Re: NTLM authentication not working

Since NTLMv1 is considered completely insecure (https://bugzilla.mozilla.org/show_bug.cgi?id=828183), I would agree with that, as many applications (incl. in my case Mozilla's stuff, Thunderbird/Firefox) no longer work natively with NTLMv1 without additional config changes (network.auth.force-generic-ntlm-v1 set to TRUE). The question is what will remain in the NTLM SASL subtree after removing NTLMv1? Is the existing NTLM SASL implementation fully supporting NTLMv2? I spent some time debugging this but I wasn't able to force the NTLM SASL module to provide NTLMv2 between the client and authenticator (SambaAD/PDC), no matter whether I set "yes" for sasl_ntlm_v2 (imapd.conf) or ntlm_v2 (for postfix) respectively, or manually "enforced" NTLMv2 based on the patch from https://access.redhat.com/solutions/4253821 . I was always forced to enable NTLMv1 authentication on the samba side (ntlm auth = yes) to make the NBT session progress and not be refused by the authenticator. For me the least effort, even for the future, could be reusing Andrew's patch (https://bugs.gentoo.org/81342), which hands this authentication over to winbind (ntlm_auth) and which is also the best way to have NTLM working in the future without bigger maintenance effort. I can share the slightly modified Andrew's patch, which can be easily applied against rhel/centos 7, if anybody is interested. As I wrote before, it still has some drawbacks which I hope can be easily managed by programmers (not my case) and used upstream (at least) as an alternative to the current state. The patch provides a switch for which engine has to be used for NTLM authentication - either cyrus (existing ntlm.c) or samba (ntlm_samba.c, smb_helper.c) - compiled into libntlm.so. The patch also introduces a new module GSSSPNEGO (MS Kerberos method), but this was not tested as the existing GSSAPI SASL module works well for us.

regards
michal


On 4/14/2020 10:16 PM, Quanah Gibson-Mount wrote:


--On Tuesday, April 14, 2020 10:36 PM +0200 Michal Bruncko <michal.bruncko@xxxxxxxx> wrote:

hello again

today I've tried two other options:

I'd think at this point it'd be best to remove NTLMv1 from cyrus-sasl master, at least, entirely.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
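A defender-side check for the point raised at the top of this thread (is the SASL layer really sending NTLMv2, or still a v1-family response?): the Python script below is an added example, not code from the thread, from cyrus-sasl or from Samba. It parses an NTLM AUTHENTICATE_MESSAGE (the type 3 token the client sends, which appears base64-encoded in an IMAP/SMTP AUTHENTICATE NTLM exchange) using the field layout from MS-NLMP, and classifies the response as NTLMv1, NTLMv1 with extended session security, NTLMv2 or anonymous. The three sample tokens are constructed inside the script (dummy response bytes, user "alice", domain "EXAMPLE"), not captured traffic.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NEGOTIATE_UNICODE = 0x00000001                    # strings are UTF-16LE
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000   # "NTLM2 session" flavour of v1


def _field(msg, at):
    """Read an MS-NLMP field descriptor (Len, MaxLen, Offset) at `at` and return the bytes it references."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]


def parse_authenticate(msg):
    """Split a type 3 AUTHENTICATE_MESSAGE into its payload fields and flags."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError("expected AUTHENTICATE_MESSAGE, got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "lm_response": _field(msg, 12),
        "nt_response": _field(msg, 20),
        "domain": _field(msg, 28).decode(codec),
        "user": _field(msg, 36).decode(codec),
        "workstation": _field(msg, 44).decode(codec),
        "flags": flags,
    }


def classify(msg):
    """Report which NTLM response family the client actually put on the wire."""
    f = parse_authenticate(msg)
    nt, lm = f["nt_response"], f["lm_response"]
    if len(nt) == 0 and len(lm) <= 1:
        return "anonymous"
    if len(nt) == 24:
        # A 24-byte NT response is always the v1 family. With extended session
        # security the LM field is an 8-byte client nonce padded with zeros.
        ess = (f["flags"] & NEGOTIATE_EXTENDED_SESSIONSECURITY
               and len(lm) == 24 and lm[8:] == b"\x00" * 16)
        return "NTLMv1-ESS" if ess else "NTLMv1"
    if len(nt) > 24 and nt[16] == 0x01 and nt[17] == 0x01:
        # NTProofStr (16 bytes) followed by NTLMv2_CLIENT_CHALLENGE, whose
        # RespType and HiRespType are both 0x01.
        return "NTLMv2"
    return "unknown"


def classify_sasl_token(b64_token):
    """Classify a base64 token as seen in an IMAP/SMTP 'AUTHENTICATE NTLM' exchange."""
    return classify(base64.b64decode(b64_token))


def build_authenticate(lm_response, nt_response, domain, user, workstation, flags):
    """Assemble a minimal type 3 message. Constructed test data, not real traffic."""
    fields = [lm_response, nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    offset = 64  # signature + type + six descriptors + flags
    header = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    payload = b""
    for data in fields:
        header += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    return header + struct.pack("<I", flags) + payload


# Constructed samples: response bytes are dummies, only lengths and markers matter.
V1_MSG = build_authenticate(b"\x11" * 24, b"\x22" * 24, "EXAMPLE", "alice", "WS1",
                            NEGOTIATE_UNICODE)
V1_ESS_MSG = build_authenticate(b"\x33" * 8 + b"\x00" * 16, b"\x22" * 24, "EXAMPLE",
                                "alice", "WS1",
                                NEGOTIATE_UNICODE | NEGOTIATE_EXTENDED_SESSIONSECURITY)
V2_BLOB = (b"\x01\x01" + b"\x00" * 6      # RespType, HiRespType, Reserved1/2
           + b"\x00" * 8 + b"\x44" * 8    # TimeStamp, ChallengeFromClient
           + b"\x00" * 4 + b"\x00" * 4)   # Reserved3, terminating AvPair
V2_MSG = build_authenticate(b"\x00" * 24, b"\x55" * 16 + V2_BLOB, "EXAMPLE", "alice",
                            "WS1", NEGOTIATE_UNICODE)
V2_TOKEN = base64.b64encode(V2_MSG).decode()

if __name__ == "__main__":
    for name, m in (("v1", V1_MSG), ("v1-ess", V1_ESS_MSG), ("v2", V2_MSG)):
        print(name, "->", classify(m), parse_authenticate(m)["user"])
```

To use it on a real exchange, take the last client token of an `AUTHENTICATE NTLM` dialogue (from a protocol trace or `telemetry`-level IMAP/SMTP logging) and pass it to `classify_sasl_token`; a result of `NTLMv1` or `NTLMv1-ESS` means the client, not the server config, is still producing v1 responses, which is exactly the case where Samba refuses the session unless `ntlm auth = yes` is set.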



