Service Packs and Hot Fixes / MNT-1499

3.4 new kerberos Share SSO feature does not work from a Linux client (Firefox)

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 3.4
    • Fix Version/s: 3.4.5
    • Component/s: Installer
    • Labels: None
    • Environment: linux+tomcat+mysql from a linux client firefox
    • Bug Priority: Category 2
    • ACT Numbers: 25307

      Description

      3.4 new kerberos Share SSO feature does not work from a Linux client (Firefox)

      How to reproduce?
      ==================
      1) build a linux+tomcat+mysql 3.4b2 alfresco with kerberos auth
      2) activate kerberos in share-config-custom.xml

      cp ./shared/classes/alfresco/web-extension/share-config-custom.xml.sample ./shared/classes/alfresco/web-extension/share-config-custom.xml

      (following the comments)

      3) set kerberos delegation on the alfrescohttp user in AD
      4) in /usr/local/jdk1.6.0_03/jre/lib/security/java.login.config
      add the Share HTTP section:


      Alfresco {
         com.sun.security.auth.module.Krb5LoginModule sufficient;
      };

      AlfrescoCIFS {
         com.sun.security.auth.module.Krb5LoginModule required
         storeKey=true
         useKeyTab=true
         keyTab="/etc/keys/alfrescocifs.keytab"
         principal="cifs/madona.example.foo";
      };

      AlfrescoHTTP {
         com.sun.security.auth.module.Krb5LoginModule required
         storeKey=true
         useKeyTab=true
         keyTab="/etc/keys/alfrescohttp.keytab"
         principal="HTTP/madona.example.foo";
      };

      ShareHTTP {
         com.sun.security.auth.module.Krb5LoginModule required
         storeKey=true
         useKeyTab=true
         keyTab="/etc/keys/alfrescohttp.keytab"
         principal="HTTP/madona.example.foo";
      };

      com.sun.net.ssl.client {
         com.sun.security.auth.module.Krb5LoginModule sufficient;
      };

      other {
         com.sun.security.auth.module.Krb5LoginModule sufficient;
      };


      5) boot alfresco
      6) confirm from a XP client that Explorer kerberos SSO and Share kerberos SSO works OK
      7) try from Firefox on Linux

      Results:
      ========
      From a linux client (firefox) HTTP explorer (jsp client) works with SSO kerberos.

      From a linux client (firefox) HTTP Share fails, with error in the logs:

      11:12:07,217 http-8080-2 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!

      Expected result:
      =================
      It works from Firefox on Linux.

      Notes:
      =====
      a) I played with kinit -f option: no success
      b) I tried modifying in about:config:

      network.negotiate-auth.trusted-uris
      network.negotiate-auth.delegation-uris

      No success.

      c) maybe we need to make the client 'join' the AD Domain, but how?
      using samba 'net' command?

      d) documentation is missing.
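
Added example (not part of the original report and not Alfresco code): a small Python check for the java.login.config from step 4, which parses the entries and reports a missing ShareHTTP section or a keytab entry without keyTab, principal or storeKey=true. The required entry names and the storeKey rule are assumptions taken from the config in this report; the sample text is constructed from it with ShareHTTP left out, and comments in the file are not handled.

```python
import re

# Entry names that step 4 of this report puts in java.login.config.
REQUIRED_ENTRIES = ("Alfresco", "AlfrescoCIFS", "AlfrescoHTTP", "ShareHTTP")
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)   # Name { ... };
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')   # key=value or key="value"

def parse_jaas(text):
    """Return {entry name: [(module class, control flag, options dict), ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        # Module statements end with ';' (assumes no ';' inside quoted values).
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            parts = stmt.split(None, 2)
            if len(parts) < 2:
                continue
            rest = parts[2] if len(parts) > 2 else ""
            opts = {k: v.strip('"') for k, v in OPTION_RE.findall(rest)}
            modules.append((parts[0], parts[1], opts))
        entries[name] = modules
    return entries

def check(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_jaas(text)
    findings = [f"missing entry {n}" for n in REQUIRED_ENTRIES if n not in entries]
    for name, modules in entries.items():
        for _module, _flag, opts in modules:
            if opts.get("useKeyTab") != "true":
                continue  # entries that do not use a keytab need no keytab options
            for key in ("keyTab", "principal"):
                if key not in opts:
                    findings.append(f"{name}: useKeyTab=true but no {key}")
            if opts.get("storeKey") != "true":  # rule assumed from the report's entries
                findings.append(f"{name}: storeKey is not true")
    return findings

# Constructed sample: the report's config with the ShareHTTP section left out.
SAMPLE = """
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
AlfrescoCIFS { com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescocifs.keytab"
    principal="cifs/madona.example.foo"; };
AlfrescoHTTP { com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescohttp.keytab"
    principal="HTTP/madona.example.foo"; };
"""

if __name__ == "__main__":
    print(check(SAMPLE))
```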

    People

    • Assignee: closedbugs Closed Bugs (Inactive)
    • Reporter: amadon Alex Madon [X] (Inactive)
    Time Tracking

    • Original Estimate: Not Specified
    • Remaining Estimate: 0 minutes
    • Time Spent: 2 days, 6 hours
