fileServersNG

The fileServersNG module replaces the file servers subsystem that ships as part of the standard Alfresco Content Management System with a new subsystem that is based on the JFileServer file server code, enabling support for the newer SMB v2 and SMB v3 protocols, and adding new features.

SMB Protocols

The original SMB v1 protocol has been around for over 30 years. It was designed for a different world of smaller, isolated networks rather than the interconnected world of today, where networks are under constant attack. The SMB v1 protocol is not considered to be safe, as it allows man-in-the-middle and security downgrade attacks that have been used many times in real-world attacks. Recent Windows updates have not installed the SMB v1 protocol. SMB v1 should be disabled for good; leaving SMB v1 available for older clients is a big security hole that can be exploited.

The SMB v2 and v3 protocols solve many of the issues that SMB v1 has. The SMB v2 protocol is more efficient on the network, allowing much larger amounts of data to be transferred in a single request: SMB v1 tends to use a maximum of around 64Kb in most cases, whereas SMB v2 on Windows 10 will tend to use 2Mb. SMB v2 also uses a sliding window of requests. This helps with network latency, as it is more like a streaming protocol, whereas SMB v1 usually sends a request and waits for the response before sending the next request. SMB v2 also uses compounding of requests, so multiple requests are sent in one packet. SMB v1 also has compounding but does not use it very often.

The SMB v2 and v3 protocols prevent security downgrade attacks by adding pre-authentication integrity checks and using secure negotiation, which the client checks after successfully authenticating with the server. SMB v2 adds more efficient packet signing. SMB v3 adds full encryption support using efficient AES encryption, which is usually implemented in modern CPU hardware. Hardware accelerated encryption is available where the Java Virtual Machine supports it.

The fileServersNG Solution

fileServersNG is an Alfresco Module Package (AMP) that adds SMB v2 and SMB v3 support to Alfresco so you can continue to use shared drives to upload and edit files within Alfresco. The latest fileServersNG AMP supports Alfresco versions 6.2, 7.x up to 23.1, and is available here.

As well as the SMB enhancements, fileServersNG also has many updates to authentication to allow it to use the latest versions of Active Directory when using Kerberos authentication to the file server. This includes the latest high strength AES 128-bit and AES 256-bit modes.

The fileServersNG add-on includes a feature to allow access to previous file versions for files that have the Versionable aspect. To access the previous file versions use the Windows Explorer right click Properties menu item and select the Previous Versions tab.

Configuration

The fileServersNG subsystem is configured in the same way as the original subsystem using configuration properties in the alfresco-global.properties file. The fileServersNG subsystem uses the 'smb' prefix for the SMB properties and 'ftpng' for the FTP properties so that they do not clash with the existing file servers subsystem properties.

The following table lists the available configuration properties:

| Property | Description |
|---|---|
| smb.enabled | Enable the fileServersNG SMB file server, true or false |
| ftpng.enabled | Enable the fileServersNG FTP file server, true or false |
| smb.dialects | List of enabled SMB dialects that the server will negotiate with the client. SMB1, SMB2 and/or SMB3 |
| smb.kerberos.realm | Kerberos realm, enables Kerberos authentication if set |
| smb.kerberos.stripUsernameSuffix | Strips the suffix from the Kerberos authenticated user name that includes the realm, when matching to the Alfresco user account, true or false |
| smb.kerberos.loginEntryName | Entry to use within the Java login configuration, default FileServerSMB |
| smb.kerberos.debug | Enable Kerberos authentication debug output, true or false |
| smb.kerberos.config | Path to the Kerberos configuration file, e.g. /kerberos/alfresco_krb5.conf |
| smb.login.config | Path to the Java login configuration file, e.g. /kerberos/alfresco_login.config |
| smb.disableNTLM | Disable NTLM authentication, true or false |
| smb.disallowNTLMv1 | Do not allow the weaker NTLM v1 authentication, true or false |
| smb.useSPNEGO | Use SPNEGO within the authentication phase, true or false. This will be forced to true when SMB2 and/or SMB3 dialects are enabled. |
| smb.maxPacketSize | Maximum packet size to negotiate with the client when using SMB2 or SMB3. Can be specified as 'n' bytes, 'nK' kilobytes or 'nM' megabytes. The default setting is 2M. |
| smb.requireSigning | Require the client to use packet signing for SMB2 |
| smb.enablePostClose | Enable the experimental feature available in fileServersNG-v61 and fileServersNG-v5 that allows the file close response to be sent by the protocol layer then perform file close processing within Alfresco. This can speed up the response in particular for versioned files where it can take some time to check if the file is actually a new version. Value true or false. |
| smb.sessionDebug | Enable SMB debug output, see the Wiki document for the full list of debug levels |
| smb.AESProvider | Sets the JCE provider name to be used by the SMB3 AES/GCM encryption/decryption. To use hardware accelerated encryption/decryption use the value 'SunJCE'. The default setting will cause the software based encryption/decryption code from the BouncyCastle JCE provider to be used. To force use of the BouncyCastle JCE provider use a value of 'BC'. |
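
The following is an added example, not part of the fileServersNG project: a small Python check that reads alfresco-global.properties text and reports SMB settings that leave SMB1, NTLM v1 or unsigned sessions available. The property names come from the table above; the comma-separated smb.dialects format, the true/false value for smb.requireSigning and both sample files are assumptions constructed for illustration.

```python
# Added example: audit fileServersNG SMB properties. Value formats are assumed.

# Constructed sample inputs, not taken from a real deployment.
WEAK_SAMPLE = """\
# legacy-friendly settings
smb.enabled=true
smb.dialects=SMB1,SMB2,SMB3
smb.disableNTLM=false
smb.requireSigning=false
"""

HARDENED_SAMPLE = """\
smb.enabled=true
smb.dialects=SMB2,SMB3
smb.disableNTLM=false
smb.disallowNTLMv1=true
smb.requireSigning=true
"""

def parse_properties(text):
    """Parse simple key=value lines; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_smb(props):
    """Return (property, finding) pairs for weak or unset SMB settings."""
    def is_true(key):
        return props.get(key, "").lower() == "true"
    if not is_true("smb.enabled"):
        return []  # fileServersNG SMB server not enabled, nothing to audit
    findings = []
    dialects = {d.strip().upper() for d in props.get("smb.dialects", "").split(",") if d.strip()}
    if not dialects:
        findings.append(("smb.dialects", "not set; list SMB2 and/or SMB3 explicitly"))
    elif "SMB1" in dialects:
        findings.append(("smb.dialects", "SMB1 is enabled; remove it from the list"))
    if not is_true("smb.disableNTLM") and not is_true("smb.disallowNTLMv1"):
        findings.append(("smb.disallowNTLMv1", "NTLM allowed and NTLM v1 not explicitly disallowed"))
    if not is_true("smb.requireSigning"):
        findings.append(("smb.requireSigning", "packet signing is not explicitly required"))
    return findings
```

Unset properties are reported rather than assumed safe, because the table states defaults for only a few of them.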

Running fileServersNG

There are Docker images available with Alfresco 6.2, 7.4 and 23.1 installations with the fileServersNG file servers subsystem deployed. The latest Docker images are available here.

The source code for the fileServersNG AMP is available on Github and includes sample docker-compose.yml files to run Alfresco with the fileServersNG AMP deployed using the pre-built Docker images.

Pre-built AMPs are available for Alfresco 6.2, 7.x and 23.1 here. For older versions of Alfresco there are unsupported AMPs here.

Licencing

To enable the JFileServer Enterprise add-on within the fileServersNG file server subsystem a licence key is required. Request a fileServersNG trial licence by emailing info@filesys.org.

Licence keys are sold depending on the number of clients that will connect to the file server. The initial licence fee includes 12 months email support. For pricing contact info@filesys.org with the licence size required.

© Copyright 2023 FileSys.Org - All Rights Reserved