NTLM authentication not working

Michal Bruncko michal.bruncko at zssos.sk
Tue Apr 14 19:39:11 EDT 2020


since the NTLMv1 is considered as completely insecure 
(https://bugzilla.mozilla.org/show_bug.cgi?id=828183) I would agree with 
that as many applications (incl my case with Mozilla's stuff 
Thunderbird/Firefox) no longer work natively with NTLMv1 without doing 
additional config changes (network.auth.force-generic-ntlm-v1 set to TRUE).
the question is what will remain in NTLM SASL subtree after removing 
NTLMv1? Is the existing NTLM SASL implementation fully supporting 
NTLMv2? I spent some time with debugging this but I wasn't able force 
NTLM SASL module to provide NTLMv2 between the client and authenticator 
(SambaAD/PDC) no matter whether I've set "yes" to sasl_ntlm_v2 
(imapd.conf) or ntlm_v2 (for postfix) respectively or manually "enforce" 
NTLMv2 based on patch from https://access.redhat.com/solutions/4253821 . 
I was always forced to enable ntlm v1 authentication on samba side (ntlm 
auth = yes) to make the NBT session progressing and not being refused by 
authenticator.
For me the less effort even for future could be with reusing Andrew's 
patch (https://bugs.gentoo.org/81342) which is handing over this 
authentication to winbind (ntlm_auth) and which also is the best way to 
have this NTLM working in future without bigger maintenance efforts. I 
can share the slightly modifed Andrew's patch which can be easily 
applied against rhel/centos 7 if anybody is interested. as I wrote 
before it has still some drawbacks which I hope can be even easily 
managed by programmers (not my case) and used in upstream (at least) as 
an alternative to current state. patch provides switch - which engine 
has to be used for NTLM authentication - either cyrus (existing ntlm.c) 
or samba (ntlm_samba.c, smb_helper.c) - and compiled into libntlm.so.
Patch introduces also new module GSSSPNEGO (MS Kerberos method) but this 
was not tested as the existing GSSAPI SASL module works well for us.

regards
michal


On 4/14/2020 10:16 PM, Quanah Gibson-Mount wrote:
>
>
> --On Tuesday, April 14, 2020 10:36 PM +0200 Michal Bruncko 
> <michal.bruncko at zssos.sk> wrote:
>
>> hello again
>>
>> today I've tried two other options:
>
> I'd think at this point it'd be best to remove NTLMv1 from cyrus-sasl 
> master, at least, entirely.
>
> --Quanah
>
>
> -- 
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>



More information about the Cyrus-sasl mailing list