NTLM authentication not working

Simo Sorce simo at redhat.com
Wed Apr 15 09:38:14 EDT 2020 

Hi Michal,
I have a fully working implementation of NTLM, that follows Microsoft's
spec faithfully and with proper testing, and also allow to configure
what is allowed and what isn't.
It is implemented as a GSSAPI module called GSSNTLMSSP:
https://github.com/gssapi/gss-ntlmssp

We can simply remove NTLM code entirely and just write a wrapper that
will use GSSNTLMSSP instead. This will relieve Cyrus-sasl from the need
to deal with this old broken protocol and defer it to an external
party, at the same time gaining a more tested, and better working
implementation.

Note that GSSNTLMSSP also provide a few advantages to users as it can
be integrated with Winbind and potentially other backends on a server
so that authentication will work in a Windows Domain w/o the need to
host lists of passwords for users on the individual servers.

I would avoid ntlm_auth (I am an historical Samba Team member so I know
it well), simply because it will remove features, namely that you won't
be able to just have a simple list of passwords on a system w/o having
to install all of samba and make it run. For small setup that's really
overkill.

Finally, we already have GSS-SPNEGO in SASL so not sure what you mean
at the end of your message here.
Note that GSSAPI will fallback to use GSSNTLMSSP *already* within
SPNEGO if available on the system (we used that in mod_auth_gssapi all
the time for example, as well as in Firefox actually), although I
haven't checked if cyrus-sasl code will work correctly in that case
yet.

Simo.

On Wed, 2020-04-15 at 01:39 +0200, Michal Bruncko wrote:
> since the NTLMv1 is considered as completely insecure 
> (https://bugzilla.mozilla.org/show_bug.cgi?id=828183) I would agree with 
> that as many applications (incl my case with Mozilla's stuff 
> Thunderbird/Firefox) no longer work natively with NTLMv1 without doing 
> additional config changes (network.auth.force-generic-ntlm-v1 set to TRUE).
> the question is what will remain in NTLM SASL subtree after removing 
> NTLMv1? Is the existing NTLM SASL implementation fully supporting 
> NTLMv2? I spent some time with debugging this but I wasn't able force 
> NTLM SASL module to provide NTLMv2 between the client and authenticator 
> (SambaAD/PDC) no matter whether I've set "yes" to sasl_ntlm_v2 
> (imapd.conf) or ntlm_v2 (for postfix) respectively or manually "enforce" 
> NTLMv2 based on patch from https://access.redhat.com/solutions/4253821 . 
> I was always forced to enable ntlm v1 authentication on samba side (ntlm 
> auth = yes) to make the NBT session progressing and not being refused by 
> authenticator.
> For me the less effort even for future could be with reusing Andrew's 
> patch (https://bugs.gentoo.org/81342) which is handing over this 
> authentication to winbind (ntlm_auth) and which also is the best way to 
> have this NTLM working in future without bigger maintenance efforts. I 
> can share the slightly modifed Andrew's patch which can be easily 
> applied against rhel/centos 7 if anybody is interested. as I wrote 
> before it has still some drawbacks which I hope can be even easily 
> managed by programmers (not my case) and used in upstream (at least) as 
> an alternative to current state. patch provides switch - which engine 
> has to be used for NTLM authentication - either cyrus (existing ntlm.c) 
> or samba (ntlm_samba.c, smb_helper.c) - and compiled into libntlm.so.
> Patch introduces also new module GSSSPNEGO (MS Kerberos method) but this 
> was not tested as the existing GSSAPI SASL module works well for us.
> 
> regards
> michal
> 
> 
> On 4/14/2020 10:16 PM, Quanah Gibson-Mount wrote:
> > 
> > --On Tuesday, April 14, 2020 10:36 PM +0200 Michal Bruncko 
> > <michal.bruncko at zssos.sk> wrote:
> > 
> > > hello again
> > > 
> > > today I've tried two other options:
> > 
> > I'd think at this point it'd be best to remove NTLMv1 from cyrus-sasl 
> > master, at least, entirely.
> > 
> > --Quanah
> > 
> > 
> > -- 
> > 
> > Quanah Gibson-Mount
> > Product Architect
> > Symas Corporation
> > Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> > <http://www.symas.com>

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

More information about the Cyrus-sasl mailing list