[MNT-1087] CIFS kerberos authentication does not work with Websphere Created: 13-Oct-10  Updated: 19-Mar-13  Resolved: 04-Apr-11

Status: Closed
Project: Service Packs and Hot Fixes
Component/s: Repository Authentication and SSO
Affects Version/s: 3.3.2
Fix Version/s: 3.4.2

Type: Service Pack Request
Reporter: Alex Madon [X] (Inactive) Assignee: Closed Bugs (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

linux+websphere+mysql


Attachments: Text File alfresco_logs_alex.txt    
Issue Links:
Related
is related to by MNT-1607 3.4 new kerberos Share SSO feature do... Closed
Bug Priority:
Category 2
ACT Numbers:

22236 25311


 Description   

CIFS kerberos authentication does not work with IBM java
This may be just a documentation bug but is probably a genuine bug.

How to reproduce?
==================
1) build a 3.3.2 system (linux+tomcat+mysql) with kerberos auth and Websphere

The documentation documents only the Sun JVM setup.
Research on the Internet shows that the configuration steps should probably be like (please have engineering validate this):

In JRE\lib\security\java.security, add the following line:

login.config.url.1=file:${java.home}/lib/security/java.login.config

In jre/lib/security, create a file java.login.config:
------------------------
Alfresco {
    com.ibm.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.ibm.security.auth.module.Krb5LoginModule required debug=true credsType=acceptor useKeyTab="file:///etc/keys/alfrescocifs.keytab" principal="cifs/madona.example.foo";
};

AlfrescoHTTP {
    com.ibm.security.auth.module.Krb5LoginModule required debug=true credsType=acceptor useKeytab="file:///etc/keys/alfrescohttp.keytab" principal="HTTP/madona.example.foo";
};

com.sun.net.ssl.client {
    com.ibm.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.ibm.security.auth.module.Krb5LoginModule sufficient;
};
--------------

2) boot alfresco

Result:
======
Only HTTP kerberos works.
CIFS kerberos fails with:

16:02:04,834 ERROR [smb.protocol.auth] CIFS Kerberos authenticator error
javax.security.auth.login.LoginException: Bad JAAS configuration: unrecognized option: useKeyTab

full stack attached as alfresco_logs_alex.txt

Expected result:
================
Kerberos CIFS works with IBM java as it is in the supported stacks.



 Comments   
Comment by Alessandro Canovi (Inactive) [ 27-Oct-10 ]

I think your error is caused by the misspelled useKeyTab; it should be useKeytab.

Anyway, it doesn't work for me either on JBoss 5.1.0 using:

java version "1.6.0"
Java(TM) SE Runtime Environment (build pxi3260sr8fp1-20100624_01(SR8 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux x86-32 jvmxi3260sr8ifx-20100609_59383 (JIT enabled, AOT enabled)
J9VM - 20100609_059383
JIT - r9_20100401_15339ifx2
GC - 20100308_AA)
JCL - 20100624_01

Comment by Steve Rigby [X] (Inactive) [ 13-Dec-10 ]

Please reinvestigate

Comment by Alex Madon [X] (Inactive) [ 14-Dec-10 ]

another customer is affected by this: act 25311

Comment by Alfresco QA Team (Inactive) [ 10-Jan-11 ]

Investigation complete.

Summary: we've been able to perform Kerberos-only auth (authentication.chain=kerb:kerberos), both HTTP and CIFS authentication, successfully on Tomcat, JBoss EAP 5.1 and WAS 7.0.0.13.

IBM JDK used for all 3 application servers:

java version "1.6.0"
Java(TM) SE Runtime Environment (build pxi3260sr9-20101125_01(SR9))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux x86-32 jvmxi3260sr9-20101124_69295 (JIT enabled, AOT enabled)
J9VM - 20101124_069295
JIT - r9_20101028_17488ifx2
GC - 20101027_AA)
JCL - 20101119_01

Sample Tomcat configuration:

1. Set the login.config.url.1 property to point to the java.login.config file

sample contents of java.login.config:

Alfresco {
    com.ibm.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.ibm.security.auth.module.Krb5LoginModule required debug=true credsType=acceptor useKeytab="file:///etc/keytab/alfrescocifs.keytab" principal="cifs/alf-72ka.kb.alfresco.org";
};

AlfrescoHTTP {
    com.ibm.security.auth.module.Krb5LoginModule required debug=true credsType=acceptor useKeytab="file:///etc/keytab/alfrescohttp.keytab" principal="HTTP/alf-72k.kb.alfresco.org";
};

com.sun.net.ssl.client {
    com.ibm.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.ibm.security.auth.module.Krb5LoginModule sufficient;
};

2. Sample JBoss configuration (Alessandro, we've tested it and it works)

Add the following to server/default/conf/login-config.xml

<application-policy name="Alfresco">
<authentication>
<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="sufficient"/>
</authentication>
</application-policy>

<application-policy name="AlfrescoCIFS">
<authentication>
<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="debug">true</module-option>
<module-option name="credsType">acceptor</module-option>
<module-option name="useKeytab">file:///etc/keytab/alfrescocifs.keytab</module-option>
<module-option name="principal">cifs/alf-72ka.kb.alfresco.org</module-option>
</login-module>
</authentication>
</application-policy>

<application-policy name="AlfrescoHTTP">
<authentication>
<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="debug">true</module-option>
<module-option name="credsType">acceptor</module-option>
<module-option name="useKeytab">file:///etc/keytab/alfrescohttp.keytab</module-option>
<module-option name="principal">HTTP/alf-72k.kb.alfresco.org</module-option>
</login-module>
</authentication>
</application-policy>

NOTE: JBoss 5 and the IBM JDK have an issue with security domains. If you see the following:

Bad JAAS configuration: unrecognized option: jboss.security.security_domain

in the logs, add the following lines to server/default/deploy/properties-service.xml

<attribute name="Properties">
jboss.security.disable.secdomain.option=true
</attribute>

we consider the info above worth adding to the wiki

3. Websphere issue: seems to occur due to a misspelled property. Successfully logged into http and cifs.
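
Added example, not part of this issue thread and not Alfresco, IBM or Oracle code: a small Python linter that parses a java.login.config and reports Krb5LoginModule option names the named vendor module will reject, which is the shape of the "Bad JAAS configuration: unrecognized option" failure reported in this issue. Assumptions: the option-name tables are the names documented for the IBM (com.ibm.security.auth.module.Krb5LoginModule) and Oracle (com.sun.security.auth.module.Krb5LoginModule) modules as I know them and must be checked against the JDK actually deployed; the two embedded configs are constructed, one mirroring the reporter's file (keeping its useKeyTab spelling in the CIFS entry) and one showing an Oracle-style entry moved to the IBM module by changing only the class name; hostnames and keytab paths are the reporter's placeholders.

```python
"""Lint a JAAS login config (java.login.config) for Krb5LoginModule option
names the chosen vendor's module rejects.  Added example, not code from this
issue or from Alfresco; the option tables are an assumption taken from the
IBM and Oracle module docs, so verify them against the JDK you deploy."""
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}
IBM_KRB5 = "com.ibm.security.auth.module.Krb5LoginModule"
SUN_KRB5 = "com.sun.security.auth.module.Krb5LoginModule"
# Accepted option names per module (assumption, see docstring).  Note the casing:
# IBM 'useKeytab' holds a keytab path; Oracle 'useKeyTab' is a boolean paired with 'keyTab'.
KNOWN_OPTIONS = {
    IBM_KRB5: {"useKeytab", "useDefaultKeytab", "credsType", "principal", "useCcache",
               "useDefaultCcache", "debug", "tryFirstPass", "useFirstPass", "storePass",
               "clearPass", "forwardable", "proxiable", "renewable", "noAddress"},
    SUN_KRB5: {"useKeyTab", "keyTab", "storeKey", "principal", "useTicketCache",
               "ticketCache", "doNotPrompt", "isInitiator", "refreshKrb5Config",
               "renewTGT", "debug", "tryFirstPass", "useFirstPass", "storePass", "clearPass"},
}
# Quoted strings come first so a '//' inside "file:///..." is never read as a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|\{|\}|;|=|[^\s{};="]+', re.S)


def parse_jaas(text):
    """Parse 'Name { Module flag key=value ...; ... };' entries into
    {name: [{"module": str, "flag": str, "options": {key: value}}]}."""
    toks = [t for t in _TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    entries, i = {}, 0
    while i < len(toks):
        name = toks[i]
        if i + 1 >= len(toks) or toks[i + 1] != "{":
            raise ValueError(f"expected '{{' after entry name {name!r}")
        i, modules = i + 2, []
        while toks[i] != "}":
            module, flag = toks[i], toks[i + 1].lower()
            if flag not in FLAGS:
                raise ValueError(f"{name}: bad control flag {flag!r} after {module}")
            i, options = i + 2, {}
            while toks[i] != ";":                          # options run up to ';'
                if toks[i + 1] != "=":
                    raise ValueError(f"{name}: expected key=value at {toks[i]!r}")
                options[toks[i]] = toks[i + 2].strip('"')
                i += 3
            modules.append({"module": module, "flag": flag, "options": options})
            i += 1                                         # skip ';'
        i += 1                                             # skip '}'
        if i < len(toks) and toks[i] == ";":               # optional ';' after the entry
            i += 1
        entries[name] = modules
    return entries


def lint_entries(entries):
    """Return (entry, module, option, message) findings for a parsed config."""
    findings = []
    for entry, modules in entries.items():
        for m in modules:
            known = KNOWN_OPTIONS.get(m["module"])
            if known is None:
                continue                                   # not a Kerberos module we know
            by_lower = {k.lower(): k for k in known}
            other = SUN_KRB5 if m["module"] == IBM_KRB5 else IBM_KRB5
            for opt in m["options"]:
                if opt in known:
                    continue
                if opt.lower() in by_lower:                # this issue: useKeyTab vs useKeytab
                    msg = f"case mismatch, module expects {by_lower[opt.lower()]!r}"
                elif opt in KNOWN_OPTIONS[other]:
                    msg = f"option belongs to {other}"
                else:
                    msg = "unrecognized option"
                findings.append((entry, m["module"], opt, msg))
            if m["module"] == IBM_KRB5 and m["options"].get("credsType") == "acceptor":
                present = {k.lower() for k in m["options"]}   # case-folded: casing flagged above
                for needed in ("principal", "usekeytab"):     # a service entry needs both
                    if needed not in present:
                        findings.append((entry, m["module"], needed, "missing for acceptor"))
    return findings


def lint_text(text):
    return lint_entries(parse_jaas(text))


# Constructed sample mirroring the reporter's file: only the CIFS entry carries the
# 'useKeyTab' spelling, which is why CIFS fails while HTTP works.
REPORTER_CONFIG = """
Alfresco { com.ibm.security.auth.module.Krb5LoginModule sufficient; };
AlfrescoCIFS { com.ibm.security.auth.module.Krb5LoginModule required debug=true
    credsType=acceptor useKeyTab="file:///etc/keys/alfrescocifs.keytab"
    principal="cifs/madona.example.foo"; };
AlfrescoHTTP { com.ibm.security.auth.module.Krb5LoginModule required debug=true
    credsType=acceptor useKeytab="file:///etc/keys/alfrescohttp.keytab"
    principal="HTTP/madona.example.foo"; };
other { com.ibm.security.auth.module.Krb5LoginModule sufficient; };
"""
# Constructed: an Oracle-style entry moved to the IBM module by swapping only the class name.
PORTED_CONFIG = """
AlfrescoCIFS { com.ibm.security.auth.module.Krb5LoginModule required
    useKeyTab=true keyTab="/etc/keys/alfrescocifs.keytab" storeKey=true
    principal="cifs/madona.example.foo"; };
"""
```

Calling lint_text(REPORTER_CONFIG) returns one finding, on the AlfrescoCIFS entry (useKeyTab should be useKeytab), and nothing for AlfrescoHTTP, which matches the observed behaviour that HTTP worked and CIFS did not; lint_text(PORTED_CONFIG) flags useKeyTab, keyTab and storeKey, since the IBM module takes the keytab path directly in useKeytab. Run it over the file before restarting the server rather than waiting for the LoginException; the parser is deliberately strict and raises on a malformed entry.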

Comment by Steve Rigby [X] (Inactive) [ 04-Apr-11 ]

Marked as resolved; the information appears to indicate it was a misconfiguration.

Comment by Yves Martin (Inactive) [ 04-Apr-11 ]

Hello,

I (client bug reporter) still do not understand what was wrong in my own setup, in which HTTP works properly but not CIFS with IBM Java.
In that setup (3.3 SP2), I switched from Sun/Oracle (in that case both CIFS and HTTP work) to IBM, only changing the java.login.config.

In fact, you point out the misspelling "useKeyTab" in java.login, but that error comes from M. Alex Madon. My configuration was correct.

Please update Authentication subsystem documentation with specific IBM Java and WebSphere details:
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos

Then I will deploy the latest version again to validate; maybe a code fix has been included since my report and your tests done on 3.4.3.

Comment by Steve Rigby [X] (Inactive) [ 19-Apr-11 ]

For retest in 3.4.2

Comment by Alfresco QA Team (Inactive) [ 21-Apr-11 ]

Validated against 3.4.2.333

Generated at Mon Jun 21 20:48:32 BST 2021 using Jira 7.13.15#713015-sha1:7c5ddd2c3e1709974ae9c48c17df8edd3919fe2c.