Configuring Kerberos/AD Authentication For The fileServersNG SMB Server

From FileSys.Org Wiki

By default the fileServersNG SMB server uses NTLM authentication, for more secure and single signon authentication you can configure the SMB server to use Kerberos logons.

This document details how to configure the fileServersNG SMB server to use Kerberos authentication using a Windows Active Directory (AD) server setup.

Setting Up The File Server User Account

The fileServersNG SMB server requires an AD user account to map a service principal name to that the client will request when accessing the SMB server.

Create a user account on the AD server, fill in the user logon name eg. jfileserver, disable the 'User must change password at next logon' option, and enable the 'Password never expires' option. Set a password for the new account.

The 'Do not require Kerberos pre-authentication' option can be checked or un-checked. If this option is unchecked the account password will need to be specified in the fileServersNG Kerberos configuration properties. If there are options for AES 128 bit and AES 256 bit encryption then enable both options.

KerberosADOptions.jpg

The file server host also requires a DNS entry with the AD server.

Generate The Keytab and Service Principal Name

Generate a key table for the file server using the ktpass command.

ktpass -princ cifs/<file-server-host-name>.<domain>@<REALM>
 -pass <file-server-account-password>
 -mapuser <domain>\<file-server-account-name>
 -crypto ALL
 -ptype KRB5_NT_PRINCIPAL
 -out <output-file-name>
 -kvno 0

If you only want to use a particular encryption type then use -crypto AES128-SHA1 or -crypto AES256-SHA1. The older encryption setting of -crypto RC4-HMAC-NT can be used but may not allow some newer clients to access the file server.

The generated key table will be used by the SMB server to authenticate the server so it will then be able to authenticate the client logons.

Copy the key table to the file server host system.

Create the service principal name mapping, that clients will use to connect to the SMB file server service, using the setspn utility. Newer versions of the ktpass command will set the SPN when generating the key table.

To check if the SPN is set use

setspn -Q cifs/<file-server-host-name>.<domain>

If the SPN has not been set then use the following commands to set the SPNs

setspn cifs/<file-server-host-name> <file-server-account-name>
setspn cifs/<file-server-host-name>.<domain> <file-server-account-name>

Configure Kerberos On The File Server

The Java authentication APIs require a Kerberos configuration file, this can either be in the default location such as /etc/krb5.conf on linux and macOS, C:\winnt\krb5.ini on Windows, the location can be specified on the Java command line using the java.security.krb5.conf property, or using the fileServersNG property value smb.kerberos.config to specify the configuration file path and name.

A sample Kerberos configuration file is shown below, the Kerberos realm is always specified in uppercase.

[libdefaults]
default realm = FILESYS.ORG

[realms]
FILESYS.ORG {
  kdc = adsrv.filesys.org
  admin_server = adsrv.filesys.org
}

[domain-realm]
adsrv.filesys.org = FILESYS.ORG
.adsrv.filesys.org = FILESYS.ORG

Setup The Java Login Configuration

The Java login configuration is used by the file server application to logon the server application using Kerberos by using the details in the key table that was generated on the Windows AD server.

The Java login configuration file can be stored in your user home folder or a system folder such as /etc. Create a new file called fileserversng.login.conf. The default Java login configuration section name is FileServerSMB. A sample Java login configuration file is shown below :-

FileServerSMB {
 com.sun.security.auth.module.Krb5LoginModule required
 debug=false
 storeKey=true
 useKeyTab=true
 keyTab="<path-to-the-key-table-file>"
 principal="cifs/<file-server-host-name>.<domain>";
};

Note: Use spaces in the Java login configuration file, tab characters cause problems.

To enable the Java login configuration use the fileServersNG property value smb.login.config to specify the path to the login configuration file.

You can also set the login configuration file by updating the main Java security configuration file. This is usually located in the <JRE-folder>/lib/security/java.security file.

Look for the example configuration line that starts with #java.login.config.url.1=.... Uncomment the line, or add a new line, similar to the value shown:-

java.login.config.url.1=<path-to-the-java-login-configuration-file>

Configure The fileServersNG SMB Authentication

In the Alfresco configuration file, usually alfresco-global.properties, enable the SMB server Kerberos authentication via the following property settings:-

smb.kerberos.realm=<KERBEROS-REALM>
smb.kerberos.config=<PATH-TO-KERBEROS-CONF>
smb.login.config=<PATH-TO-LOGIN-CONF>
smb.kerberos.stripUsernameSuffix=true

The following configuration properties are also available for the fileServersNG SMB Kerberos authentication setup:-

Configuration Property Description
smb.kerberos.password Kerberos file server account password. Required if the Active Directory account 'Do not require Kerberos pre-authentication' option was un-checked.
smb.kerberos.stripUsernameSuffix A Kerberos logged in user name will usually include the domain, ie. user@domain, in order to map this to an Alfresco user name the @domain is stripped from the name when this property is set to true.
smb.kerberos.loginEntryName Entry name for the Java login configuration section to use for Kerberos authentication. This defaults to FileServerSMB.
smb.useSPNEGO Force Simple Protected Negotiation to be used for the authentication, this will be selected automatically if Kerberos authentication is enabled. If only NTLM authentication is enabled the default is to use NTLMSSP in the authentication exchanges. Set to true or false.
smb.disallowNTLMv1 Do not allow the weaker NTLM v1 logons, only NTLM v2 logons will be accepted. Set to true or false.
smb.disableNTLM Only allow Kerberos authentication. NTLM authentication will not be advertised by the server or accepted. Set to true or false.
smb.kerberos.debug Enables the Java authentication API debug output. Equivalent of setting the Java system properties 'sun.security.jgss.debug' and 'sun.security.krb5.debug'. Set to true or false.