NTLM authentication not working

Michal Bruncko michal.bruncko at zssos.sk
Tue Apr 14 15:36:55 EDT 2020


hello again

today I've tried two other options:

1. Dhruva's NTLMv2 patch posted here 
https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2009-October/001875.html
2. Andrew's Bartlett patch to handover NTLM to winbind (ntlm_auth)

Results:
1. the first one seems to be not complete. "unix_timestamp" as used in 
code snip is not defined elsewhere and therefore I consider it as an 
customized function. tried to dirty replace that line with 
"strcpy(timestamp, (char)time(NULL));" but NTLMv2 was not woring neither 
(thunderbird refused to talk to initiated NTLM negotiation) so I assume 
the code is not complete.

2. after adjusting patch to centos 7 needs and make it working based on 
"--with-ntlm_impl=" parameter either ntlm.c (ntlm.h) for "cyrus" or 
ntlm_samba.*,smb_helper.* for samba implementation it seems this patch 
really work with using NTLM and untouched Thunderbird NTLM settings with 
following two drawbacks:
- if "log level" in smb.conf is greater than zero, then ntlm_auth tool 
is producing unsolicited output which is passed by SASL NTLM module to 
client via IMAP channel. this unexpected output confuses client which 
then breaks NTLM auth process. with "log level" set to zero, the NTLM 
works properly. this issue have been encountered only with cyrus-imap. 
with postfix there was no issue as log output from ntlm_auth have been 
suppressed by smtpd daemon and not passed to client.
- once the authentication is done for example on postfix level durting 
sending the email, the smtpd daemon segfaults:

Apr 14 21:06:19 ms1 postfix/smtpd[28463]: connect from 
server.local[192.168.11.13]
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 44 
bytes do child: YR Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 199 bytes 
from helper: TT Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 332 
bytes do child: KK Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 9 bytes 
from helper: AF username
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: kill_helper: Helper died with 
status 0
Apr 14 21:06:20 ms1 postfix/smtpd[28463]: 17D02209DAE: 
client=server.local[192.168.11.13], sasl_method=NTLM, 
sasl_username=username at AD.LOCAL
Apr 14 21:06:20 ms1 postfix/cleanup[28469]: 17D02209DAE: 
message-id=<dc85e9d0-59ab-4441-c819-bb5854eab0bf at ad.local>
Apr 14 21:06:20 ms1 opendkim[1570]: 17D02209DAE: DKIM-Signature field 
added (s=defaultnew, d=ad.local)
Apr 14 21:06:20 ms1 postfix/qmgr[28449]: 17D02209DAE: 
from=<username at ad.local>, size=2313, nrcpt=1 (queue active)
Apr 14 21:06:20 ms1 kernel: smtpd[28463]: segfault at 55ffffffffff ip 
00007f8c9fa07ff4 sp 00007ffdba204b90 error 4 in 
libc-2.17.so[7f8c9f99a000+1c3000]
Apr 14 21:06:20 ms1 postfix/master[28447]: warning: process 
/usr/libexec/postfix/smtpd pid 28463 killed by signal 11
Apr 14 21:06:20 ms1 postfix/master[28447]: warning: 
/usr/libexec/postfix/smtpd: bad command startup -- throttling

based on gdb tool it seems that this is related to fclose function 
during closure within smb_helper.c coming with this patch:

(gdb) where
#0  0x00007f030b945ff4 in fclose@@GLIBC_2.2.5 () from /lib64/libc.so.6
#1  0x00007f0307b424c9 in kill_helper (helper=0x55bfc70310b0)
     at smb_helper.c:160
#2  0x00007f030cb7dc78 in server_dispose (pconn=0x55bfc702d620) at 
server.c:317
#3  0x00007f030cb7879b in sasl_dispose (pconn=pconn at entry=0x55bfc702bbb0)
     at common.c:851
#4  0x000055bfc6c0741d in xsasl_cyrus_server_free (xp=0x55bfc702bb80)
     at xsasl_cyrus_server.c:428
#5  0x000055bfc6bfdf11 in smtpd_sasl_deactivate (
     state=state at entry=0x7ffcca507e10) at smtpd_sasl_glue.c:271
#6  0x000055bfc6bf1034 in smtpd_proto (state=state at entry=0x7ffcca507e10)
     at smtpd.c:4888
#7  0x000055bfc6bf1d56 in smtpd_service (stream=<optimized out>,
     service=0x7ffcca509ed6 "smtps", argv=<optimized out>) at smtpd.c:4962
#8  0x000055bfc6c00b8a in single_server_wakeup (fd=<optimized out>, 
attr=0x0)
     at single_server.c:278
#9  0x000055bfc6c301b8 in event_loop (delay=<optimized out>) at 
events.c:1182
#10 0x000055bfc6c01c21 in single_server_main (argc=argc at entry=19,
     argv=argv at entry=0x7ffcca508938,
     service=service at entry=0x55bfc6bf1c50 <smtpd_service>)
     at single_server.c:772
#11 0x000055bfc6becc67 in main (argc=19, argv=0x7ffcca508938) at 
smtpd.c:5459


this sigsegv could be related to this part of code:

void kill_helper(struct smb_helper *helper)
{
         int status;

         if ((helper == NULL) || (helper->child_pid == 0))
                 return;

        fclose(helper->pipe_out);
        fclose(helper->pipe_in);

         waitpid(helper->child_pid, &status, 0);
         syslog(LOG_DEBUG, "kill_helper: Helper died with status %d\n", 
status);

         helper->child_pid = 0;
         free(helper);
}

but this is somehow strange as "kill_helper: Helper died with status 0" 
came into syslog sooner than segfault message of smtpd - which means 
that both fclose lines have been completed without issues. also I have 
tried to use conditions in following way:

         if (helper->pipe_out != NULL) {
                 fclose(helper->pipe_out);
         if (helper->pipe_in != NULL) {
                 fclose(helper->pipe_in);

which also did not improve situation... so I am a bit lost here.


in sum this patch seems to be the best option now to have a NTLMv2 
capability for user authentication, but it has (at least) these two 
drawbacks...

regards
michal



On 4/14/2020 1:08 AM, Michal Bruncko wrote:
> ok, seems I found the problem. NTLM email client which I am using for 
> testing - Thunderbind - is refusing to finish NTLM authentication 
> because IMAP server is using NTLMv1, which is denied by default 
> Thunderbird configuration. setting up 
> "network.auth.force-generic-ntlm-v1" to "true" makes this 
> authentication finally working. the problem is why NTLMv2 is not used? 
> I found this https://access.redhat.com/solutions/4253821 and 
> recompiled cyrus-sasl with patch enforcing NTLMv2, but seems NTLMv2 is 
> not used neither. then I found out your correspondence here 
> https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-December/034227.html 
> where you're stating the same, isnt it that?
>
> thanks
> michal
>
> On 4/13/2020 10:23 PM, Michal Bruncko wrote:
>> Dear Dan
>>
>> thank you for response. followed your proposal with increasing 
>> debugging, but for whatever reason it did not produced anything more 
>> into syslog. my rsyslog.conf was setup this way (followed by 
>> restarting rsyslog daemon) as the first option in list:
>>
>> *.*                                            -/var/log/debug
>>
>> but rather I did strace of imapd daemon and paralel packet capture of 
>> communication to samba server.
>>
>> I hope this can be helpful.
>>
>> thanks again
>>
>> michal
>>
>>
>>
>> On 4/13/2020 5:19 PM, Dan White wrote:
>>> On 04/11/20 00:53 +0200, Michal Bruncko wrote:
>>>> I am trying to use NTLM autentication (using cyrus-sasl-ntlm) for 
>>>> cyrus-imapd server for user authentication.
>>>>
>>>> in imapd.conf:
>>>>
>>>> sasl_ntlm_server:       dc1.example.com
>>>> sasl_ntlm_v2:           yes
>>>> sasl_mech_list:         PLAIN NTLM LOGIN
>>>>
>>>> dc1.example.com is samba 4 AD DC, I have tried also samba 4.2 in 
>>>> NT4 PDC mode, but with same results.
>>>>
>>>> in maillog:
>>>>
>>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
>>>> Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
>>>> Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: 
>>>> client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]
>>>>
>>>> which corresponds to following samba log messages:
>>>>
>>>> [2020/04/10 23:52:00.583266,  3] 
>>>> ../source3/smbd/process.c:1880(process_smb)
>>>>   Transaction 0 of length 51 (0 toread)
>>>> [2020/04/10 23:52:00.583359,  3] 
>>>> ../source3/smbd/process.c:1489(switch_message)
>>>>   switch message SMBnegprot (pid 28556) conn 0x0
>>>> [2020/04/10 23:52:00.586326,  3] 
>>>> ../source3/smbd/negprot.c:576(reply_negprot)
>>>>   Requested protocol [NT LM 0.12]
>>>> [2020/04/10 23:52:00.586887,  3] 
>>>> ../source3/smbd/negprot.c:377(reply_nt1)
>>>>   not using SPNEGO
>>>> [2020/04/10 23:52:00.586969,  3] 
>>>> ../source3/smbd/negprot.c:684(reply_negprot)
>>>>   Selected protocol NT LM 0.12
>>>> [2020/04/10 23:52:00.591116,  3] 
>>>> ../source3/smbd/server_exit.c:249(exit_server_common)
>>>>   Server exit (failed to receive smb request)
>>>
>>> Hi Michal,
>>>
>>> You can increase libsasl's logging with the following in your 
>>> imapd.conf:
>>>
>>> sasl_log_level: 7
>>>
>>> See: 
>>> https://github.com/cyrusimap/cyrus-sasl/blob/master/include/sasl.h for
>>> a description of the available log levels. You may need to modify your
>>> syslog configuration to accept more verbose auth.* levels.
>>>
>>
>



More information about the Cyrus-sasl mailing list