Centos

憑證不能被委派 - Alfresco Share

  • October 8, 2013

我在 Redhat 6 上配置 Alfresco 4.0.d 時遇到了困難。

我正在使用 Kerberos 身份驗證,它似乎工作正常,並且單點登錄正在主 alfresco 應用程序本身上工作。我已經完成了配置步驟以使共享應用程序正常工作,但盡我所能,每次瀏覽器訪問時,我都會在 catalina.out 中收到此錯誤http://server:8080/share以及“Windows 安全”密碼框。

WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!

這是我到目前為止所做的:

使用 AD 使用者和電腦,選擇alfrescohttp帳戶,然後選擇“信任此使用者以委託任何服務(僅限 Kerberos)。

共享配置-custom.xml

複製/opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sampleshare-config-custom.xml編輯如下:

  <config evaluator="string-compare" condition="Kerberos" replace="true">
     <kerberos>
        <password>*****</password>
        <realm>MYDOMAIN.CO.UK</realm>
        <endpoint-spn>HTTP/server.mydomain.co.uk@MYDOMAIN.CO.UK</endpoint-spn>
        <config-entry>ShareHTTP</config-entry>
     </kerberos>
  </config>


  <config evaluator="string-compare" condition="Remote">
     <remote>
        <keystore>
            <path>alfresco/web-extension/alfresco-system.p12</path>
            <type>pkcs12</type>
            <password>alfresco-system</password>
        </keystore>

        <connector>
           <id>alfrescoCookie</id>
           <name>Alfresco Connector</name>
           <description>Connects to an Alfresco instance using cookie-based authentication</description>
           <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
        </connector>

        <endpoint>
           <id>alfresco</id>
           <name>Alfresco - user access</name>
           <description>Access to Alfresco Repository WebScripts that require user authentication</description>
           <connector-id>alfrescoCookie</connector-id>
           <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
           <identity>user</identity>
           <external-auth>true</external-auth>
        </endpoint>
     </remote>
  </config>

krb5.conf

像這樣設置/etc/krb5.conf文件:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.CO.UK
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
proxiable = true

[realms]
MYDOMAIN.CO.UK = {
 kdc = mydc.mydomain.co.uk
 admin_server = mydc.mydomain.co.uk
}

[domain_realm]
.mydc.mydomain.co.uk = MYDOMAIN.CO.UK
mydc.mydomain.co.uk = MYDOMAIN.CO.UK

java.login.config

/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config配置如下:

Alfresco {
  com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  useKeyTab=true
  keyTab="/etc/alfrescocifs.keytab"
  principal="cifs/server.mydomain.co.uk";
};

AlfrescoHTTP {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  useKeyTab=true
  keyTab="/etc/alfrescohttp.keytab"
  principal="HTTP/server.mydomain.co.uk";
};

com.sun.net.ssl.client {
  com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
  com.sun.security.auth.module.Krb5LoginModule sufficient;
};

ShareHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/alfrescohttp.keytab"
principal="HTTP/server.mydomain.co.uk";
};

alfresco-global.conf

最後,以下設置alfresco-global.conf

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

kerberos.authentication.real=MYDOMAIN.CO.UK
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=******
kerberos.authentication.http.password=*****
kerberos.authentication.defaultAdministratorUserNames=administrator

ntlm.authentication.sso.enabled=true

正如我所說,我已經為此碰壁了,我非常感謝你能給我的任何幫助!這個問題也發佈在 Alfresco 論壇上,但我想知道 serverfault 上是否有人遇到過類似的實施挑戰?

從 krb5.conf 中刪除以下行解決了該問題。

forwardable = true
proxiable = true

引用自:https://serverfault.com/questions/399384