
Alfresco with CIFS

After successfully configuring Alfresco to authenticate against Active Directory, we will try the hardest part of the Alfresco configuration.

Alfresco with CIFS

I tried configuring this for weeks to no avail.  Searched Google, Yahoo, Bing, etc.  Still no luck.

Finally I hit a jackpot!

Let me tell you how I did it.

I only edited /opt/alfresco/tomcat/shared/classes/alfresco-global.properties and didn’t touch any other file.  Remember to put your configuration at the end of the file.

The authentication chain should be alfrescoNtlm, passthru and ldap.

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap

Why three?

According to the Alfresco wiki, ldap can synchronize users and groups with Active Directory (which is what we did in the previous post), while passthru can handle authentication for CIFS.  Read the Note carefully; it will save you a headache.

Alfresco NTLM, passthru and ldap configuration for CIFS

ntlm.authentication.sso.enabled=false
ntlm.authentication.authenticateCIFS=false
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false
passthru.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=true
ldap.authentication.active=false
ldap.synchronization.active=true

Authentication domain can be left blank while the authentication server

passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=<NetBIOS.DOMAIN>\\<Your.ActiveDirectory.IP.Address>

I don’t want unknown users to connect to my Alfresco server.

ntlm.authentication.sso.enabled=false
ntlm.authentication.mapUnknownUserToGuest=false

I don’t want to use FTP.

passthru.authentication.authenticateFTP=false

Define the administrator accounts separated by commas.  In my case, I want my Administrator account.

passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=administrator
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS

LDAP synchronization: we have to define the authentication type and the authentication server URL.

ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://<Your.ActiveDirectory.IP.Address>:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false

We need to provide an Active Directory account with Administrator privileges to bind to Active Directory.

ldap.synchronization.java.naming.security.principal=<NetBIOS>\\administrator
ldap.synchronization.java.naming.security.credentials=<Administrator.password>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)

Search bases for group and user synchronization in the domain.

ldap.synchronization.groupSearchBase=cn\=users,dc=<your.domain>,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=<your.domain>,dc=com

The attribute mappings and query settings we want to use against Active Directory:

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=true

CIFS Configuration.

cifs.disableNativeCode=false
cifs.enabled=true
cifs.serverName=<Alfresco.server.name>
cifs.domain=<NetBIOS.Domain>
cifs.hostannounce=true
cifs.sessionTimeout=500
cifs.ipv6.enabled=false
cifs.tcpipSMB.port=1445
cifs.netBIOSSMB.namePort=1137
cifs.netBIOSSMB.datagramPort=1138
cifs.netBIOSSMB.sessionPort=1139
cifs.WINS.autoDetectEnabled=true
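Before restarting, it is worth linting the properties block for the slips this post runs into (an en-dash or curly quote pasted from a web page, the misspelt ntlm.authentication.sso.enables key, two subsystems both authenticating CIFS, a CIFS port below 1024 that a non-root Alfresco cannot bind). The checker below is an added example, not part of the original post or of Alfresco; SAMPLE is a constructed excerpt of the settings above with those slips included.

```python
import re
# Constructed sample: the post's settings with the misspelt sso key, curly quotes and a low port.
SAMPLE = """
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap
ntlm.authentication.sso.enables=false
ntlm.authentication.authenticateCIFS=false
alfresco.authentication.authenticateCIFS=false
passthru.authentication.authenticateCIFS=true
ldap.synchronization.timestampFormat=yyyyMMddHHmmss\u2019.0Z\u2019
cifs.enabled=true
cifs.tcpipSMB.port=1445
cifs.netBIOSSMB.sessionPort=139
"""
CIFS_PORT_KEYS = ("cifs.tcpipSMB.port", "cifs.netBIOSSMB.namePort",
                  "cifs.netBIOSSMB.datagramPort", "cifs.netBIOSSMB.sessionPort")

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments
    skipped, backslash escapes such as cn\\=users kept verbatim, last value wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^=:\s])+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def lint(text):
    """Return a list of warnings for the pitfalls this post runs into."""
    props, issues = parse_properties(text), []
    if re.search("[\u2013\u2014\u2018\u2019\u201c\u201d]", text):
        issues.append("en-dash or curly quote present: re-type the line with ASCII - and '")
    if "ntlm.authentication.sso.enables" in props:
        issues.append("ntlm.authentication.sso.enables is misspelt: the key is ...sso.enabled")
    cifs_auth = [k for k, v in props.items()
                 if k.endswith(".authenticateCIFS") and v.lower() == "true"]
    if props.get("cifs.enabled", "false").lower() == "true" and len(cifs_auth) != 1:
        issues.append("exactly one subsystem should authenticate CIFS, found %r" % cifs_auth)
    for key in CIFS_PORT_KEYS:
        if props.get(key, "").isdigit() and int(props[key]) < 1024:
            issues.append("%s=%s is a privileged port: a non-root Alfresco cannot bind it, "
                          "use a port >= 1024 and redirect with iptables" % (key, props[key]))
    return issues

if __name__ == "__main__":
    for issue in lint(SAMPLE):
        print("WARN:", issue)
```

Run it on your real file with lint(open(path).read()) once the settings have been pasted in.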

Save and start Alfresco.

I’m running Alfresco as alfresco_user.  That means it doesn’t have the privilege to use the SMB ports.  iptables comes in handy.  (whisper:  I got this from the Alfresco wiki ;))

# iptables -F
# iptables -t nat -F
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
# iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
# iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
# iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138

In my case I opened three terminals: one for monitoring the Alfresco log in case there’s an error, a second to modify alfresco-global.properties, and a third to start/stop Alfresco.

alf_start.sh

Neat, eh!  No error.  We’ll try to connect to Alfresco from Windows XP.

ERROR [org.alfresco.fileserver] java.lang.IllegalArgumentException: NetworkFile does not implement NetworkFileStateInterface
ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.server.filesys.cache.FileStateLockManager.lockFile(FileStateLockManager.java:147)
ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.smb.server.NTProtocolHandler.procLockingAndX(NTProtocolHandler.java:2104)
ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:299)
ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.smb.server.SMBSrvSession.runHandler(SMBSrvSession.java:1366)
ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1458)
ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:105)
ERROR [org.alfresco.fileserver]    at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
ERROR [org.alfresco.fileserver]    at java.lang.Thread.run(Thread.java:619)

What?!  Error again! (went to the pantry and got a coffee)

Troubleshooting:

Checking the iptables rules

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds redir ports 1445
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn redir ports 1139
REDIRECT   udp  --  anywhere             anywhere            udp dpt:netbios-ns redir ports 1137
REDIRECT   udp  --  anywhere             anywhere            udp dpt:netbios-dgm redir ports 1138

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Everything seems to be in order.

I will try connecting to the ports from my Linux box.

# smbclient -U andy \\\\<Alfresco.server.IP.Address>\\alfresco -p 1139
Enter andy’s password:
Domain=[<NetBIOS.Domain>] OS=[Java] Server=[Alfresco CIFS Server 5.1.0]
smb: \> ls
.                                   D        0  Tue Jul 13 16:06:10 2010
.                                   D        0  Tue Jul 13 16:06:10 2010
__Alfresco.url                      R      134  Tue Jul 20 15:49:37 2010
Data Dictionary                     D        0  Tue Jul 13 16:06:10 2010
Guest Home                          D        0  Tue Jul 13 16:06:11 2010
User Homes                          D        0  Tue Jul 13 16:06:11 2010
Sites                               D        0  Tue Jul 13 16:06:26 2010
Web Projects                        D        0  Tue Jul 13 16:06:52 2010
Web Deployed                        D        0  Tue Jul 13 16:06:53 2010

40000 blocks of size 2097152. 36000 blocks available
smb: \>

That’s good.  The Linux box was able to connect to Alfresco.  Port forwarding is working perfectly.  But not from Windows XP.  Why?! (Thinking… sipping coffee)

Wait.  I used port 1139 instead of 139; Windows uses port 139, not 1139.  I’ll try again, this time connecting from my Linux box to port 139.

# smbclient -U andy \\\\<Alfresco.server.IP.Address>\\alfresco -p 139
Enter andy’s password:
Connection to <Alfresco.server.IP.Address> failed (Error NT_STATUS_CONNECTION_REFUSED)

BAM!  Error!  NT_STATUS_CONNECTION_REFUSED (Thinking… Pulling my hair)

That means port 139 is closed.  If it’s closed we need to open it.

# iptables -A INPUT -p udp -m state --state NEW --dport 137 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW --dport 138 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW --dport 445 -j ACCEPT

The iptables rules above accept new connections on ports 137, 138, 139 and 445 so that the redirection takes effect; otherwise iptables would drop connections on those ports.
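The post checks the redirect by hand with smbclient, first against 1139 and then against 139. The probe below is an added example (not from the original post) that does the same for both TCP pairs from another machine and classifies what it finds; it assumes the Alfresco host address is passed as the first command-line argument.

```python
import socket
import sys

# Well-known SMB/NetBIOS TCP ports mapped to the ports the post binds Alfresco to
# (UDP 137/138 are omitted because a UDP connect cannot tell open from filtered).
TCP_REDIRECTS = {445: 1445, 139: 1139}

MESSAGES = {
    "ok": "service listening and redirect working",
    "redirect-missing": "service answers on the high port only: check the nat "
                        "PREROUTING REDIRECT rule and the filter INPUT chain",
    "foreign-listener": "well-known port answers but the high port does not: "
                        "another SMB server (e.g. Samba) may own it",
    "down": "neither port answers: is Alfresco CIFS started and bound to this address?",
}

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(host, redirects=TCP_REDIRECTS, probe=tcp_open):
    """Map each well-known port to a state code; 'probe' is injectable for tests.
    Note: connections made from the Alfresco host itself (127.0.0.1) do not pass
    through nat PREROUTING, so run this from another machine to test the redirect."""
    states = {}
    for low, high in redirects.items():
        high_ok, low_ok = probe(host, high), probe(host, low)
        if high_ok and low_ok:
            states[low] = "ok"
        elif high_ok:
            states[low] = "redirect-missing"
        elif low_ok:
            states[low] = "foreign-listener"
        else:
            states[low] = "down"
    return states

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for low, state in diagnose(target).items():
        print("%d -> %d: %s" % (low, TCP_REDIRECTS[low], MESSAGES[state]))
```

The "redirect-missing" state is exactly the situation in the post: 1139 answers, 139 is refused.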

Try again.  Test Alfresco from Windows XP.

Good!  Good!  No error.  I was able to connect.

Let’s try to copy a file to Alfresco.

Neat!  Accepting connections on ports 137, 138, 139 and 445 solved the problem.

Ha! Ha! Ha!

Hope you’ll be happy like me ;)

  1. dwud31
    July 26, 2010 at 4:20 am | #1

    Hey, thanks. Just what I was looking for. Worked great!

  2. August 24, 2010 at 1:19 pm | #2

    I have been following this blog for some time now; good job, by the way.

  3. Pragnesh
    August 26, 2010 at 6:59 pm | #3

    I did run the command to open the port. (Please note that the 2 dashes in the command are replaced with a different character, and hence copy-paste does not work.)

    iptables -A INPUT -p tcp -m state --state NEW --dport 139 -j ACCEPT

    However, I am still getting this while the connection to 1139 goes through:

    smbclient -U admin \\\\127.0.0.1\\alfresco -p 139
    Error connecting to 127.0.0.1 (Connection refused)
    Connection to 127.0.0.1 failed (Error NT_STATUS_CONNECTION_REFUSED)

    • September 6, 2010 at 8:07 am | #4

      Yes, you’re right, copy and paste will not work. You have to type the iptables command to make it work.

      The iptables ACCEPT parameters should be:
      iptables -A INPUT -p tcp -m state --state NEW --dport 139 -j ACCEPT

      You can check your Alfresco server for a successful connection. Here all connections will be redirected to port 1139.

      # netstat -an | grep 139
      tcp6 0 0 :::1139 :::* LISTEN
      tcp6 0 0 :1139 :35091 ESTABLISHED

  4. September 6, 2010 at 6:26 am | #5

    Thank you very much. It’s been useful for me but doesn’t work with Windows 7.

  5. Chris Baechle
    October 12, 2010 at 5:47 pm | #9

    Thanks! This was really useful. How would I enforce some sort of group membership? Say I had a group alfrescousers in my Active Directory. What field contains what group the user needs to be a member of?

  6. Sebastian Wilwerth
    February 1, 2011 at 6:35 pm | #10

    If you get refused connections or NT_STATUS_CONNECTION_REFUSED from smbclient,
    there is a tip when using -j REDIRECT.

    If you have changed the IP bind address of the Alfresco CIFS file server to another IP, or a virtual IP that is not listening on localhost, you cannot use -j REDIRECT --to-port.
    You need to use -j DNAT --to-destination instead.

    In my case, the bind address of the file server is 192.168.1.204, and the iptables rules look like:

    #tcp alfresco CIFS
    iptables -t nat -A PREROUTING -d 192.168.1.204 -p tcp --dport 139 -j DNAT --to-destination 192.168.1.204:1139
    iptables -t nat -A PREROUTING -d 192.168.1.204 -p tcp --dport 445 -j DNAT --to-destination 192.168.1.204:1445

    #udp alfresco CIFS
    iptables -t nat -A PREROUTING -d 192.168.1.204 -p udp --dport 137 -j DNAT --to-destination 192.168.1.204:1137
