NTLM authentication not working
Michal Bruncko
michal.bruncko at zssos.sk
Mon Apr 13 19:08:38 EDT 2020
ok, seems I found the problem. The NTLM email client which I am using for
testing - Thunderbird - is refusing to finish NTLM authentication
because the IMAP server is using NTLMv1, which is denied by the default
Thunderbird configuration. Setting
"network.auth.force-generic-ntlm-v1" to "true" makes this authentication
finally work. The problem is: why is NTLMv2 not used? I found this
https://access.redhat.com/solutions/4253821 and recompiled cyrus-sasl
with the patch enforcing NTLMv2, but it seems NTLMv2 is not used either. Then
I found your correspondence here
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-December/034227.html
where you're stating the same, isn't that so?
thanks
michal
On 4/13/2020 10:23 PM, Michal Bruncko wrote:
> Dear Dan
>
> thank you for your response. I followed your proposal of increasing
> debugging, but for whatever reason it did not produce anything more
> in syslog. My rsyslog.conf was set up this way (followed by
> restarting the rsyslog daemon) as the first option in the list:
>
> *.* -/var/log/debug
>
> but rather I did an strace of the imapd daemon and a parallel packet capture of
> the communication to the samba server.
>
> I hope this can be helpful.
>
> thanks again
>
> michal
>
>
>
> On 4/13/2020 5:19 PM, Dan White wrote:
>> On 04/11/20 00:53 +0200, Michal Bruncko wrote:
>>> I am trying to use NTLM authentication (using cyrus-sasl-ntlm) for
>>> cyrus-imapd server for user authentication.
>>>
>>> in imapd.conf:
>>>
>>> sasl_ntlm_server: dc1.example.com
>>> sasl_ntlm_v2: yes
>>> sasl_mech_list: PLAIN NTLM LOGIN
>>>
>>> dc1.example.com is samba 4 AD DC, I have tried also samba 4.2 in NT4
>>> PDC mode, but with same results.
>>>
>>> in maillog:
>>>
>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
>>> Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin:
>>> client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]
>>>
>>> which corresponds to following samba log messages:
>>>
>>> [2020/04/10 23:52:00.583266, 3]
>>> ../source3/smbd/process.c:1880(process_smb)
>>> Transaction 0 of length 51 (0 toread)
>>> [2020/04/10 23:52:00.583359, 3]
>>> ../source3/smbd/process.c:1489(switch_message)
>>> switch message SMBnegprot (pid 28556) conn 0x0
>>> [2020/04/10 23:52:00.586326, 3]
>>> ../source3/smbd/negprot.c:576(reply_negprot)
>>> Requested protocol [NT LM 0.12]
>>> [2020/04/10 23:52:00.586887, 3]
>>> ../source3/smbd/negprot.c:377(reply_nt1)
>>> not using SPNEGO
>>> [2020/04/10 23:52:00.586969, 3]
>>> ../source3/smbd/negprot.c:684(reply_negprot)
>>> Selected protocol NT LM 0.12
>>> [2020/04/10 23:52:00.591116, 3]
>>> ../source3/smbd/server_exit.c:249(exit_server_common)
>>> Server exit (failed to receive smb request)
>>
>> Hi Michal,
>>
>> You can increase libsasl's logging with the following in your
>> imapd.conf:
>>
>> sasl_log_level: 7
>>
>> See:
>> https://github.com/cyrusimap/cyrus-sasl/blob/master/include/sasl.h for
>> a description of the available log levels. You may need to modify your
>> syslog configuration to accept more verbose auth.* levels.
>>
>
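
Added example, not part of the original thread and not cyrus-sasl code: a Python check that classifies the response in the client's final NTLM token (the type 3 message) as NTLMv1 or NTLMv2 from the length of its NT response field. It assumes you have that base64 token, for instance from a client protocol log; `classify_type3` and `build_sample` are names chosen here, and the sample tokens are constructed.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"

def _buf(msg, off):
    """Return the bytes named by the security buffer (len, maxlen, offset) at off."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def classify_type3(b64_token):
    """Classify the response carried in a base64 NTLM type 3 token."""
    msg = base64.b64decode(b64_token, validate=True)
    if len(msg) < 28 or msg[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != 3:
        raise ValueError(f"expected message type 3, got {mtype}")
    lm, nt = _buf(msg, 12), _buf(msg, 20)
    if len(nt) > 24:          # 16-byte HMAC-MD5 proof + variable-length blob
        return "NTLMv2"
    if len(nt) == 24:
        # NTLM2 session response: LM field is an 8-byte client nonce + 16 zero bytes
        if len(lm) == 24 and lm[8:] == b"\x00" * 16:
            return "NTLMv1 with extended session security"
        return "NTLMv1"
    return "unrecognised NT response length"

def build_sample(lm, nt, mtype=3):
    """Constructed token for the demo: only the LM and NT buffers carry data."""
    hdr_len = 64
    end = hdr_len + len(lm) + len(nt)
    hdr = NTLMSSP + struct.pack("<I", mtype)
    hdr += struct.pack("<HHI", len(lm), len(lm), hdr_len)
    hdr += struct.pack("<HHI", len(nt), len(nt), hdr_len + len(lm))
    hdr += struct.pack("<HHI", 0, 0, end) * 4   # domain, user, workstation, session key
    hdr += struct.pack("<I", 0)                 # negotiate flags (unused here)
    return base64.b64encode(hdr + lm + nt).decode()

if __name__ == "__main__":
    print(classify_type3(build_sample(b"\x11" * 24, b"\x22" * 24)))
    print(classify_type3(build_sample(b"\x11" * 24, b"\x22" * 60)))
```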