Re: NTLM authentication not working

[Michal Bruncko <michal.bruncko@xxxxxxxx>]

ok, seems I found the problem. NTLM email client which I am using for 
testing - Thunderbind - is refusing to finish NTLM authentication 
because IMAP server is using NTLMv1, which is denied by default 
Thunderbird configuration. setting up 
"network.auth.force-generic-ntlm-v1" to "true" makes this authentication 
finally working. the problem is why NTLMv2 is not used? I found this 
https://access.redhat.com/solutions/4253821 and recompiled cyrus-sasl 
with patch enforcing NTLMv2, but seems NTLMv2 is not used neither. then 
I found out your correspondence here 
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-December/034227.html 
where you're stating the same, isnt it that?

thanks
michal

On 4/13/2020 10:23 PM, Michal Bruncko wrote:
> Dear Dan
>
> thank you for response. followed your proposal with increasing 
> debugging, but for whatever reason it did not produced anything more 
> into syslog. my rsyslog.conf was setup this way (followed by 
> restarting rsyslog daemon) as the first option in list:
>
> *.*                                            -/var/log/debug
>
> but rather I did strace of imapd daemon and paralel packet capture of 
> communication to samba server.
>
> I hope this can be helpful.
>
> thanks again
>
> michal
>
>
>
> On 4/13/2020 5:19 PM, Dan White wrote:
> > On 04/11/20 00:53 +0200, Michal Bruncko wrote:
> > > I am trying to use NTLM autentication (using cyrus-sasl-ntlm) for 
> > > cyrus-imapd server for user authentication.
> > >
> > > in imapd.conf:
> > >
> > > sasl_ntlm_server:       dc1.example.com
> > > sasl_ntlm_v2:           yes
> > > sasl_mech_list:         PLAIN NTLM LOGIN
> > >
> > > dc1.example.com is samba 4 AD DC, I have tried also samba 4.2 in NT4 
> > > PDC mode, but with same results.
> > >
> > > in maillog:
> > >
> > > Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
> > > Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
> > > Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: 
> > > client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]
> > >
> > > which corresponds to following samba log messages:
> > >
> > > [2020/04/10 23:52:00.583266,  3] 
> > > ../source3/smbd/process.c:1880(process_smb)
> > >   Transaction 0 of length 51 (0 toread)
> > > [2020/04/10 23:52:00.583359,  3] 
> > > ../source3/smbd/process.c:1489(switch_message)
> > >   switch message SMBnegprot (pid 28556) conn 0x0
> > > [2020/04/10 23:52:00.586326,  3] 
> > > ../source3/smbd/negprot.c:576(reply_negprot)
> > >   Requested protocol [NT LM 0.12]
> > > [2020/04/10 23:52:00.586887,  3] 
> > > ../source3/smbd/negprot.c:377(reply_nt1)
> > >   not using SPNEGO
> > > [2020/04/10 23:52:00.586969,  3] 
> > > ../source3/smbd/negprot.c:684(reply_negprot)
> > >   Selected protocol NT LM 0.12
> > > [2020/04/10 23:52:00.591116,  3] 
> > > ../source3/smbd/server_exit.c:249(exit_server_common)
> > >   Server exit (failed to receive smb request)
> >
> > Hi Michal,
> >
> > You can increase libsasl's logging with the following in your 
> > imapd.conf:
> >
> > sasl_log_level: 7
> >
> > See: 
> > https://github.com/cyrusimap/cyrus-sasl/blob/master/include/sasl.h for
> > a description of the available log levels. You may need to modify your
> > syslog configuration to accept more verbose auth.* levels.