diff --git a/source/java/org/alfresco/filesys/netbios/server/NetBIOSNameServer.java b/source/java/org/alfresco/filesys/netbios/server/NetBIOSNameServer.java index f555db4162..fb0b46b0d2 100644 --- a/source/java/org/alfresco/filesys/netbios/server/NetBIOSNameServer.java +++ b/source/java/org/alfresco/filesys/netbios/server/NetBIOSNameServer.java @@ -1758,7 +1758,7 @@ public class NetBIOSNameServer extends NetworkServer implements Runnable // Unknown opcode default: - logger.error("Unknown OpCode 0x" + Integer.toHexString(nbPkt.getOpcode())); +// logger.error("Unknown OpCode 0x" + Integer.toHexString(nbPkt.getOpcode())); break; } } diff --git a/source/java/org/alfresco/filesys/server/auth/CifsAuthenticator.java b/source/java/org/alfresco/filesys/server/auth/CifsAuthenticator.java index d5214a3957..3bc7459979 100644 --- a/source/java/org/alfresco/filesys/server/auth/CifsAuthenticator.java +++ b/source/java/org/alfresco/filesys/server/auth/CifsAuthenticator.java @@ -912,19 +912,32 @@ public abstract class CifsAuthenticator */ protected final String mapUserNameToPerson(String userName) { - // Get the home folder for the user + // Get, or create, the person for this user - UserTransaction tx = m_transactionService.getUserTransaction(); + UserTransaction tx = m_transactionService.getUserTransaction( false); String personName = null; try { tx.begin(); - personName = m_personService.getUserIdentifier( userName); + + NodeRef userNode = m_personService.getPerson(userName); + if ( userNode != null) + { + // Get the person name and use that as the current user to line up with permission checks + + personName = (String) m_nodeService.getProperty(userNode, ContentModel.PROP_USERNAME); + } + tx.commit(); } catch (Throwable ex) { + // DEBUG + + if ( logger.isDebugEnabled()) + logger.debug( "Error mapping person for user " + userName, ex); + try { tx.rollback(); 
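Review bot: Commenting out the `logger.error` in the `default:` arm of the opcode switch leaves dead code in the tree and removes the only trace of unrecognised or malformed NetBIOS name-service packets reaching this server. If the line was too noisy at error level, downgrade it rather than disable it: `if ( logger.isDebugEnabled()) logger.debug("Unknown OpCode 0x" + Integer.toHexString(nbPkt.getOpcode()));`. That keeps unexpected traffic visible when diagnosing a misbehaving or hostile client without paging anyone. The enclosing switch and method start before this hunk.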
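Review bot: The new `catch (Throwable ex)` in `mapUserNameToPerson` reports the failure only at debug level, and because the callers in this commit treat a null result as an access-denied, a broken person lookup (repository down, transaction failure, misconfiguration) will present to every user as a wrong password with nothing at warn level in the log. Keep the debug line for the expected "no such person" case if `getPerson` signals that by throwing, but log other failures at warn, e.g. `logger.warn( "Error mapping person for user " + userName, ex);`. Note also that the header comment now reads "Get, or create, the person", and `getUserTransaction( false)` presumably requests a read-write transaction to match, so any principal that passes Kerberos or NTLM authentication may have a person node created on first logon; confirm that this is intended and that it is governed by the person service's create-missing-people setting rather than being unconditional. The method's return is outside this hunk.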
diff --git a/source/java/org/alfresco/filesys/server/auth/EnterpriseCifsAuthenticator.java b/source/java/org/alfresco/filesys/server/auth/EnterpriseCifsAuthenticator.java
index e181ead0f5..8c586936bb 100644
--- a/source/java/org/alfresco/filesys/server/auth/EnterpriseCifsAuthenticator.java
+++ b/source/java/org/alfresco/filesys/server/auth/EnterpriseCifsAuthenticator.java
@@ -71,6 +71,7 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
 import org.alfresco.filesys.smb.server.SMBSrvSession;
 import org.alfresco.filesys.smb.server.VirtualCircuit;
 import org.alfresco.filesys.util.DataPacker;
 import org.alfresco.filesys.util.HexDump;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.NTLMMode;
 import org.ietf.jgss.Oid;
@@ -202,25 +203,54 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca throw new InvalidConfigurationException("Invalid login entry specified"); } - // Build the CIFS service account name + // Get the server principal name - StringBuilder cifsAccount = new StringBuilder(); + ConfigElement principal = params.getChild("Principal"); - cifsAccount.append("cifs/"); - cifsAccount.append( config.getServerName().toLowerCase()); - cifsAccount.append("@"); - cifsAccount.append(m_krbRealm); - - m_accountName = cifsAccount.toString(); + if ( principal != null) { + + // Use the supplied principal name to build the account name + + StringBuffer cifsAccount = new StringBuffer(); + + cifsAccount.append( principal.getValue()); + cifsAccount.append("@"); + cifsAccount.append(m_krbRealm); + + m_accountName = cifsAccount.toString(); + } + else { + + // Build the CIFS service account name + + StringBuffer cifsAccount = new StringBuffer(); + + cifsAccount.append("cifs/"); + cifsAccount.append( config.getServerName().toLowerCase()); + cifsAccount.append("@"); + cifsAccount.append(m_krbRealm); + + m_accountName = cifsAccount.toString(); + } // Create a login context for the CIFS server service try { + // DEBUG + + if ( logger.isDebugEnabled()) + logger.debug( "CIFS Kerberos login using account " + m_accountName); + // Login the CIFS server service m_loginContext = new LoginContext( m_loginEntryName, this); m_loginContext.login(); + + // DEBUG + + if ( logger.isDebugEnabled()) + logger.debug( "CIFS Kerberos login successful"); } catch ( LoginException ex) { @@ -236,9 +266,9 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca Vector mechTypes = new Vector(); - mechTypes.add(OID.NTLMSSP); mechTypes.add(OID.KERBEROS5); mechTypes.add(OID.MSKERBEROS5); + mechTypes.add(OID.NTLMSSP); // Build the SPNEGO NegTokenInit blob 
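Review bot: `principal.getValue()` is appended to the account name without being checked, so an empty `<Principal/>` element yields the account `@REALM`, which then fails inside `LoginContext.login()` with a much less obvious error than the `InvalidConfigurationException` thrown for the login entry a few lines earlier. Validate it first: `String principalName = principal.getValue(); if ( principalName == null || principalName.length() == 0) throw new InvalidConfigurationException("Empty Kerberos principal name");`. The two branches also duplicate the realm suffix; computing the prefix in the if/else and appending `"@" + m_krbRealm` once would halve the code, and the original used `StringBuilder`, so the switch to the synchronized `StringBuffer` is a small regression. The debug line that prints the account name is fine since it is the service principal, not a secret. The enclosing initialisation method starts before this hunk.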
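Review bot: Moving `OID.NTLMSSP` to the end of `mechTypes` changes which mechanism the server advertises first in the NegTokenInit, and since SPNEGO treats that list as ordered by preference, this presumably makes Kerberos the preferred mechanism with NTLMSSP only as the fallback. That intent is invisible from a bare reorder and a future edit could silently reverse it, so state it: `// Order is preference: Kerberos first, NTLMSSP only as fallback for clients without a ticket`. The surrounding method continues past this hunk.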
@@ -1172,33 +1202,92 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca // Start a transaction sess.beginReadTransaction( m_transactionService); + + // Check if this is a null logon + + String userName = krbDetails.getUserName(); + + if ( userName != null) + { + // Check for the machine account name + + if ( userName.endsWith( "$") && userName.equals( userName.toUpperCase())) + { + // Null logon + + client.setLogonType( ClientInfo.LogonNull); + + // Debug + + if ( logger.isDebugEnabled()) + logger.debug("Machine account logon, " + userName + ", as null logon"); + } + else + { + // Map the user name to an Alfresco person name + + String alfPersonName = mapUserNameToPerson( userName); + + // Check if the user name was mapped, if not then check if this is a domain client system name, ie. ends with '$' + + if ( alfPersonName != null) + { + // Setup the Acegi authenticated user + + AuthenticationUtil.setCurrentUser( alfPersonName); + + // Store the full user name in the client information, indicate that this is not a guest logon + + client.setUserName( krbDetails.getSourceName()); + client.setGuest( false); + + client.setAuthenticationToken( m_authComponent.getCurrentAuthentication()); + + // Indicate that the session is logged on + + sess.setLoggedOn(true); + } + else + { + // Return a logon failure status + + throw new SMBSrvException( SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + } + } + } + else + { + // Null logon + + client.setLogonType( ClientInfo.LogonNull); + } - // Setup the Acegi authenticated user - - // Set the current user to be authenticated, save the authentication token - - client.setAuthenticationToken( m_authComponent.setCurrentUser( mapUserNameToPerson(krbDetails.getUserName()))); - - // Store the full user name in the client information, indicate that this is not a guest logon - - client.setUserName( krbDetails.getSourceName()); - client.setGuest( false); - // Indicate that the session is 
logged on sess.setLoggedOn(true); - + // Debug if ( logger.isDebugEnabled()) - logger.debug("Logged on using Kerberos"); + logger.debug("Logged on using Kerberos, user " + userName); + } + else + { + // Debug + + if ( logger.isDebugEnabled()) + logger.debug( "No SPNEGO response, Kerberos logon failed"); + + // Return a logon failure status + + throw new SMBSrvException( SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); } } catch (Exception ex) { // Log the error - logger.error(ex); + logger.error("Kerberos logon error", ex); // Return a logon failure status diff --git a/source/java/org/alfresco/filesys/server/auth/passthru/PassthruAuthenticator.java b/source/java/org/alfresco/filesys/server/auth/passthru/PassthruAuthenticator.java index 37408cd87a..8271a5b867 100644 --- a/source/java/org/alfresco/filesys/server/auth/passthru/PassthruAuthenticator.java +++ b/source/java/org/alfresco/filesys/server/auth/passthru/PassthruAuthenticator.java @@ -802,6 +802,9 @@ public class PassthruAuthenticator extends CifsAuthenticator implements SessionL NTLanManAuthContext ntlmCtx = (NTLanManAuthContext) getAuthContext( sess); + if ( ntlmCtx == null) + throw new SMBSrvException( SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + // Build a type2 message to send back to the client, containing the challenge String domain = sess.getSMBServer().getServerName(); diff --git a/source/java/org/alfresco/filesys/server/auth/spnego/NegTokenInit.java b/source/java/org/alfresco/filesys/server/auth/spnego/NegTokenInit.java index 2d750d9687..e36551037d 100644 --- a/source/java/org/alfresco/filesys/server/auth/spnego/NegTokenInit.java +++ b/source/java/org/alfresco/filesys/server/auth/spnego/NegTokenInit.java 
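Review bot: The machine-account test in the new `userName != null` branch, `userName.endsWith( "$") && userName.equals( userName.toUpperCase())`, is a case-sensitive heuristic: a computer principal that arrives in mixed case falls through to `mapUserNameToPerson`, whose own comment says it may create the person, and receives a full logon, while a real user whose name happens to be all upper-case and end in `$` is silently demoted to a null session. Spell the assumption out so it gets reviewed deliberately, e.g. `// AD machine accounts arrive as UPPERCASE NAME + '$'; give them a null session instead of creating a person node`, and log the demotion in the `userName == null` branch as the `$` branch already does. Both null-logon branches still reach the unchanged `sess.setLoggedOn(true)` below without any authentication token being set on `client`, so confirm that a `LogonNull` session is restricted by the share-access checks elsewhere. Also, the two new `throw new SMBSrvException(...)` statements sit inside the `try` whose `catch (Exception ex)` logs "Kerberos logon error" at error level, so an unmapped user will produce a stack trace on every attempt unless `SMBSrvException` is caught separately first; add `catch (SMBSrvException ex) { throw ex; }` ahead of the generic catch or move the access-denied throws outside the try. The enclosing method starts before this hunk and continues past it.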
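Review bot: The new null check on `ntlmCtx` rejects the logon correctly but silently, which makes a missing or expired challenge context (presumably a session-level lookup failing in `getAuthContext`) hard to diagnose from the server log. Add a debug line before the throw using the class's logger, `if ( logger.isDebugEnabled()) logger.debug( "No NTLM authentication context for session, rejecting logon");`. The enclosing method starts and ends outside this hunk.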
@@ -30,6 +30,7 @@ import java.io.IOException; import java.util.Enumeration; import java.util.Vector; +import org.alfresco.filesys.util.HexDump; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.DERApplicationSpecific; @@ -401,6 +402,14 @@ public class NegTokenInit str.append(" token="); str.append(m_mechToken.length); str.append(" bytes"); + + if ( m_mechToken.length > 16) + { + str.append(" ["); + str.append ( HexDump.hexString(m_mechToken, 0, 16, " ")); + str.append("]"); + } + } if ( m_mecListMICPrincipal != null)
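Review bot: The hex preview added to `toString()` is gated on `m_mechToken.length > 16`, so a token of 16 bytes or fewer prints its length but no bytes, and a longer one is cut to 16 bytes with nothing marking the truncation. Use `int n = Math.min( 16, m_mechToken.length);` with `n > 0` as the guard, pass `n` to `HexDump.hexString`, and append `"..."` when `m_mechToken.length > n`. The mech token is the raw authentication blob handed over by the client, so this string should only ever reach debug-level output; in practice the leading bytes are header and OID material rather than key material, but keep the preview this short for that reason. The enclosing `if` opens before this hunk.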