hello again
today I've tried two other options:
1. Dhruva's NTLMv2 patch posted here
https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2009-October/001875.html
2. Andrew's Bartlett patch to handover NTLM to winbind (ntlm_auth)
Results:
1. the first one seems to be not complete. "unix_timestamp" as used in
code snip is not defined elsewhere and therefore I consider it as an
customized function. tried to dirty replace that line with
"strcpy(timestamp, (char)time(NULL));" but NTLMv2 was not woring neither
(thunderbird refused to talk to initiated NTLM negotiation) so I assume
the code is not complete.
2. after adjusting patch to centos 7 needs and make it working based on
"--with-ntlm_impl=" parameter either ntlm.c (ntlm.h) for "cyrus" or
ntlm_samba.*,smb_helper.* for samba implementation it seems this patch
really work with using NTLM and untouched Thunderbird NTLM settings with
following two drawbacks:
- if "log level" in smb.conf is greater than zero, then ntlm_auth tool
is producing unsolicited output which is passed by SASL NTLM module to
client via IMAP channel. this unexpected output confuses client which
then breaks NTLM auth process. with "log level" set to zero, the NTLM
works properly. this issue have been encountered only with cyrus-imap.
with postfix there was no issue as log output from ntlm_auth have been
suppressed by smtpd daemon and not passed to client.
- once the authentication is done for example on postfix level durting
sending the email, the smtpd daemon segfaults:
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: connect from
server.local[192.168.11.13]
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 44
bytes do child: YR Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 199 bytes
from helper: TT Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Sending 332
bytes do child: KK Tl...AA=
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: interact_helper: Got 9 bytes
from helper: AF username
Apr 14 21:06:19 ms1 postfix/smtpd[28463]: kill_helper: Helper died with
status 0
Apr 14 21:06:20 ms1 postfix/smtpd[28463]: 17D02209DAE:
client=server.local[192.168.11.13], sasl_method=NTLM,
sasl_username=username@AD.LOCAL
Apr 14 21:06:20 ms1 postfix/cleanup[28469]: 17D02209DAE:
message-id=<dc85e9d0-59ab-4441-c819-bb5854eab0bf@ad.local>
Apr 14 21:06:20 ms1 opendkim[1570]: 17D02209DAE: DKIM-Signature field
added (s=defaultnew, d=ad.local)
Apr 14 21:06:20 ms1 postfix/qmgr[28449]: 17D02209DAE:
from=<username@ad.local>, size=2313, nrcpt=1 (queue active)
Apr 14 21:06:20 ms1 kernel: smtpd[28463]: segfault at 55ffffffffff ip
00007f8c9fa07ff4 sp 00007ffdba204b90 error 4 in
libc-2.17.so[7f8c9f99a000+1c3000]
Apr 14 21:06:20 ms1 postfix/master[28447]: warning: process
/usr/libexec/postfix/smtpd pid 28463 killed by signal 11
Apr 14 21:06:20 ms1 postfix/master[28447]: warning:
/usr/libexec/postfix/smtpd: bad command startup -- throttling
based on gdb tool it seems that this is related to fclose function
during closure within smb_helper.c coming with this patch:
(gdb) where
#0 0x00007f030b945ff4 in fclose@@GLIBC_2.2.5 () from /lib64/libc.so.6
#1 0x00007f0307b424c9 in kill_helper (helper=0x55bfc70310b0)
at smb_helper.c:160
#2 0x00007f030cb7dc78 in server_dispose (pconn=0x55bfc702d620) at
server.c:317
#3 0x00007f030cb7879b in sasl_dispose (pconn=pconn@entry=0x55bfc702bbb0)
at common.c:851
#4 0x000055bfc6c0741d in xsasl_cyrus_server_free (xp=0x55bfc702bb80)
at xsasl_cyrus_server.c:428
#5 0x000055bfc6bfdf11 in smtpd_sasl_deactivate (
state=state@entry=0x7ffcca507e10) at smtpd_sasl_glue.c:271
#6 0x000055bfc6bf1034 in smtpd_proto (state=state@entry=0x7ffcca507e10)
at smtpd.c:4888
#7 0x000055bfc6bf1d56 in smtpd_service (stream=<optimized out>,
service=0x7ffcca509ed6 "smtps", argv=<optimized out>) at smtpd.c:4962
#8 0x000055bfc6c00b8a in single_server_wakeup (fd=<optimized out>,
attr=0x0)
at single_server.c:278
#9 0x000055bfc6c301b8 in event_loop (delay=<optimized out>) at
events.c:1182
#10 0x000055bfc6c01c21 in single_server_main (argc=argc@entry=19,
argv=argv@entry=0x7ffcca508938,
service=service@entry=0x55bfc6bf1c50 <smtpd_service>)
at single_server.c:772
#11 0x000055bfc6becc67 in main (argc=19, argv=0x7ffcca508938) at
smtpd.c:5459
this sigsegv could be related to this part of code:
void kill_helper(struct smb_helper *helper)
{
int status;
if ((helper == NULL) || (helper->child_pid == 0))
return;
fclose(helper->pipe_out);
fclose(helper->pipe_in);
waitpid(helper->child_pid, &status, 0);
syslog(LOG_DEBUG, "kill_helper: Helper died with status %d\n",
status);
helper->child_pid = 0;
free(helper);
}
but this is somehow strange as "kill_helper: Helper died with status 0"
came into syslog sooner than segfault message of smtpd - which means
that both fclose lines have been completed without issues. also I have
tried to use conditions in following way:
if (helper->pipe_out != NULL) {
fclose(helper->pipe_out);
if (helper->pipe_in != NULL) {
fclose(helper->pipe_in);
which also did not improve situation... so I am a bit lost here.
in sum this patch seems to be the best option now to have a NTLMv2
capability for user authentication, but it has (at least) these two
drawbacks...
regards
michal
On 4/14/2020 1:08 AM, Michal Bruncko wrote:
ok, seems I found the problem. NTLM email client which I am using for
testing - Thunderbind - is refusing to finish NTLM authentication
because IMAP server is using NTLMv1, which is denied by default
Thunderbird configuration. setting up
"network.auth.force-generic-ntlm-v1" to "true" makes this
authentication finally working. the problem is why NTLMv2 is not used?
I found this https://access.redhat.com/solutions/4253821 and
recompiled cyrus-sasl with patch enforcing NTLMv2, but seems NTLMv2 is
not used neither. then I found out your correspondence here
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-December/034227.html
where you're stating the same, isnt it that?
thanks
michal
On 4/13/2020 10:23 PM, Michal Bruncko wrote:
Dear Dan
thank you for response. followed your proposal with increasing
debugging, but for whatever reason it did not produced anything more
into syslog. my rsyslog.conf was setup this way (followed by
restarting rsyslog daemon) as the first option in list:
*.* -/var/log/debug
but rather I did strace of imapd daemon and paralel packet capture of
communication to samba server.
I hope this can be helpful.
thanks again
michal
On 4/13/2020 5:19 PM, Dan White wrote:
On 04/11/20 00:53 +0200, Michal Bruncko wrote:
I am trying to use NTLM autentication (using cyrus-sasl-ntlm) for
cyrus-imapd server for user authentication.
in imapd.conf:
sasl_ntlm_server: dc1.example.com
sasl_ntlm_v2: yes
sasl_mech_list: PLAIN NTLM LOGIN
dc1.example.com is samba 4 AD DC, I have tried also samba 4.2 in
NT4 PDC mode, but with same results.
in maillog:
Apr 10 23:32:30 mail cyrus/imaps[10078]: NTLM server step 1
Apr 10 23:32:30 mail cyrus/imaps[10078]: client flags: ffff8207
Apr 10 23:32:33 mail cyrus/imaps[10078]: badlogin:
client.example.local [172.17.0.13] NTLM [SASL(0): successful result: ]
which corresponds to following samba log messages:
[2020/04/10 23:52:00.583266, 3]
../source3/smbd/process.c:1880(process_smb)
Transaction 0 of length 51 (0 toread)
[2020/04/10 23:52:00.583359, 3]
../source3/smbd/process.c:1489(switch_message)
switch message SMBnegprot (pid 28556) conn 0x0
[2020/04/10 23:52:00.586326, 3]
../source3/smbd/negprot.c:576(reply_negprot)
Requested protocol [NT LM 0.12]
[2020/04/10 23:52:00.586887, 3]
../source3/smbd/negprot.c:377(reply_nt1)
not using SPNEGO
[2020/04/10 23:52:00.586969, 3]
../source3/smbd/negprot.c:684(reply_negprot)
Selected protocol NT LM 0.12
[2020/04/10 23:52:00.591116, 3]
../source3/smbd/server_exit.c:249(exit_server_common)
Server exit (failed to receive smb request)
Hi Michal,
You can increase libsasl's logging with the following in your
imapd.conf:
sasl_log_level: 7
See:
https://github.com/cyrusimap/cyrus-sasl/blob/master/include/sasl.h for
a description of the available log levels. You may need to modify your
syslog configuration to accept more verbose auth.* levels.