NTLM authentication not working

Hello

I am trying to use NTLM authentication (using cyrus-sasl-ntlm) for cyrus-imapd server for user authentication.

in imapd.conf:

sasl_ntlm_server:       dc1.example.com
sasl_ntlm_v2:           yes
sasl_mech_list:         PLAIN NTLM LOGIN

dc1.example.com is samba 4 AD DC, I have tried also samba 4.2 in NT4 PDC mode, but with same results.

on both samba servers the "server signing" global parameter is set to "auto" (i.e. accepting non-signed connections is allowed - mandatory for this NTLM SASL plugin from what I read), but I cannot get authentication working.

in maillog:

Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]

NTLM plugin on mailserver is communicating with samba server(s) over port 139. mailserver always exchanges with sambaserver four NBT packets, here is full stream:

23:47:14.971695 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [S.], seq 2264619136, ack 3113401271, win 14280, options [mss 1440,sackOK,TS val 3147289764 ecr 1769474260,nop,wscale 5], length 0
23:47:14.972300 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [.], ack 1, win 113, options [nop,nop,TS val 1769474263 ecr 3147289764], length 0
23:47:14.972364 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [P.], seq 1:73, ack 1, win 113, options [nop,nop,TS val 1769474263 ecr 3147289764], length 72 NBT Session Packet: Session Request
23:47:14.972386 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [.], ack 73, win 447, options [nop,nop,TS val 3147289765 ecr 1769474263], length 0
23:47:14.979752 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [P.], seq 1:5, ack 73, win 447, options [nop,nop,TS val 3147289772 ecr 1769474263], length 4 NBT Session Packet: Session Granted
23:47:14.980199 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [.], ack 5, win 113, options [nop,nop,TS val 1769474271 ecr 3147289772], length 0
23:47:14.982440 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [P.], seq 73:124, ack 5, win 113, options [nop,nop,TS val 1769474273 ecr 3147289772], length 51 NBT Session Packet: Session Message
23:47:14.985406 IP 192.168.0.31.139 > 192.168.0.51.36196: Flags [P.], seq 5:112, ack 124, win 447, options [nop,nop,TS val 3147289778 ecr 1769474273], length 107 NBT Session Packet: Session Message
23:47:15.025563 IP 192.168.0.51.36196 > 192.168.0.31.139: Flags [.], ack 112, win 113, options [nop,nop,TS val 1769474317 ecr 3147289778], length 0

i.e.:
1. from mailserver: NBT Session Packet: Session Request
2. from sambaserver: NBT Session Packet: Session Granted
3. from mailserver: NBT Session Packet: Session Message
4. from sambaserver: NBT Session Packet: Session Message

which corresponds to following samba log messages:

[2020/04/10 23:52:00.583266,  3] ../source3/smbd/process.c:1880(process_smb)
  Transaction 0 of length 51 (0 toread)
[2020/04/10 23:52:00.583359,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 28556) conn 0x0
[2020/04/10 23:52:00.586326,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/04/10 23:52:00.586887,  3] ../source3/smbd/negprot.c:377(reply_nt1)
  not using SPNEGO
[2020/04/10 23:52:00.586969,  3] ../source3/smbd/negprot.c:684(reply_negprot)
  Selected protocol NT LM 0.12
[2020/04/10 23:52:00.591116,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (failed to receive smb request)

basically sambaserver accepted session request, accepted protocol type (NT LM 0.12) request from mailserver (returning STATUS_SUCCESS to mailclient), but mailserver is not responding at all and gracefully closes connection.  there is nothing else exchanged. basically NTLM client creates NBT session and proposes protocol which samba accepted, but then it ends.

question is what I am doing wrong? did I miss something? I know that based on existing open issues the "sasl_ntlm_v2" parameter is ignored, but I have tried to hardcode it, but it ends with same results - there is no difference.

mailserver is centos 7 system with following packages:
cyrus-sasl-ntlm-2.1.26-23.el7.x86_64
cyrus-imapd-2.4.17-15.el7.x86_64

but I have tried to test this NTLM plugin also on older centos 6 system as mailserver (also with cyrus-imapd server) and the behaviour is completely same (error message in maillog, packets exchanged):
cyrus-sasl-ntlm-2.1.23-15.el6_6.2.x86_64
cyrus-imapd-2.3.16-15.el6.x86_64

thanks for any help on this

michal
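
Added example, not part of the original post and not cyrus-sasl code: a small Python helper that groups the quoted maillog lines by process id and decodes the logged "client flags" word into NTLM negotiate flag names. It assumes the logged value is the negotiate-flags field of the client's first NTLM message; the flag names follow MS-NLMP, and the function names are this example's own.

```python
import re
# Subset of the negotiate flag bits defined in MS-NLMP; other bits are reported as unnamed.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
# The three maillog lines quoted in the post.
SAMPLE_LOG = """\
Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]
"""
LINE_RE = re.compile(r"cyrus/\w+\[(\d+)\]: (.*)$")

def decode_flags(value):
    """Return (names of set flags, mask of set bits not in NTLM_FLAGS)."""
    names = [name for bit, name in sorted(NTLM_FLAGS.items()) if value & bit]
    return names, value & ~sum(NTLM_FLAGS) & 0xFFFFFFFF

def summarize(log_text):
    """Per process id: highest NTLM step logged, client flags, badlogin seen."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(int(m.group(1)), {"step": 0, "flags": None, "badlogin": False})
        msg = m.group(2)
        if msg.startswith("NTLM server step "):
            s["step"] = max(s["step"], int(msg.rsplit(" ", 1)[1]))
        elif msg.startswith("client flags: "):
            s["flags"] = int(msg.split(": ", 1)[1], 16)
        elif msg.startswith("badlogin:"):
            s["badlogin"] = True
    return sessions
if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        names, unnamed = decode_flags(s["flags"])
        print(pid, "step", s["step"], "badlogin", s["badlogin"], names, "unnamed=%08x" % unnamed)
```

For the quoted value the decoder reports NEGOTIATE_SIGN and NEGOTIATE_SEAL as clear, and every bit of the upper half-word as set, including bits this table leaves unnamed.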


