
  <authenticator>
    <class>org.alfresco.jlan.server.auth.passthru.PassthruAuthenticator</class>
    <mode>USER</mode>
    <Domain>STARLASOFT</Domain>
  </authenticator>
</security>

2.4.8.3 Enterprise Authenticator

The org.alfresco.jlan.server.auth.EnterpriseCifsAuthenticator authenticator implementation provides support for newer CIFS authentication types such as NTLMSSP, SPNEGO, NTLMv2 and Active Directory/Kerberos.

Enterprise CIFS Authenticator

<class>...</class>
    Specifies the authenticator class. Use org.alfresco.jlan.server.auth.EnterpriseCifsAuthenticator for the enterprise authenticator.

<mode>...</mode>
    Specifies the security mode. This should be set to USER for the passthru authenticator.

<KDC>...</KDC>
    IP address or DNS name of the Active Directory server.

<Realm>...</Realm>
    Kerberos realm.

<Password>...</Password>
    Account password used by the server to get a service ticket.

<LoginEntry>...</LoginEntry>
    Java security login configuration file entry name. Defaults to 'JLANServerCIFS'.

<disallowNTLMV1/>
    Do not allow weaker NTLMv1 logins.

<kerberosDebug/>
    Enables Java API debug output. Using this setting is equivalent to setting the system properties sun.security.jgss.debug and sun.security.krb5.debug to true.

A sample security configuration section is shown below:-

<security>
  <authenticator>
    <class>org.alfresco.jlan.server.auth.EnterpriseCifsAuthenticator</class>
    <KDC>win2003.alfresco.com</KDC>
    <Realm>ALFRESCO</Realm>
    <Password>password</Password>
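As an added example (not code from the JLAN kit), the following Python lint reads a <security> section in the shape documented above and flags the settings this section describes: a missing <disallowNTLMV1/>, <kerberosDebug/> left switched on, a lowercase realm, and a <Password> still holding the sample value. Both configurations are constructed here; the KDC host, realm and password values are placeholders.

```python
import xml.etree.ElementTree as ET

ENTERPRISE_CLASS = "org.alfresco.jlan.server.auth.EnterpriseCifsAuthenticator"

# Constructed sample (not from the JLAN kit): enterprise authenticator with the
# literal 'password' value, a lowercase realm, NTLMv1 still allowed and
# Kerberos debug output left switched on.
WEAK_CONFIG = """<security>
  <authenticator>
    <class>org.alfresco.jlan.server.auth.EnterpriseCifsAuthenticator</class>
    <mode>USER</mode>
    <KDC>dc1.example.test</KDC>
    <Realm>example.test</Realm>
    <Password>password</Password>
    <kerberosDebug/>
  </authenticator>
</security>"""

# Constructed hardened counterpart of the same section.
HARDENED_CONFIG = """<security>
  <authenticator>
    <class>org.alfresco.jlan.server.auth.EnterpriseCifsAuthenticator</class>
    <mode>USER</mode>
    <KDC>dc1.example.test</KDC>
    <Realm>EXAMPLE.TEST</Realm>
    <Password>Xk7-constructed-svc-pw</Password>
    <LoginEntry>JLANServerCIFS</LoginEntry>
    <disallowNTLMV1/>
  </authenticator>
</security>"""


def lint_security(xml_text):
    """Return a list of findings for the <authenticator> block of a <security> section."""
    findings = []
    auth = ET.fromstring(xml_text).find("authenticator")
    if auth is None:
        return ["no <authenticator> element in <security>"]

    def text(tag):
        el = auth.find(tag)
        return (el.text or "").strip() if el is not None else None

    if text("class") != ENTERPRISE_CLASS:
        return [f"class is {text('class')!r}, not the enterprise authenticator"]
    if text("mode") != "USER":
        findings.append("<mode> must be USER")
    for tag in ("KDC", "Realm", "Password"):
        if not text(tag):
            findings.append(f"missing <{tag}> (needed to obtain a Kerberos service ticket)")
    realm = text("Realm")
    if realm and realm != realm.upper():
        findings.append(f"Realm {realm!r} is not uppercase (Kerberos realm names are case sensitive)")
    if text("Password") == "password":
        findings.append("<Password> still holds the sample value 'password'")
    # Empty elements are falsy in ElementTree, so compare against None.
    if auth.find("disallowNTLMV1") is None:
        findings.append("NTLMv1 logins allowed: add <disallowNTLMV1/>")
    if auth.find("kerberosDebug") is not None:
        findings.append("<kerberosDebug/> set: JGSS/krb5 debug output goes to the server log")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_security(cfg) or ["ok"])
```

The configuration file holds the service account password in clear text, so the same review should confirm the file's permissions restrict it to the account running the server.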
