Good day!

I ran into a problem setting up (more precisely, restoring operation of) authorization when mounting an Alfresco disk in AD through Kerberos. Background (short): the task was to move the servers to a separate subnet. The task was completed; accordingly, the IP addresses, gateways and the like changed. From that moment, problems started with Alfresco: I could not access the Alfresco network drive and was asked for a login/password.
Since the configs there are quite extensive, I'll post only what I think is relevant. If necessary, I will provide any other information.

So, I'll start.
Baseline:
1. Server - Ubuntu 12.04.5 LTS
2. Alfresco 4.2.f
3. Domain Controllers - WinServer 2012R2

In Active Directory, service users (cifs and http) are created for Alfresco, and they are configured in accordance with the manuals and wiki.
On the Ubuntu server, I set up Kerberos and checked the kinit utility both with a regular user and with the Alfresco service users using keytabs; it works without errors. From this I conclude that the settings in krb5.conf are correct.
Next, the Alfresco configs related to Kerberos and CIFS.
alfresco-global.properties

authentication.chain=kerberos1:kerberos,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
### Kerberos and CIFS properties ###
kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=<username>
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=************
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=************
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MY.DOMAIN.COM
kerberos.authentication.stripUsernameSuffix=true

kerberos-authentication.properties

kerberos.authentication.realm=MY.DOMAIN.COM
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=************
kerberos.authentication.authenticateCIFS=true

kerberos-filter.properties

kerberos.authentication.sso.enabled=true
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=************
kerberos.authentication.browser.ticketLogons=true

java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/opt/alfresco-4.2.f/server1cifs.keytab"
   principal="cifs/server1.my.domain.com";
};
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/opt/alfresco-4.2.f/server1http.keytab"
   principal="HTTP/server1.my.domain.com.com";
};
com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

When Alfresco starts, I see the following in the log:

12:06:38,688 WARN [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem ID: [Authentication, managed, kerberos1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [/opt/alfresco-4.2.f/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: Configuration Error: Can not specify multiple entries for Alfresco

The contents of kerberos-authentication-context.xml, which the error refers to:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
   <!-- The authentication component. -->
   <!-- Jass authentication - most of the config goes somewhere else -->
   <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent" parent="authenticationComponentBase">
      <property name="realm">
         <value>${kerberos.authentication.realm}</value>
      </property>
      <property name="jaasConfigEntryName">
         <value>${kerberos.authentication.user.configEntryName}</value>
      </property>
      <property name="nodeService">
         <ref bean="nodeService" />
      </property>
      <property name="personService">
         <ref bean="personService" />
      </property>
      <property name="transactionService">
         <ref bean="transactionService" />
      </property>
      <property name="defaultAdministratorUserNameList">
         <value>${kerberos.authentication.defaultAdministratorUserNames}</value>
      </property>
   </bean>
   <!-- Wrapped version to be used within subsystem -->
   <bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
      <property name="proxyInterfaces">
         <value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
      </property>
      <property name="transactionManager">
         <ref bean="transactionManager" />
      </property>
      <property name="target">
         <ref bean="authenticationComponent" />
      </property>
      <property name="transactionAttributes">
         <props>
            <prop key="*">${server.transaction.mode.default}</prop>
         </props>
      </property>
   </bean>
   <!-- Authenticaton service for chaining -->
   <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
      <property name="ticketComponent">
         <ref bean="ticketComponent" />
      </property>
      <property name="authenticationComponent">
         <ref bean="authenticationComponent" />
      </property>
      <property name="sysAdminParams">
         <ref bean="sysAdminParams" />
      </property>
   </bean>
   <!-- CIFS authentication -->
   <bean id="cifsAuthenticator" class="org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator" parent="cifsAuthenticatorBase">
      <property name="active">
         <value>${kerberos.authentication.authenticateCIFS}</value>
      </property>
      <property name="realm">
         <value>${kerberos.authentication.realm}</value>
      </property>
      <property name="password">
         <value>${kerberos.authentication.cifs.password}</value>
      </property>
      <property name="jaasConfigEntryName">
         <value>${kerberos.authentication.cifs.configEntryName}</value>
      </property>
      <property name="disableNTLM">
         <value>true</value>
      </property>
      <property name="enableTicketCracking">
         <value>${kerberos.authentication.cifs.enableTicketCracking}</value>
      </property>
      <property name="stripKerberosUsernameSuffix">
         <value>${kerberos.authentication.stripUsernameSuffix}</value>
      </property>
   </bean>
</beans>

So that's the snag ... Considering that nothing has changed except the IP addresses of the servers, I wondered what went wrong.
By the way, the domain controllers respond to ping from the Alfresco server by IP, by NETBIOS name, and by FQDN.

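The SecurityException in the log above is raised by the JDK's file-based JAAS configuration loader when the same entry name is defined more than once in the login configuration it reads. The following check is an added example, not part of the original post and not Alfresco code: it lists entry names that occur more than once across a set of JAAS config texts. The sample texts are constructed from the java.login.config in the post, and the second file is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: entries taken from the java.login.config shown in the post.
LOGIN_CONFIG = '''
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true
    keyTab="/opt/alfresco-4.2.f/server1cifs.keytab"
    principal="cifs/server1.my.domain.com";
};
other { com.sun.security.auth.module.Krb5LoginModule sufficient; };
'''

# Constructed sample: a hypothetical second file that the JVM also loads.
SECOND_CONFIG = '''
// leftover copy of the user entry
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
'''

def entry_names(text):
    """Return the application entry names defined in one JAAS config text."""
    text = re.sub(r'"[^"]*"', '""', text)               # blank out option values
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)  # drop block comments
    text = re.sub(r'//[^\n]*', ' ', text)               # drop line comments
    # After stripping, every "{" opens an entry; the token before it is the name.
    return re.findall(r'([\w.$-]+)\s*\{', text)

def duplicate_entries(sources):
    """Map each entry name defined more than once to the sources defining it.

    sources: {label: config text} for every login config the JVM reads.
    """
    seen = defaultdict(list)
    for label, text in sources.items():
        for name in entry_names(text):
            seen[name].append(label)
    return {name: where for name, where in seen.items() if len(where) > 1}

if __name__ == "__main__":
    loaded = {"java.login.config": LOGIN_CONFIG, "second.config": SECOND_CONFIG}
    for name, where in duplicate_entries(loaded).items():
        print(f"multiple entries for {name}: {', '.join(where)}")
```

Feed it every file the JVM actually reads: those named by `login.config.url.N` in `java.security` plus the one given with `-Djava.security.auth.login.config`. A file referenced through both routes counts twice.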