NTLM authentication not working
Michal Bruncko
michal.bruncko at zssos.sk
Tue Apr 14 15:36:55 EDT 2020
hello again
today I've tried two other options:
1. Dhruva's NTLMv2 patch posted here
https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2009-October/001875.html
2. Andrew's Bartlett patch to handover NTLM to winbind (ntlm_auth)
Results:
1. the first one seems not to be complete. "unix_timestamp" as used in
the code snippet is not defined elsewhere and therefore I consider it a
customized function. I tried a dirty replacement of that line with
"strcpy(timestamp, (char)time(NULL));" but NTLMv2 was not working either
(Thunderbird refused to talk to the initiated NTLM negotiation), so I assume
the code is not complete.
2. after adjusting the patch to CentOS 7 needs and making it select, based
on the "--with-ntlm_impl=" parameter, either ntlm.c (ntlm.h) for "cyrus" or
ntlm_samba.*, smb_helper.* for the samba implementation, it seems this patch
really works with NTLM and untouched Thunderbird NTLM settings, with the
following two drawbacks:
- if "log level" in smb.conf is greater than zero, then the ntlm_auth tool
produces unsolicited output which is passed by the SASL NTLM module to the
client via the IMAP channel. This unexpected output confuses the client,
which then breaks the NTLM auth process. With "log level" set to zero, NTLM
works properly. This issue has been encountered only with cyrus-imap.
With postfix there was no issue, as the log output from ntlm_auth was
suppressed by the smtpd daemon and not passed to the client.
- once the authentication is done, for example on the postfix level during
sending of the email, the smtpd daemon segfaults:
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: connect from server.local[192.168.11.13]
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 44 bytes do child: YR Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 199 bytes from helper: TT Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 332 bytes do child: KK Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 9 bytes from helper: AF username
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: kill_helper: Helper died with status 0
Apr 14 21:06:20 ms1 postfix/smtpd[28463]: 17D02209DAE: client=server.local[192.168.11.13], sasl_method=NTLM, sasl_username=username@AD.LOCAL
Apr 14 21:06:20 ms1 postfix/cleanup[28469]: 17D02209DAE: message-id=<dc85e9d0-59ab-4441-c819-bb5854eab0bf@ad.local>
Apr 14 21:06:20 ms1 opendkim[1570]: 17D02209DAE: DKIM-Signature field added (s=defaultnew, d=ad.local)
Apr 14 21:06:20 ms1 postfix/qmgr[28449]: 17D02209DAE: from=<username@ad.local>, size=2313, nrcpt=1 (queue active)
Apr 14 21:06:20 ms1 kernel: smtpd[28463]: segfault at 55ffffffffff ip 00007f8c9fa07ff4 sp 00007ffdba204b90 error 4 in libc-2.17.so[7f8c9f99a000+1c3000]
Apr 14 21:06:20 ms1 postfix/master[28447]: warning: process /usr/libexec/postfix/smtpd pid 28463 killed by signal 11
Apr 14 21:06:20 ms1 postfix/master[28447]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
based on the gdb tool it seems that this is related to the fclose function
during closure within smb_helper.c, which comes with this patch:
(gdb) where
#0 0x00007f030b945ff4 in fclose@@GLIBC_2.2.5 () from /lib64/libc.so.6
#1 0x00007f0307b424c9 in kill_helper (helper=0x55bfc70310b0) at smb_helper.c:160
#2 0x00007f030cb7dc78 in server_dispose (pconn=0x55bfc702d620) at server.c:317
#3 0x00007f030cb7879b in sasl_dispose (pconn=pconn@entry=0x55bfc702bbb0) at common.c:851
#4 0x000055bfc6c0741d in xsasl_cyrus_server_free (xp=0x55bfc702bb80) at xsasl_cyrus_server.c:428
#5 0x000055bfc6bfdf11 in smtpd_sasl_deactivate (state=state@entry=0x7ffcca507e10) at smtpd_sasl_glue.c:271
#6 0x000055bfc6bf1034 in smtpd_proto (state=state@entry=0x7ffcca507e10) at smtpd.c:4888
#7 0x000055bfc6bf1d56 in smtpd_service (stream=<optimized out>, service=0x7ffcca509ed6 "smtps", argv=<optimized out>) at smtpd.c:4962
#8 0x000055bfc6c00b8a in single_server_wakeup (fd=<optimized out>, attr=0x0) at single_server.c:278
#9 0x000055bfc6c301b8 in event_loop (delay=<optimized out>) at events.c:1182
#10 0x000055bfc6c01c21 in single_server_main (argc=argc@entry=19, argv=argv@entry=0x7ffcca508938, service=service@entry=0x55bfc6bf1c50 <smtpd_service>) at single_server.c:772
#11 0x000055bfc6becc67 in main (argc=19, argv=0x7ffcca508938) at smtpd.c:5459
this sigsegv could be related to this part of the code:

void kill_helper(struct smb_helper *helper)
{
    int status;

    /* nothing to do without a helper or a live child */
    if ((helper == NULL) || (helper->child_pid == 0))
        return;

    /* close both pipe ends to the ntlm_auth child, then reap it */
    fclose(helper->pipe_out);
    fclose(helper->pipe_in);
    waitpid(helper->child_pid, &status, 0);
    syslog(LOG_DEBUG, "kill_helper: Helper died with status %d\n", status);

    helper->child_pid = 0;
    free(helper);
}
but this is somehow strange, as "kill_helper: Helper died with status 0"
came into syslog sooner than the segfault message of smtpd, which means
that both fclose lines have been completed without issues. Also I have
tried to use conditions in the following way:

if (helper->pipe_out != NULL) {
    fclose(helper->pipe_out);
}
if (helper->pipe_in != NULL) {
    fclose(helper->pipe_in);
}

which also did not improve the situation... so I am a bit lost here.
in sum this patch seems to be the best option now to have NTLMv2
capability for user authentication, but it has (at least) these two
drawbacks...
regards
michal
On 4/14/2020 1:08 AM, Michal Bruncko wrote:
> ok, seems I found the problem. The NTLM email client which I am using for
> testing - Thunderbird - is refusing to finish NTLM authentication
> because the IMAP server is using NTLMv1, which is denied by default
> Thunderbird configuration. Setting
> "network.auth.force-generic-ntlm-v1" to "true" makes this
> authentication finally work. The problem is: why is NTLMv2 not used?
> I found this https://access.redhat.com/solutions/4253821 and
> recompiled cyrus-sasl with the patch enforcing NTLMv2, but it seems NTLMv2 is
> not used either. Then I found your correspondence here
> https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-December/034227.html
> where you're stating the same, isn't it that?
>
> thanks
> michal
>
> On 4/13/2020 10:23 PM, Michal Bruncko wrote:
>> Dear Dan
>>
>> thank you for the response. I followed your proposal of increasing
>> debugging, but for whatever reason it did not produce anything more
>> in syslog. My rsyslog.conf was set up this way (followed by
>> restarting the rsyslog daemon) as the first option in the list:
>>
>> *.* -/var/log/debug
>>
>> but instead I did an strace of the imapd daemon and a parallel packet capture of
>> the communication to the samba server.
>>
>> I hope this can be helpful.
>>
>> thanks again
>>
>> michal
>>
>>
>>
>> On 4/13/2020 5:19 PM, Dan White wrote:
>>> On 04/11/20 00:53 +0200, Michal Bruncko wrote:
>>>> I am trying to use NTLM authentication (using cyrus-sasl-ntlm) for
>>>> the cyrus-imapd server for user authentication.
>>>>
>>>> in imapd.conf:
>>>>
>>>> sasl_ntlm_server: dc1.example.com
>>>> sasl_ntlm_v2: yes
>>>> sasl_mech_list: PLAIN NTLM LOGIN
>>>>
>>>> dc1.example.com is samba 4 AD DC, I have tried also samba 4.2 in
>>>> NT4 PDC mode, but with same results.
>>>>
>>>> in maillog:
>>>>
>>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
>>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
>>>> Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin:
>>>> client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]
>>>>
>>>> which corresponds to following samba log messages:
>>>>
>>>> [2020/04/10 23:52:00.583266, 3]
>>>> ../source3/smbd/process.c:1880(process_smb)
>>>> Transaction 0 of length 51 (0 toread)
>>>> [2020/04/10 23:52:00.583359, 3]
>>>> ../source3/smbd/process.c:1489(switch_message)
>>>> switch message SMBnegprot (pid 28556) conn 0x0
>>>> [2020/04/10 23:52:00.586326, 3]
>>>> ../source3/smbd/negprot.c:576(reply_negprot)
>>>> Requested protocol [NT LM 0.12]
>>>> [2020/04/10 23:52:00.586887, 3]
>>>> ../source3/smbd/negprot.c:377(reply_nt1)
>>>> not using SPNEGO
>>>> [2020/04/10 23:52:00.586969, 3]
>>>> ../source3/smbd/negprot.c:684(reply_negprot)
>>>> Selected protocol NT LM 0.12
>>>> [2020/04/10 23:52:00.591116, 3]
>>>> ../source3/smbd/server_exit.c:249(exit_server_common)
>>>> Server exit (failed to receive smb request)
>>>
>>> Hi Michal,
>>>
>>> You can increase libsasl's logging with the following in your
>>> imapd.conf:
>>>
>>> sasl_log_level: 7
>>>
>>> See:
>>> https://github.com/cyrusimap/cyrus-sasl/blob/master/include/sasl.h for
>>> a description of the available log levels. You may need to modify your
>>> syslog configuration to accept more verbose auth.* levels.
>>>
>>
>
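Added example, not code from the patch or from anyone in this thread: an idempotent variant of kill_helper() that stays safe when it is called a second time from teardown (server_dispose in the backtrace) after an earlier successful kill, which the ordering of the syslog lines makes one plausible route to an fclose() crash. The struct layout and the spawn_helper() stand-in are assumptions made here for a runnable demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

struct smb_helper {          /* assumed layout, not copied from the patch */
    FILE *pipe_in;           /* replies from ntlm_auth */
    FILE *pipe_out;          /* requests to ntlm_auth */
    pid_t child_pid;
};

/* Constructed stand-in for the patch's launcher: the child exits at once
 * instead of exec'ing ntlm_auth, but the pipes are wired the same way. */
struct smb_helper *spawn_helper(void)
{
    int to_child[2], from_child[2];
    if (pipe(to_child) != 0 || pipe(from_child) != 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) return NULL;
    if (pid == 0) _exit(0);
    close(to_child[0]); close(from_child[1]);
    struct smb_helper *h = calloc(1, sizeof *h);
    h->pipe_out = fdopen(to_child[1], "w");
    h->pipe_in = fdopen(from_child[0], "r");
    h->child_pid = pid;
    return h;
}

/* Idempotent kill_helper: close each stream once and null it, free the struct
 * and clear the caller's pointer, so a repeat call cannot fclose() a dead
 * FILE *. Returns the raw wait status (0 = clean exit) or -1 if nothing to do. */
int kill_helper_once(struct smb_helper **slot)
{
    if (slot == NULL || *slot == NULL) return -1;
    struct smb_helper *h = *slot;
    int status = -1;
    if (h->pipe_out) { fclose(h->pipe_out); h->pipe_out = NULL; }
    if (h->pipe_in)  { fclose(h->pipe_in);  h->pipe_in = NULL; }
    if (h->child_pid > 0) waitpid(h->child_pid, &status, 0);
    free(h);
    *slot = NULL;
    return status;
}

int demo_double_kill(void)   /* explicit kill, then a second kill as teardown would */
{
    struct smb_helper *h = spawn_helper();
    if (h == NULL) return 0;
    int first = kill_helper_once(&h), second = kill_helper_once(&h);
    return first == 0 && h == NULL && second == -1;   /* 1 = both calls were safe */
}
```

The same two changes (null each FILE * after fclose, and reset the caller's handle) are what a reviewer would ask for in the patch's smb_helper.c, since the existing child_pid == 0 guard is read from memory that free(helper) has already released.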
More information about the Cyrus-sasl mailing list