldmsp100_alf_leasing_dms_w.keytab"
   principal="HTTP/dms.rl.co.at@WIEN.RBGAT.NET";
};

// Uses the same keytab and HTTP principal as AlfrescoHTTP.
// NOTE(review): presumably the entry for the Share web application - no property shown here references it.
ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/opt/local/conf/tomcat/dms-prd-leasing/kerberos/xldmsp100_alf_leasing_dms_w.keytab"
   principal="HTTP/dms.rl.co.at@WIEN.RBGAT.NET";
};

// Remaining entries fall back to Krb5LoginModule with no options.
com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

# /opt/local/java/jdk-1.7.0_71/jre/lib/security/java.security
# Registers the JAAS login configuration file for every JVM started from this JDK.
# NOTE(review): "java.lang.SecurityException: Configuration Error: No such file or directory" (see the
# catalina.out excerpt) is the message the JDK's JAAS configuration loader gives when a configured
# login file cannot be opened. Verify that this exact path exists on the failing host, that Tomcat
# runs on this JDK, and that no java.security.auth.login.config system property points elsewhere.
login.config.url.1=file:/opt/local/java/jdk-1.7.0_71/jre/lib/security/java.login.config

# global properties
# Chain order: the Kerberos subsystem instance kerberos1 first, then alfrescoNtlm1.
# kerberos1 is the instance whose startup fails in the catalina.out excerpt.
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

# Realm used by the subsystem; it has to agree with the realm in krb5.conf and in the JAAS principals.
kerberos.authentication.realm=WIEN.RBGAT.NET
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.browser.ticketLogons=true
# configEntryName values select the JAAS entries AlfrescoCIFS, AlfrescoHTTP and Alfresco.
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
# The two *.password values are the same secrets passed to ktpass -pass, stored here in clear text.
# NOTE(review): limit read access to this file to the Tomcat account, and change the account
# passwords (regenerating the keytabs) wherever these values have been shared.
kerberos.authentication.cifs.password=Dp6R51MqnH
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=a7UeCtKR4U
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco

thanks for help!
greets sascha
