
Kerberos and CIFS

Question asked by eddies on Sep 20, 2016
Latest reply on Sep 23, 2016 by eddies

Hello, 

I am trying to get Kerberos authentication working against AD for CIFS support. I am currently running community 201605.

Kerberos on the OS (CentOS 7) works fine. kinit will grab a key. But it does not work in Alfresco.

No matter what I set the principal to be, a packet capture shows Alfresco trying to use the principal "root".

I have spent weeks reading and trying different configs with no luck. 

Here is the error I get. 

2016-09-20 15:06:32,431 INFO [org.alfresco.repo.domain.schema.SchemaBootstrap] [localhost-startStop-1] No changes were made to the schema.
2016-09-20 15:06:33,268 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2016-09-20 15:06:33,366 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

 

Below are my config files. 

 

/opt/alfresco-community-201605/java/lib/security/java.login.config

Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
debug=true
useKeyTab=true
doNotPrompt=true
keyTab="/data/alfresco-community-201605/java/lib/security/svc_alfresco.keytab"
principal="cifs/vm604.xxxDOMAIN";

};


com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

 

/opt/alfresco-community-201605/java/lib/security/java.security

login.config.url.1=file:/opt/alfresco-community-201605/java/lib/security/java.login.config

 

/opt/alfresco-community-201605/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/kerberos/kerberos1/kerberos-authentication.properties

kerberos.authentication.active=true
kerberos.authentication.realm=xxxDOMAIN
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=xxxxxxxxxxxxxx
kerberos.authentication.defaultAdministratorUserNames=
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.stripUsernameSuffix=true

 

/opt/alfresco-community-201605/tomcat/shared/classes/alfresco-global.properties

### CIFS/SMB Server Configuration ###
cifs.enabled=true
cifs.serverName="vm604"
cifs.hostannounce=false
cifs.domain=xxxDOMAIN

kerberos.authentication.active=true

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad1:ldap-ad

 

Thanks for any help. 

-Eddie
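
A small checker for the JAAS file format shown in the post, as an added example that is not part of the original post or Alfresco's own code: it resolves the entry a service login asks for (JAAS falls back to the entry named `other` when the name is missing) and reports whether that entry sets a principal and a keytab. The sample text is constructed from the post's config, and `AlfrescoHTTP` is an assumed entry name for the web filter, which the post's files do not define.

```python
import re

# Constructed sample: the JAAS entries from the post, trimmed to the relevant options.
SAMPLE_JAAS = '''
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/data/alfresco-community-201605/java/lib/security/svc_alfresco.keytab"
principal="cifs/vm604.xxxDOMAIN";

};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
'''

ENTRY_RE = re.compile(r'([\w.]+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')

def parse_jaas(text):
    """Return {entry_name: {option: value}} for every entry in a JAAS config."""
    return {name: dict(OPTION_RE.findall(body))
            for name, body in ENTRY_RE.findall(text)}

def check_service_entry(wanted, entries):
    """Resolve the entry a service login will use and list what it leaves unset."""
    # JAAS falls back to the entry named "other" when the requested name is absent.
    used = wanted if wanted in entries else 'other'
    opts = entries.get(used, {})
    missing = []
    if 'principal' not in opts:
        missing.append('principal')
    if opts.get('useKeyTab') != 'true' or 'keyTab' not in opts:
        missing.append('keyTab')
    return used, missing

if __name__ == '__main__':
    entries = parse_jaas(SAMPLE_JAAS)
    # AlfrescoCIFS comes from the post's properties file; AlfrescoHTTP is an
    # assumed name for the web filter's entry, which the post does not define.
    for wanted in ('AlfrescoCIFS', 'AlfrescoHTTP'):
        used, missing = check_service_entry(wanted, entries)
        print(f'{wanted}: uses [{used}], unset: {missing or "none"}')
```

Against the post's file, `AlfrescoCIFS` resolves to itself with nothing unset, while the assumed `AlfrescoHTTP` resolves to `other`, which sets neither a principal nor a keytab.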
