NTLM authentication not working

Michal Bruncko michal.bruncko at zssos.sk
Mon Apr 13 19:08:38 EDT 2020


ok, seems I found the problem. NTLM email client which I am using for 
testing - Thunderbird - is refusing to finish NTLM authentication 
because IMAP server is using NTLMv1, which is denied by default 
Thunderbird configuration. setting up 
"network.auth.force-generic-ntlm-v1" to "true" finally makes this 
authentication work. the problem is why NTLMv2 is not used? I found this 
https://access.redhat.com/solutions/4253821 and recompiled cyrus-sasl 
with patch enforcing NTLMv2, but seems NTLMv2 is not used either. then 
I found out your correspondence here 
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-December/034227.html 
where you're stating the same, isn't it that?

thanks
michal

On 4/13/2020 10:23 PM, Michal Bruncko wrote:
> Dear Dan
>
> thank you for response. followed your proposal with increasing 
> debugging, but for whatever reason it did not produce anything more 
> into syslog. my rsyslog.conf was setup this way (followed by 
> restarting rsyslog daemon) as the first option in list:
>
> *.*                                            -/var/log/debug
>
> but rather I did strace of imapd daemon and parallel packet capture of 
> communication to samba server.
>
> I hope this can be helpful.
>
> thanks again
>
> michal
>
>
>
> On 4/13/2020 5:19 PM, Dan White wrote:
>> On 04/11/20 00:53 +0200, Michal Bruncko wrote:
>>> I am trying to use NTLM authentication (using cyrus-sasl-ntlm) for 
>>> cyrus-imapd server for user authentication.
>>>
>>> in imapd.conf:
>>>
>>> sasl_ntlm_server:       dc1.example.com
>>> sasl_ntlm_v2:           yes
>>> sasl_mech_list:         PLAIN NTLM LOGIN
>>>
>>> dc1.example.com is samba 4 AD DC, I have tried also samba 4.2 in NT4 
>>> PDC mode, but with same results.
>>>
>>> in maillog:
>>>
>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
>>> Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]
>>>
>>> which corresponds to following samba log messages:
>>>
>>> [2020/04/10 23:52:00.583266,  3] ../source3/smbd/process.c:1880(process_smb)
>>>   Transaction 0 of length 51 (0 toread)
>>> [2020/04/10 23:52:00.583359,  3] ../source3/smbd/process.c:1489(switch_message)
>>>   switch message SMBnegprot (pid 28556) conn 0x0
>>> [2020/04/10 23:52:00.586326,  3] ../source3/smbd/negprot.c:576(reply_negprot)
>>>   Requested protocol [NT LM 0.12]
>>> [2020/04/10 23:52:00.586887,  3] ../source3/smbd/negprot.c:377(reply_nt1)
>>>   not using SPNEGO
>>> [2020/04/10 23:52:00.586969,  3] ../source3/smbd/negprot.c:684(reply_negprot)
>>>   Selected protocol NT LM 0.12
>>> [2020/04/10 23:52:00.591116,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
>>>   Server exit (failed to receive smb request)
>>
>> Hi Michal,
>>
>> You can increase libsasl's logging with the following in your 
>> imapd.conf:
>>
>> sasl_log_level: 7
>>
>> See: 
>> https://github.com/cyrusimap/cyrus-sasl/blob/master/include/sasl.h for
>> a description of the available log levels. You may need to modify your
>> syslog configuration to accept more verbose auth.* levels.
>>
>
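
Added example, not part of the thread and not cyrus-sasl code: one way to check which NTLM version a client actually answered with is to look at the NT response length in the type 3 (AUTHENTICATE) message, which is 24 bytes for NTLMv1 and longer for NTLMv2. The function names and sample tokens are constructed for illustration, and the sketch assumes the token is available as base64, as it is carried in an IMAP AUTHENTICATE exchange.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
EXTENDED_SESSIONSECURITY = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _field(msg, pos):
    """Return the bytes referenced by a (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(b64_token):
    """Name the response type in a base64 NTLMSSP AUTHENTICATE (type 3) token."""
    msg = base64.b64decode(b64_token, validate=True)
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected message type 3, got {msg_type}")
    lm, nt = _field(msg, 12), _field(msg, 20)
    (flags,) = struct.unpack_from("<I", msg, 60)
    if len(nt) > 24:   # 16-byte HMAC-MD5 proof followed by a variable blob
        return "NTLMv2"
    if len(nt) == 24:  # fixed-size DES-based response
        ess = flags & EXTENDED_SESSIONSECURITY and len(lm) == 24 and lm[8:] == bytes(16)
        return "NTLMv1 with extended session security" if ess else "NTLMv1"
    return "no NT response"

def build_sample(lm, nt, flags):
    """Constructed type 3 token for the demo; domain, user, host and key are empty."""
    fields, offset = b"", 64
    for data in (lm, nt, b"", b"", b"", b""):
        fields += struct.pack("<HHI", len(data), len(data), offset)
        offset += len(data)
    msg = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + lm + nt
    return base64.b64encode(msg).decode()

# Constructed samples (filler bytes, not real credentials or captures)
SAMPLES = {
    "v1": build_sample(b"\x11" * 24, b"\x22" * 24, 0x00008205),
    "v1-ess": build_sample(b"\x33" * 8 + bytes(16), b"\x22" * 24, 0x00088205),
    "v2": build_sample(b"\x11" * 24, b"\x44" * 16 + b"\x55" * 28, 0x00088205),
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        print(name, "->", classify_authenticate(token))
```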


