
Kerberos / LDAP-AD (Samba 4) and File Service SSO

Question asked by gguillotin on Jan 19, 2017

Hi All!

I'm currently working on the setup of an Alfresco Community server. I am running version 5.2.0 on a freshly installed Ubuntu 16.04 64-bit server.

This server will be used in a network containing a domain (Active Directory type, but managed by Samba 4). I have already set up LDAP and Kerberos auth (web user auth is working correctly), but while the startup logs show me everything is alright, I cannot get Kerberos to authenticate my domain users for the file service.

Here is the error stack I get when trying to log in through NetBIOS from a Windows client:

2017-01-19 09:52:29,760 ERROR [org.alfresco.fileserver] [AlfJLANWorker19] Error from JLAN
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1543)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1427)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$2(EnterpriseCifsAuthenticator.java:1311)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:904)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:1)
at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:648)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processAlfrescoSessionSetup(EnterpriseCifsAuthenticator.java:887)
at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:689)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at com.sun.proxy.$Proxy209.processSessionSetup(Unknown Source)
at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:417)
at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:223)
at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1481)
at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:149)
at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
at java.lang.Thread.run(Thread.java:745)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 28 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100)
... 34 more
2017-01-19 09:52:29,762 ERROR [org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator] [AlfJLANWorker19] No SPNEGO response, Kerberos logon failed

Here is what I get when starting the Alfresco server:

2017-01-19 09:51:12,316 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-01-19 09:51:12,317 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal http/myserver.mydomain@MYREALM
2017-01-19 09:51:12,394 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-01-19 09:51:12,394 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal http/myserver.mydomain@MYREALM

Here is my alfresco-global.properties:

###############################
## Common Alfresco Properties #
###############################

dir.root=/opt/alfresco/alf_data

dir.contentstore=/home/alfresco/contentstore
dir.contentstore.deleted=/home/alfresco/contentstore.deleted

alfresco.context=alfresco
alfresco.host=alfresco.public
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=alfresco.public
share.port=8080
share.protocol=http

cifs.enabled=true
cifs.serverName=myserver
cifs.domain=DOMAIN
cifs.hostannounce=true
cifs.tcpipSMB.port=1445
cifs.netBIOSSMB.namePort=1137
cifs.netBIOSSMB.datagramPort=1138
cifs.netBIOSSMB.sessionPort=1139

### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=is2t
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}
db.pool.max=275
db.pool.validate.query=SELECT 1

# The server mode. Set value here
# UNKNOWN | TEST | BACKUP | PRODUCTION
system.serverMode=UNKNOWN

### FTP Server Configuration ###
ftp.port=2121

### RMI registry port for JMX ###
alfresco.rmi.services.port=50500

### External executable locations ###
ooo.exe=/opt/alfresco/libreoffice/program/soffice.bin
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert

jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=verysecret

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=/opt/alfresco

### Solr indexing ###
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.host=localhost
solr.port.ssl=8443

### Allow extended ResultSet processing
security.anyDenyDenies=false

### Smart Folders Config Properties ###
smart.folders.enabled=false

### Remote JMX (Default: disabled) ###
alfresco.jmx.connector.enabled=false

authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@mydomain
ldap.authentication.java.naming.provider.url=ldap://myserver.mydomain:389
ldap.authentication.defaultAdministratorUserNames=someusers
ldap.synchronization.java.naming.security.principal=alfresco@mydomain
ldap.synchronization.java.naming.security.credentials=verysecret
ldap.synchronization.groupSearchBase=ou=Groups,ou=MyOU,dc=my,dc=domain
ldap.synchronization.userSearchBase=ou=Users,ou=MyOU,dc=my,dc=domain
ldap.synchronization.personQuery=memberOf=CN=Employees,OU=Groups,OU=MyOU,DC=my,DC=domain
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

kerberos.authentication.realm=MYREALM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=alfresco
kerberos.authentication.cifs.configEntryName=cifsalfresco
kerberos.authentication.http.configEntryName=httpalfresco
kerberos.authentication.cifs.password=verysecret
kerberos.authentication.http.password=verysecret
kerberos.authentication.defaultAdministratorUserNames=someusers
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true


mail.host=mymta.domain
mail.port=25
mail.encoding=UTF-8
mail.smtp.auth=false

I have generated my two keytab files using samba-tool (the command is /usr/local/samba/bin/samba-tool domain exportkeytab --principal myserver.mydomain@MYREALM /tmp/cifsalfresco.keytab). Here is the result of a klist -ket:

Keytab name: FILE:/etc/keytables/cifsalfresco.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (arcfour-hmac)
2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (aes256-cts-hmac-sha1-96)
2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (aes128-cts-hmac-sha1-96)
2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (des-cbc-md5)
2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (des-cbc-crc)

Finally, here is my /etc/krb5.conf file:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYREALM
allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
MYREALM = {
kdc = myadserver.mydomain
kpasswd_server = myadserver.mydomain
admin_server = myadserver.mydomain
}

[domain_realm]
myadserver.mydomain = MYREALM
.myadserver.mydomain = MYREALM

I can't figure out what I am missing here. Any help would be greatly appreciated. Please let me know if more information could be useful.

Thanks !

Gilles
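As an added diagnostic example (not part of the original post, and not Alfresco or Samba code), the following checker parses a klist -ket listing and the [libdefaults] enctypes of a krb5.conf and reports whether the CIFS SPN has a key for every configured enctype and whether weak enctypes (RC4, DES) are present in the keytab. The sample listing and config fragment are constructed to mirror the ones in the post; the ENCTYPE_ALIASES table is an assumption covering only the MIT krb5 names that appear here.

```python
import re
from typing import Dict, List, Set

# Constructed sample of klist -ket output, laid out like the listing in the post.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/keytables/cifsalfresco.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (arcfour-hmac)
   2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (aes256-cts-hmac-sha1-96)
   2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (aes128-cts-hmac-sha1-96)
   2 01/18/2017 09:11:58 cifs/myserver.mydomain@MYREALM (des-cbc-md5)
"""

# Constructed krb5.conf [libdefaults] fragment matching the post.
KRB5_CONF = """\
[libdefaults]
default_realm = MYREALM
allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
"""

# krb5.conf and klist spell the same enctype differently (rc4-hmac vs arcfour-hmac);
# the alias table is an assumption limited to the names used on this page.
ENCTYPE_ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}
WEAK_ENCTYPES = {"arcfour-hmac", "des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1"}
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)\s*$")

def canonical(enctype: str) -> str:
    return ENCTYPE_ALIASES.get(enctype.lower(), enctype.lower())

def parse_klist(text: str) -> Dict[str, Set[str]]:
    """Map each principal in a klist -ket listing to the enctypes it has keys for."""
    keys: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(canonical(m.group(3)))
    return keys

def parse_libdefault_enctypes(text: str, key: str) -> Set[str]:
    """Return the enctypes listed for one [libdefaults] key (space- or comma-separated)."""
    for line in text.splitlines():
        name, _, value = line.partition("=")
        if name.strip() == key:
            return {canonical(e) for e in re.split(r"[\s,]+", value.strip()) if e}
    return set()

def check_keytab(klist_text: str, krb5_text: str, spn: str) -> List[str]:
    """Report mismatches a Kerberos acceptor for the given SPN would trip over."""
    findings: List[str] = []
    keys = parse_klist(klist_text)
    if spn not in keys:
        return [f"keytab has no key for {spn}; principals present: {sorted(keys)}"]
    for conf_key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        missing = parse_libdefault_enctypes(krb5_text, conf_key) - keys[spn]
        if missing:
            findings.append(f"{conf_key} lists {sorted(missing)} but keytab lacks them for {spn}")
    weak = keys[spn] & WEAK_ENCTYPES
    if weak:
        findings.append(f"{spn} carries weak enctypes {sorted(weak)}; prefer AES-only keys")
    return findings
```

Run check_keytab against the real klist output and krb5.conf with the SPN the Windows client requests (cifs/<host>@<REALM>); an empty list means the keytab and enctype configuration are at least consistent with each other.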
