Re: NTLM authentication not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


hello again

today I've tried two other options:

1. Dhruva's NTLMv2 patch posted here
2. Andrew's Bartlett patch to handover NTLM to winbind (ntlm_auth)

1. the first one seems to be not complete. "unix_timestamp" as used in code snip is not defined elsewhere and therefore I consider it as an customized function. tried to dirty replace that line with "strcpy(timestamp, (char)time(NULL));" but NTLMv2 was not woring neither (thunderbird refused to talk to initiated NTLM negotiation) so I assume the code is not complete.

2. after adjusting patch to centos 7 needs and make it working based on "--with-ntlm_impl=" parameter either ntlm.c (ntlm.h) for "cyrus" or ntlm_samba.*,smb_helper.* for samba implementation it seems this patch really work with using NTLM and untouched Thunderbird NTLM settings with following two drawbacks: - if "log level" in smb.conf is greater than zero, then ntlm_auth tool is producing unsolicited output which is passed by SASL NTLM module to client via IMAP channel. this unexpected output confuses client which then breaks NTLM auth process. with "log level" set to zero, the NTLM works properly. this issue have been encountered only with cyrus-imap. with postfix there was no issue as log output from ntlm_auth have been suppressed by smtpd daemon and not passed to client. - once the authentication is done for example on postfix level durting sending the email, the smtpd daemon segfaults:

Apr 14 21:06:19 ms1 postfix/smtpd[28463]: connect from server.local[] Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 44 bytes do child: YR Tl...AA= Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 199 bytes from helper: TT Tl...AA= Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 332 bytes do child: KK Tl...AA= Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 9 bytes from helper: AF username Apr 14 21:06:19 ms1 postfix/smtpd[28463]: kill_helper: Helper died with status 0 Apr 14 21:06:20 ms1 postfix/smtpd[28463]: 17D02209DAE: client=server.local[], sasl_method=NTLM, sasl_username=username@AD.LOCAL Apr 14 21:06:20 ms1 postfix/cleanup[28469]: 17D02209DAE: message-id=<dc85e9d0-59ab-4441-c819-bb5854eab0bf@ad.local> Apr 14 21:06:20 ms1 opendkim[1570]: 17D02209DAE: DKIM-Signature field added (s=defaultnew, d=ad.local) Apr 14 21:06:20 ms1 postfix/qmgr[28449]: 17D02209DAE: from=<username@ad.local>, size=2313, nrcpt=1 (queue active) Apr 14 21:06:20 ms1 kernel: smtpd[28463]: segfault at 55ffffffffff ip 00007f8c9fa07ff4 sp 00007ffdba204b90 error 4 in[7f8c9f99a000+1c3000] Apr 14 21:06:20 ms1 postfix/master[28447]: warning: process /usr/libexec/postfix/smtpd pid 28463 killed by signal 11 Apr 14 21:06:20 ms1 postfix/master[28447]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

based on gdb tool it seems that this is related to fclose function during closure within smb_helper.c coming with this patch:

(gdb) where
#0  0x00007f030b945ff4 in fclose@@GLIBC_2.2.5 () from /lib64/
#1  0x00007f0307b424c9 in kill_helper (helper=0x55bfc70310b0)
    at smb_helper.c:160
#2  0x00007f030cb7dc78 in server_dispose (pconn=0x55bfc702d620) at server.c:317
#3  0x00007f030cb7879b in sasl_dispose (pconn=pconn@entry=0x55bfc702bbb0)
    at common.c:851
#4  0x000055bfc6c0741d in xsasl_cyrus_server_free (xp=0x55bfc702bb80)
    at xsasl_cyrus_server.c:428
#5  0x000055bfc6bfdf11 in smtpd_sasl_deactivate (
    state=state@entry=0x7ffcca507e10) at smtpd_sasl_glue.c:271
#6  0x000055bfc6bf1034 in smtpd_proto (state=state@entry=0x7ffcca507e10)
    at smtpd.c:4888
#7  0x000055bfc6bf1d56 in smtpd_service (stream=<optimized out>,
    service=0x7ffcca509ed6 "smtps", argv=<optimized out>) at smtpd.c:4962
#8  0x000055bfc6c00b8a in single_server_wakeup (fd=<optimized out>, attr=0x0)
    at single_server.c:278
#9  0x000055bfc6c301b8 in event_loop (delay=<optimized out>) at events.c:1182
#10 0x000055bfc6c01c21 in single_server_main (argc=argc@entry=19,
    service=service@entry=0x55bfc6bf1c50 <smtpd_service>)
    at single_server.c:772
#11 0x000055bfc6becc67 in main (argc=19, argv=0x7ffcca508938) at smtpd.c:5459

this sigsegv could be related to this part of code:

void kill_helper(struct smb_helper *helper)
        int status;

        if ((helper == NULL) || (helper->child_pid == 0))


        waitpid(helper->child_pid, &status, 0);
        syslog(LOG_DEBUG, "kill_helper: Helper died with status %d\n", status);

        helper->child_pid = 0;

but this is somehow strange as "kill_helper: Helper died with status 0" came into syslog sooner than segfault message of smtpd - which means that both fclose lines have been completed without issues. also I have tried to use conditions in following way:

        if (helper->pipe_out != NULL) {
        if (helper->pipe_in != NULL) {

which also did not improve situation... so I am a bit lost here.

in sum this patch seems to be the best option now to have a NTLMv2 capability for user authentication, but it has (at least) these two drawbacks...


On 4/14/2020 1:08 AM, Michal Bruncko wrote:
ok, seems I found the problem. NTLM email client which I am using for testing - Thunderbind - is refusing to finish NTLM authentication because IMAP server is using NTLMv1, which is denied by default Thunderbird configuration. setting up "network.auth.force-generic-ntlm-v1" to "true" makes this authentication finally working. the problem is why NTLMv2 is not used? I found this and recompiled cyrus-sasl with patch enforcing NTLMv2, but seems NTLMv2 is not used neither. then I found out your correspondence here where you're stating the same, isnt it that?


On 4/13/2020 10:23 PM, Michal Bruncko wrote:
Dear Dan

thank you for response. followed your proposal with increasing debugging, but for whatever reason it did not produced anything more into syslog. my rsyslog.conf was setup this way (followed by restarting rsyslog daemon) as the first option in list:

*.*                                            -/var/log/debug

but rather I did strace of imapd daemon and paralel packet capture of communication to samba server.

I hope this can be helpful.

thanks again


On 4/13/2020 5:19 PM, Dan White wrote:
On 04/11/20 00:53 +0200, Michal Bruncko wrote:
I am trying to use NTLM autentication (using cyrus-sasl-ntlm) for cyrus-imapd server for user authentication.

in imapd.conf:

sasl_ntlm_v2:           yes
sasl_mech_list:         PLAIN NTLM LOGIN is samba 4 AD DC, I have tried also samba 4.2 in NT4 PDC mode, but with same results.

in maillog:

Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin: client.example.local [] NTLM [SASL(0): successful result: ]

which corresponds to following samba log messages:

[2020/04/10 23:52:00.583266,  3] ../source3/smbd/process.c:1880(process_smb)
  Transaction 0 of length 51 (0 toread)
[2020/04/10 23:52:00.583359,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 28556) conn 0x0
[2020/04/10 23:52:00.586326,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/04/10 23:52:00.586887,  3] ../source3/smbd/negprot.c:377(reply_nt1)
  not using SPNEGO
[2020/04/10 23:52:00.586969,  3] ../source3/smbd/negprot.c:684(reply_negprot)
  Selected protocol NT LM 0.12
[2020/04/10 23:52:00.591116,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (failed to receive smb request)

Hi Michal,

You can increase libsasl's logging with the following in your imapd.conf:

sasl_log_level: 7

See: for
a description of the available log levels. You may need to modify your
syslog configuration to accept more verbose auth.* levels.

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux