Since NTLMv1 is considered completely insecure
(https://bugzilla.mozilla.org/show_bug.cgi?id=828183) I would agree with
that, as many applications (incl. my case with Mozilla's stuff,
Thunderbird/Firefox) no longer work natively with NTLMv1 without doing
additional config changes (network.auth.force-generic-ntlm-v1 set to TRUE).
The question is what will remain in the NTLM SASL subtree after removing
NTLMv1? Does the existing NTLM SASL implementation fully support
NTLMv2? I spent some time debugging this but I wasn't able to force the
NTLM SASL module to provide NTLMv2 between the client and authenticator
(SambaAD/PDC), no matter whether I set "yes" for sasl_ntlm_v2
(imapd.conf) or ntlm_v2 (for postfix) respectively, or manually "enforced"
NTLMv2 based on the patch from https://access.redhat.com/solutions/4253821 .
I was always forced to enable NTLMv1 authentication on the samba side (ntlm
auth = yes) to make the NBT session progress and not be refused by the
authenticator.
For me, the least effort, even for the future, would be reusing Andrew's
patch (https://bugs.gentoo.org/81342), which hands this
authentication over to winbind (ntlm_auth) and which is also the best way to
keep NTLM working in the future without bigger maintenance efforts. I
can share the slightly modified Andrew's patch, which can be easily
applied against rhel/centos 7, if anybody is interested. As I wrote
before, it still has some drawbacks which I hope can be easily
managed by programmers (not my case) and used upstream (at least) as
an alternative to the current state. The patch provides a switch - which engine
has to be used for NTLM authentication - either cyrus (existing ntlm.c)
or samba (ntlm_samba.c, smb_helper.c) - compiled into libntlm.so.
The patch also introduces a new module GSSSPNEGO (MS Kerberos method), but this
was not tested as the existing GSSAPI SASL module works well for us.
regards
michal
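A diagnostic for the question raised in the message above (is the client actually sending NTLMv2, or did the exchange fall back to NTLMv1?), which inspects the NTLM type 3 (AUTHENTICATE) message on the wire. This is an added example written for this thread, not code from cyrus-sasl, Samba, or any of the patches mentioned; the messages it parses are constructed inline, not real captures, and the flag values and account names are made up for the sample.

```python
import struct

NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

def _field(buf: bytes, off: int) -> bytes:
    """Resolve an NTLM (Len, MaxLen, Offset) descriptor located at buf[off]."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("field descriptor points outside the message")
    return buf[offset:offset + length]

def classify_ntlm_authenticate(msg: bytes) -> dict:
    """Tell which NTLM response flavour a type 3 (AUTHENTICATE) message carries."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        raise ValueError(f"expected AUTHENTICATE (type 3), got type {msg_type}")
    lm_resp = _field(msg, 12)           # LmChallengeResponse
    nt_resp = _field(msg, 20)           # NtChallengeResponse
    domain = _field(msg, 28).decode("utf-16-le", "replace")
    user = _field(msg, 36).decode("utf-16-le", "replace")
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt_resp) == 0:
        version = "anonymous"
    elif len(nt_resp) == 24:
        # Fixed 24-byte DES response: NTLMv1. With extended session security
        # (NTLM2 session) the LM slot holds an 8-byte client nonce + 16 zero bytes.
        ess = bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) and lm_resp[8:] == bytes(16)
        version = "NTLMv1+ESS" if ess else "NTLMv1"
    elif len(nt_resp) > 24 and nt_resp[16:18] == b"\x01\x01":
        # 16-byte NTProofStr followed by NTLMv2_CLIENT_CHALLENGE (RespType=1, HiRespType=1).
        version = "NTLMv2"
    else:
        version = "unknown"
    return {"version": version, "user": user, "domain": domain, "nt_len": len(nt_resp)}

def build_authenticate(lm_resp: bytes, nt_resp: bytes, user: str, domain: str, flags: int) -> bytes:
    """Assemble a minimal type 3 message; constructed sample input, not a real capture."""
    blobs = (lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b"")
    header_len = 64                     # signature, type, six descriptors, flags; no Version/MIC
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload

# Constructed samples: an NTLMv1 exchange and an NTLMv2 one for the same (fake) account.
V1_MSG = build_authenticate(b"\xaa" * 24, b"\xbb" * 24, "alice", "EXAMPLE", 0x00008201)
V2_BLOB = b"\x01\x01" + bytes(6) + bytes(8) + b"\x11" * 8 + bytes(4) + bytes(4) + bytes(4)
V2_MSG = build_authenticate(b"\xcc" * 24, b"\xdd" * 16 + V2_BLOB, "alice", "EXAMPLE", 0x00088201)

if __name__ == "__main__":
    for m in (V1_MSG, V2_MSG):
        print(classify_ntlm_authenticate(m))
```

Feed it the base64-decoded type 3 token from an IMAP or SMTP AUTH NTLM trace to confirm which response the client really sent, independent of what sasl_ntlm_v2 or ntlm_v2 was set to.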
On 4/14/2020 10:16 PM, Quanah Gibson-Mount wrote:
--On Tuesday, April 14, 2020 10:36 PM +0200 Michal Bruncko
<michal.bruncko@xxxxxxxx> wrote:
hello again
today I've tried two other options:
I'd think at this point it'd be best to remove NTLMv1 from cyrus-sasl
master, at least, entirely.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>