NTLM authentication not working

Michal Bruncko michal.bruncko at zssos.sk
Fri Apr 10 18:53:24 EDT 2020


Hello

I am trying to use NTLM authentication (using cyrus-sasl-ntlm) with the cyrus-imapd server for user authentication.

In imapd.conf:

sasl_ntlm_server:       dc1.example.com
sasl_ntlm_v2:           yes
sasl_mech_list:         PLAIN NTLM LOGIN

dc1.example.com is a Samba 4 AD DC; I have also tried Samba 4.2 in NT4 PDC mode, but with the same results.

On both Samba servers the "server signing" global parameter is set to "auto" (i.e. accepting non-signed connections is allowed, which is mandatory for this NTLM SASL plugin from what I have read), but I cannot get authentication working.

In maillog:

Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]

The NTLM plugin on the mailserver communicates with the Samba server(s) over port 139. The mailserver always exchanges four NBT packets with the Samba server; here is the full stream:

23:47:14.971695 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [S.], seq 2264619136, ack 3113401271, win 14280, options [mss 1440,sackOK,TS val 3147289764 ecr 1769474260,nop,wscale 5], length 0
23:47:14.972300 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [.], ack 1, win 113, options [nop,nop,TS val 1769474263 ecr 3147289764], length 0
23:47:14.972364 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [P.], seq 1:73, ack 1, win 113, options [nop,nop,TS val 1769474263 ecr 3147289764], length 72 NBT Session Packet: Session Request
23:47:14.972386 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [.], ack 73, win 447, options [nop,nop,TS val 3147289765 ecr 1769474263], length 0
23:47:14.979752 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [P.], seq 1:5, ack 73, win 447, options [nop,nop,TS val 3147289772 ecr 1769474263], length 4 NBT Session Packet: Session Granted
23:47:14.980199 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [.], ack 5, win 113, options [nop,nop,TS val 1769474271 ecr 3147289772], length 0
23:47:14.982440 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [P.], seq 73:124, ack 5, win 113, options [nop,nop,TS val 1769474273 ecr 3147289772], length 51 NBT Session Packet: Session Message
23:47:14.985406 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [P.], seq 5:112, ack 124, win 447, options [nop,nop,TS val 3147289778 ecr 1769474273], length 107 NBT Session Packet: Session Message
23:47:15.025563 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [.], ack 112, win 113, options [nop,nop,TS val 1769474317 ecr 3147289778], length 0

That is:
1. from mailserver: NBT Session Packet: Session Request
2. from sambaserver: NBT Session Packet: Session Granted
3. from mailserver: NBT Session Packet: Session Message
4. from sambaserver: NBT Session Packet: Session Message

This corresponds to the following Samba log messages:

[2020/04/10 23:52:00.583266,  3] ../source3/smbd/process.c:1880(process_smb)
   Transaction 0 of length 51 (0 toread)
[2020/04/10 23:52:00.583359,  3] ../source3/smbd/process.c:1489(switch_message)
   switch message SMBnegprot (pid 28556) conn 0x0
[2020/04/10 23:52:00.586326,  3] ../source3/smbd/negprot.c:576(reply_negprot)
   Requested protocol [NT LM 0.12]
[2020/04/10 23:52:00.586887,  3] ../source3/smbd/negprot.c:377(reply_nt1)
   not using SPNEGO
[2020/04/10 23:52:00.586969,  3] ../source3/smbd/negprot.c:684(reply_negprot)
   Selected protocol NT LM 0.12
[2020/04/10 23:52:00.591116,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
   Server exit (failed to receive smb request)

Basically the Samba server accepted the session request and accepted the protocol type (NT LM 0.12) requested by the mailserver (returning STATUS_SUCCESS to the mail client), but the mailserver does not respond at all and gracefully closes the connection. Nothing else is exchanged. In short, the NTLM client creates the NBT session and proposes a protocol which Samba accepts, but then it ends.

The question is: what am I doing wrong? Did I miss something? I know from existing open issues that the "sasl_ntlm_v2" parameter is ignored, but I have tried to hardcode it, and it ends with the same results - there is no difference.

The mailserver is a CentOS 7 system with the following packages:
cyrus-sasl-ntlm-2.1.26-23.el7.x86_64
cyrus-imapd-2.4.17-15.el7.x86_64

But I have also tried to test this NTLM plugin on an older CentOS 6 system as the mailserver (also with a cyrus-imapd server) and the behaviour is completely the same (error message in maillog, packets exchanged):
cyrus-sasl-ntlm-2.1.23-15.el6_6.2.x86_64
cyrus-imapd-2.3.16-15.el6.x86_64

Thanks for any help on this.

michal
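As an added example (not part of Michal's message and not code from cyrus-sasl or Samba), the following Python decoder takes apart the NBT session service packets that appear in the capture above: the 4-byte NBT header, the first-level-encoded NetBIOS names in a Session Request, and the SMB1 SMB_COM_NEGOTIATE dialect list inside a Session Message. The sample packets are constructed here; the NetBIOS names DC1 and MAIL are assumptions, but the constructed packets come out to 72, 4 and 51 bytes, the same sizes as the first three NBT packets in the capture, and a 51-byte Session Message is exactly what a negprot carrying the single dialect "NT LM 0.12" produces, matching the "Requested protocol [NT LM 0.12]" line in the Samba log.

```python
import struct

# NBT session service packet types (RFC 1002 section 4.3)
NBT_TYPES = {
    0x00: "Session Message",
    0x81: "Session Request",
    0x82: "Positive Session Response",  # shown by tcpdump as "Session Granted"
    0x83: "Negative Session Response",
    0x84: "Retarget Session Response",
    0x85: "Session Keep Alive",
}
SMB_COM_NEGOTIATE = 0x72  # SMB1 negprot, logged by Samba as SMBnegprot
SMB_FLAGS_REPLY = 0x80    # bit in the SMB1 Flags byte set on server replies


def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then emit each nibble as a letter 'A'..'P'. The result is a
    length byte, 32 encoded characters and a terminating NUL (34 bytes)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def decode_netbios_name(buf, offset):
    """Inverse of encode_netbios_name; returns (name, suffix, next_offset)."""
    length = buf[offset]
    enc = buf[offset + 1:offset + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], offset + 1 + length + 1


def nbt_frame(ptype, payload):
    """Wrap a payload in the 4-byte NBT header: type, flags, 16-bit length;
    flags bit 0 carries bit 16 of the length."""
    length = len(payload)
    return struct.pack(">BBH", ptype, (length >> 16) & 0x01, length & 0xFFFF) + payload


def build_negotiate_request(dialects):
    """Constructed SMB1 SMB_COM_NEGOTIATE request: 32-byte header (all other
    header fields left zero), WordCount 0, ByteCount, then one 0x02-prefixed
    NUL-terminated string per dialect."""
    header = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + struct.pack("<I", 0) + bytes(23)
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + bytes([0]) + struct.pack("<H", len(data)) + data


def parse_smb1(smb):
    """Decode the SMB1 header command, NT status and reply flag; for a
    SMB_COM_NEGOTIATE request also extract the offered dialect list."""
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command = smb[4]
    status = struct.unpack("<I", smb[5:9])[0]
    is_reply = bool(smb[9] & SMB_FLAGS_REPLY)
    out = {"smb_command": command, "nt_status": status, "reply": is_reply}
    if command == SMB_COM_NEGOTIATE and not is_reply and len(smb) > 32:
        word_count = smb[32]
        bc_off = 33 + 2 * word_count
        byte_count = struct.unpack("<H", smb[bc_off:bc_off + 2])[0]
        data = smb[bc_off + 2:bc_off + 2 + byte_count]
        out["dialects"] = [d[1:].decode("ascii")
                           for d in data.split(b"\x00") if d.startswith(b"\x02")]
    return out


def parse_nbt(packet):
    """Split one NBT session service packet into its header fields and decode
    the payload of Session Requests and SMB1 Session Messages."""
    if len(packet) < 4:
        raise ValueError("short NBT header")
    ptype, flags, length = struct.unpack(">BBH", packet[:4])
    length |= (flags & 0x01) << 16
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated NBT payload")
    info = {"type": NBT_TYPES.get(ptype, "unknown 0x%02x" % ptype), "length": length}
    if ptype == 0x81:
        called, called_sfx, off = decode_netbios_name(payload, 0)
        calling, calling_sfx, _ = decode_netbios_name(payload, off)
        info.update(called=called, called_suffix=called_sfx,
                    calling=calling, calling_suffix=calling_sfx)
    elif ptype == 0x00 and payload[:4] == b"\xffSMB":
        info.update(parse_smb1(payload))
    return info


# Constructed sample exchange (names are assumptions, not captured data), sized
# like the first three NBT packets in the capture: 72, 4 and 51 bytes.
SAMPLE_EXCHANGE = [
    nbt_frame(0x81, encode_netbios_name("DC1", 0x20) + encode_netbios_name("MAIL", 0x00)),
    nbt_frame(0x82, b""),
    nbt_frame(0x00, build_negotiate_request(["NT LM 0.12"])),
]


def decode_exchange(packets):
    """Decode a list of NBT packets in order."""
    return [parse_nbt(p) for p in packets]


if __name__ == "__main__":
    for pkt, info in zip(SAMPLE_EXCHANGE, decode_exchange(SAMPLE_EXCHANGE)):
        print(len(pkt), info)
```

Feeding the TCP payloads of port 139 packets from a capture into parse_nbt() gives the same view as the Samba log without server-side debugging: which NetBIOS name the client called, whether the session was granted, and which SMB1 dialects were offered. A client that offers only "NT LM 0.12" and then goes silent after the negprot reply, as in the stream above, is doing pre-SPNEGO SMB1 negotiation, which is what the "not using SPNEGO" line on the Samba side also says.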
