This page applies to Alfresco 2.x and earlier. In alfresco 3.0 - 3.1, the syntax changed and instead of a global <config evaluator='string-compare' condition='Filesystem Security'> section, there was one authenticator per file service.
The Alfresco CIFS server has several different authenticator implementations. The default authenticator provides user authentication against the Alfresco user database using NTLMv1 password hashing. The default authenticator is configured using :-
The default authenticator has configuration options to allow guest access when the client uses the guest user name to connect, <allowGuest/>, and to map client user names that are not in the Alfresco user database to the guest user, <mapUnknownUserToGuest/>.
There are two other CIFS authenticators included with Alfresco that provide passthru authentication and Enterprise authentication support.
The CIFS passthru authenticator provides the ability to use existing Windows file servers to authenticate users accessing the Alfresco CIFS server. To configure the passthru authenticator use :-
The configuration options available for the passthru authenticator are :-
Specifies a comma delimeted list of servers to use for passthru authentication.
Use the local server for passthru authentication.
Specifies the Windows domain/workgroup to use for passthru authentication. The CIFS server will locate the domain controllers.
Use the domain/workgroup that the local server belongs to when finding the domain controllers.
Specifies the type of protocols and the order of connection for passthru authentication sessions. The default is to use NetBIOS, if that fails then try to connect using native SMB/port 445. Specify either a single protocol type or a comma delimited list with a primary and secondary protocol type. The available protocol types are 'NetBIOS' for NetBIOS over TCP and 'TCPIP' for native SMB.
Specifies how often passthru servers that are marked as offline are checked to see if they are now online. The default check interval is 5 minutes. The check interval is specified in seconds.
You should only specify one of the above options.
The passthru authenticator can only be configured when the main authentication component is configured to use the LDAP or JAAS component.
Note that NTLMv2 is NOT compatible with passthru authentication. The only NTLMv2 support is when hashed passwords are stored with the alfresco database. Indeed, NTLMv2 has been designed to avoid 'Man-in-the-middle' attacks, and when alfresco is configured as a passthru server, it in fact behaves as a 'Man-in-the-middle'.