OK, it seems I found the problem. The NTLM email client which I am using for testing - Thunderbird - is refusing to finish NTLM authentication because the IMAP server is using NTLMv1, which is denied by the default Thunderbird configuration. Setting "network.auth.force-generic-ntlm-v1" to "true" finally makes this authentication work. The problem is: why is NTLMv2 not used? I found this and recompiled cyrus-sasl with a patch enforcing NTLMv2, but it seems NTLMv2 is not used either. Then I found your correspondence here where you're stating the same, isn't that so?


On 4/13/2020 10:23 PM, Michal Bruncko wrote:
Dear Dan

Thank you for the response. I followed your proposal of increasing debugging, but for whatever reason it did not produce anything more in syslog. My rsyslog.conf was set up this way (followed by restarting the rsyslog daemon), as the first option in the list:

*.*                                            -/var/log/debug

But rather, I did an strace of the imapd daemon and a parallel packet capture of the communication to the samba server.

I hope this can be helpful.

Thanks again


On 4/13/2020 5:19 PM, Dan White wrote:
On 04/11/20 00:53 +0200, Michal Bruncko wrote:
I am trying to use NTLM authentication (using cyrus-sasl-ntlm) for the cyrus-imapd server for user authentication.

In imapd.conf:

sasl_ntlm_v2:           yes
sasl_mech_list:         PLAIN NTLM LOGIN

is samba 4 AD DC, I have tried also samba 4.2 in NT4 PDC mode, but with same results.

In maillog:

Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: client.example.local [] NTLM [SASL(0): successful result: ]

which corresponds to the following samba log messages:

[2020/04/10 23:52:00.583266,  3] ../source3/smbd/process.c:1880(process_smb)
  Transaction 0 of length 51 (0 toread)
[2020/04/10 23:52:00.583359,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 28556) conn 0x0
[2020/04/10 23:52:00.586326,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/04/10 23:52:00.586887,  3] ../source3/smbd/negprot.c:377(reply_nt1)
  not using SPNEGO
[2020/04/10 23:52:00.586969,  3] ../source3/smbd/negprot.c:684(reply_negprot)
  Selected protocol NT LM 0.12
[2020/04/10 23:52:00.591116,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (failed to receive smb request)

Hi Michal,

You can increase libsasl's logging with the following in your imapd.conf:

sasl_log_level: 7

See: for
a description of the available log levels. You may need to modify your
syslog configuration to accept more verbose auth.* levels.

