[Archived] Alfresco Community / ALFCOM-3616

CIFS Authentication failing if Windows username different from Alfresco username

    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: JLAN
    • Security Level: external (External user)
    • Labels:
      None
    • Environment:
      Server: Ubuntu Linux 2009.04, Alfresco Enterprise 3.1
      Client: Windows XP Home 2002 Service Pack 3, Internet Explorer 8

      Description

      Hello all,

      My Alfresco server works fine as a shared drive (CIFS/SMB).
      But here is what might be a JLAN problem:

      1) Find a Windows PC and reboot it (to make sure no shares are mounted).
      2) Login as any user who is NOT an Alfresco user (for instance "bob" if your Alfresco does not contain a "bob" user).
      3) Open Alfresco's Web Client as any Alfresco user (for instance "admin").
      4) On any space's details, click on "View in CIFS".
      5) Result: Windows Explorer shows an error. No shared drive gets mounted.

      It is reproducible 90% of the time. What I would expect is a Windows Explorer popup prompting me for a login and password.

      Using Wireshark, I analyzed what is going on on the network.
      I can see that the Windows Explorer client tries to connect via SMB to the Alfresco server using the 3 following credentials:
      [A] Anonymous, no username
      [W] Windows user's account username
      [P] Popup asking for username and password

      When the Windows Explorer client tries to connect using [P], I enter the right credentials and it works. But unfortunately, that only happens rarely. 90% of the time, it just uses [A] and [W] in seemingly random patterns. Here are a few connection attempts I have traced:
      1) [A] [W] [W] [W] [A] [W] [W] [W] [A] [W] failure
      2) [W] [W] [W] [W] [W] [W] [A] [W] failure
      3) [W] [W] [W] [W] [W] [W] [A] [W] [P] success

      This problem is reproducible on different networks with different Windows clients. The problem happens with Internet Explorer 7 and 8, but not with IE6.

      The "View in CIFS" link looks like this: file:///\\NICOA\Alfresco
      If you first manually access file:///\\NICOA then the share gets mounted, and afterwards all "View in CIFS" links work: the Windows Explorer opens the CIFS share as one would expect.

      Cheers,
      Nicolas Raoul

      [A] =
      Session Setup AndX Request, NTLMSSP_NEGOTIATE
      Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
      Session Setup AndX Request, NTLMSSP_CHALLENGE, User: \
      Negotiate Protocol Response
      Tree Connect AndX Request, Path: \\192.168.0.54\IPC$
      Tree Connect AndX response

      [W] =
      Session Setup AndX Request, NTLMSSP_NEGOTIATE
      Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
      Session Setup AndX Request, NTLMSSP_CHALLENGE, User: Voltaire\Nicolas
      Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
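
The [A]/[W]/[P] tracing described in the report can be automated over the Wireshark Info lines it quotes. This is an added example, not part of the original report or of Alfresco/JLAN. The function names, the constructed `NICOA\admin` lines and the rule "any non-desktop account was typed into the prompt" are assumptions.

```python
import re

# Info-column formats as quoted in the report.
SETUP_REQ = re.compile(r"Session Setup AndX Request,.*User: (.*)$")
SETUP_ERR = re.compile(r"Session Setup AndX Response,.*Error: (\w+)")

def classify_attempts(info_lines, desktop_user):
    """Return (label, user, outcome) per Session Setup that carries a user.
    A = anonymous, W = desktop account, P = other account (assumed: prompt)."""
    attempts = []
    for line in info_lines:
        line = line.strip()
        m = SETUP_REQ.match(line)
        if m:
            user = m.group(1).strip()
            if user.strip("\\") == "":
                label = "A"
            elif user.lower() == desktop_user.lower():
                label = "W"
            else:
                label = "P"
            attempts.append([label, user, "unknown"])
            continue
        if not attempts or attempts[-1][2] != "unknown":
            continue
        m = SETUP_ERR.match(line)
        if m and m.group(1) != "STATUS_MORE_PROCESSING_REQUIRED":
            attempts[-1][2] = m.group(1)       # e.g. STATUS_LOGON_FAILURE
        elif (line == "Session Setup AndX Response"
              or line.startswith("Tree Connect AndX Request")):
            attempts[-1][2] = "accepted"       # inferred: session established
    return [tuple(a) for a in attempts]

def pattern(attempts):
    return " ".join(f"[{a[0]}]" for a in attempts)

# First two exchanges follow the report's traces; the third is constructed.
SAMPLE = r"""
Session Setup AndX Request, NTLMSSP_NEGOTIATE
Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
Session Setup AndX Request, NTLMSSP_CHALLENGE, User: \
Tree Connect AndX Request, Path: \\192.168.0.54\IPC$
Session Setup AndX Request, NTLMSSP_CHALLENGE, User: Voltaire\Nicolas
Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
Session Setup AndX Request, NTLMSSP_CHALLENGE, User: NICOA\admin
Session Setup AndX Response
"""

if __name__ == "__main__":
    print(pattern(classify_attempts(SAMPLE.splitlines(), r"Voltaire\Nicolas")))
```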

          Activity

          Nicolas Raoul added a comment -

          Bug ETHREEOH-778 is a consequence of this bug.

          Nicolas Raoul added a comment -

          Just in case anyone wants to play with it, I attach an edited patch for Alfresco Community SVN.
          This patch makes Alfresco send an SMB NEGOTIATE PROTOCOL RESPONSE that is almost identical to what Samba would send.
          The only remaining difference seems to be Max Raw Buffer.
          Warning: very dirty hack.

          Anyway, IE8 does not like it better.

          Nicolas Raoul added a comment -

          The last version of my patch is here:
          https://issues.alfresco.com/jira/browse/ETHREEOH-778

          It fixes the IE7/IE8-related bug for links to top-level folders, but not for links to subfolders.


            People

            • Assignee: Gary Spencer
            • Reporter: Nicolas Raoul
            • Votes: 1
            • Watchers: 2
