[MNT-1499] 3.4 new kerberos Share SSO feature does not work from a Linux client (Firefox) Created: 21-Dec-10  Updated: 22-Mar-13  Resolved: 24-Aug-11

Status: Closed
Project: Service Packs and Hot Fixes
Component/s: Installer
Affects Version/s: 3.4
Fix Version/s: 3.4.5

Type: Service Pack Request
Reporter: Alex Madon [X] (Inactive) Assignee: Closed Bugs (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: 0 minutes
Time Spent: 2 days, 6 hours
Original Estimate: Not Specified
Environment:

linux+tomcat+mysql from a linux client firefox


Issue Links:
Related
relates to MNT-1607 3.4 new kerberos Share SSO feature do... Closed
is related to by MNT-7128 when using Share Kerberos SSO new fea... Closed
Bug Priority:
Category 2
ACT Numbers:

25307


Description

3.4 new kerberos Share SSO feature does not work from a Linux client (Firefox)

How to reproduce?
==================
1) build a linux+tomcat+mysql 3.4b2 alfresco with kerberos auth
2) activate kerberos in share-config-custom.xml

cp ./shared/classes/alfresco/web-extension/share-config-custom.xml.sample ./shared/classes/alfresco/web-extension/share-config-custom.xml

(following the comments)

3) set kerberos delegation on the alfrescohttp user in AD
4) in /usr/local/jdk1.6.0_03/jre/lib/security/java.login.config
add the Share HTTP section:


Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };

AlfrescoCIFS { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescocifs.keytab" principal="cifs/madona.example.foo"; };

AlfrescoHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescohttp.keytab" principal="HTTP/madona.example.foo"; };

ShareHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescohttp.keytab" principal="HTTP/madona.example.foo"; };

com.sun.net.ssl.client { com.sun.security.auth.module.Krb5LoginModule sufficient; };

other { com.sun.security.auth.module.Krb5LoginModule sufficient; };


5) boot alfresco
6) confirm from an XP client that Explorer kerberos SSO and Share kerberos SSO work OK
7) try from Firefox on Linux

Results:
========
From a linux client (firefox) HTTP explorer (jsp client) works with SSO kerberos.

From a linux client (firefox) HTTP Share fails, with error in the logs:

11:12:07,217 http-8080-2 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!

Expected result:
=================
It works from Firefox on Linux.

Notes:
=====
a) I played with kinit -f option: no success
b) I tried modifying in about:config:

network.negotiate-auth.trusted-uris
network.negotiate-auth.delegation-uris

No success.

c) maybe we need to make the client 'join' the AD Domain, but how?
using samba 'net' command?

d) documentation is missing.



Comments
Comment by Yves Martin (Inactive) [ 21-Dec-10 ]

The warning comes from a missing "forwardable" flag in your TGT.

Edit /etc/krb5.conf and add the following line in [libdefaults] section
forwardable = true

Then the warning will disappear and Share SSO now fails silently:
16:21:09,170 DEBUG [org.alfresco.web.site.servlet.SSOAuthenticationFilter] Processing request /share/page/site-index SID:4A70244B16EE616F1D08CBFD7FD2E8B9
16:21:10,591 DEBUG [org.alfresco.web.site.servlet.SSOAuthenticationFilter] New auth request from 10.10.113.23 (10.10.113.23:45007)
16:21:10,609 DEBUG [org.alfresco.web.site.servlet.SSOAuthenticationFilter] Repository session timed out - restarting auth process...

And so Explorer SSO no longer works with Sun Java.
With 3.3, I received a stack trace from the Sun Kerberos stack with something like "invalid check sum" for RC4-HMAC, but it seems 3.4 no longer throws it in the log files.

My guess: the "TGS+forwarded TGT" is not properly built by the Linux MIT Kerberos libraries (current version 1.8.1).

A work-around exists in IBM Java.
If you switch JVM to IBM Java 6 and adapt java.login.config, then the Explorer SSO works again, even with "forwardable=true".

Comment by Yves Martin (Inactive) [ 21-Dec-10 ]

Just forgot to say that a new kinit is required after changes in /etc/krb5.conf.
With klist -ef, you should see "Flags: FRIA" on your TGT and "Flags: FRAO" on your TGS to expect Kerberos delegation between Share and Explorer to work.
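The flag check described in the comment above, as an added example that is not part of the Jira issue: a small shell filter that parses `klist -ef` output and reports whether the TGT and the service tickets carry the F (forwardable) flag. The klist output embedded below is constructed sample data; the principal names follow the ones used in the issue.

```shell
#!/bin/sh
# Added example, not from the Jira issue: verify the ticket-flag precondition
# given above ("F" on the TGT and on the service ticket) by parsing `klist -ef`.
# The sample klist output further down is constructed.

check_delegation_flags() {
    # Reads klist -ef output on stdin. Exits 0 when a krbtgt/ TGT was found and
    # every ticket carries the F (forwardable) flag; exits 1 otherwise.
    # Lower-case "f" means "forwarded", not "forwardable", so the match is case-sensitive.
    awk '
        # Ticket lines end in a service principal; skip the "Default principal:" header.
        /@/ && $1 != "Default" && $1 != "Flags:" { principal = $NF; next }
        $1 == "Flags:" {
            flags = $2; sub(/,$/, "", flags)
            if (principal ~ /^krbtgt\//) tgt_seen = 1
            if (flags ~ /F/) printf "forwardable:     %-40s %s\n", principal, flags
            else { printf "NOT forwardable: %-40s %s\n", principal, flags; bad = 1 }
        }
        END { if (!tgt_seen) { print "no TGT in cache - run kinit"; bad = 1 }; exit bad }
    '
}

# Constructed klist -ef output: forwardable TGT (FRIA) and service ticket (FRAO).
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alex@EXAMPLE.FOO

Valid starting     Expires            Service principal
12/21/10 10:00:00  12/21/10 20:00:00  krbtgt/EXAMPLE.FOO@EXAMPLE.FOO
	Flags: FRIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
12/21/10 10:01:00  12/21/10 20:00:00  HTTP/madona.example.foo@EXAMPLE.FOO
	Flags: FRAO, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# Constructed output for a cache obtained without "forwardable = true": no F flag,
# which is the state that produces the "credentials can not be delegated!" warning.
SAMPLE_BAD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alex@EXAMPLE.FOO

Valid starting     Expires            Service principal
12/21/10 10:00:00  12/21/10 20:00:00  krbtgt/EXAMPLE.FOO@EXAMPLE.FOO
	Flags: RIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
12/21/10 10:01:00  12/21/10 20:00:00  HTTP/madona.example.foo@EXAMPLE.FOO
	Flags: RAO, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

printf '%s\n' "$SAMPLE_OK"  | check_delegation_flags && echo "OK: delegation possible"
printf '%s\n' "$SAMPLE_BAD" | check_delegation_flags || echo "FAIL: set forwardable = true in [libdefaults] and kinit again"
# On a real client: klist -ef | check_delegation_flags
```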

Comment by Alex Madon [X] (Inactive) [ 22-Dec-10 ]

I just called Yves:

The word "work around" related to the logs line. It means that to remove the warning you can use forwardable tickets with IBM java.

HOWEVER, it does NOT mean this is a workaround for this issue. To clarify,
we know nobody up to now who found a set of parameters (JVM, kerberos, encoding, ticket options) that can make Share kerberos SSO work from a Linux client.

It may be however that the fix of ALF-6284 also fixes this jira

Comment by Pavel Yurkevich (Inactive) [ 24-Aug-11 ]

Unable to reproduce the problem using an alfresco 3.4.5 build from the V3.4-BUG-FIX svn branch. I was able to log in to the Share app successfully using kerberos from a linux client (used RHEL 5.5, FF 3.0.18). Login was also successful when alfresco/share was deployed on Websphere (required the changes from ALF-6284).

Comment by Monica Basandrai [X] (Inactive) [ 01-Sep-11 ]

Retest with build 328

Comment by Alfresco QA Team (Inactive) [ 07-Oct-11 ]

Successfully validated using Alfresco Enterprise - v3.4.5 (498), Centos, Tomcat, mysql, Java 6 (all installer deployed) AndreiMa, AlexeyBu

Generated at Mon Jun 21 20:34:48 BST 2021 using Jira 7.13.15#713015-sha1:7c5ddd2c3e1709974ae9c48c17df8edd3919fe2c.