Re: NTLM authentication not working



Since NTLMv1 is considered completely insecure (I would agree with that, as many applications, including in my case Mozilla's Thunderbird/Firefox, no longer work natively with NTLMv1 without additional config changes: network.auth.force-generic-ntlm-v1 set to TRUE), the question is what will remain in the NTLM SASL subtree after removing NTLMv1. Is the existing NTLM SASL implementation fully supporting NTLMv2?

I spent some time debugging this, but I wasn't able to force the NTLM SASL module to provide NTLMv2 between the client and the authenticator (Samba AD/PDC), no matter whether I set sasl_ntlm_v2 (imapd.conf) or ntlm_v2 (for postfix) to "yes", or manually "enforced" NTLMv2 based on the patch from . I was always forced to enable NTLMv1 authentication on the Samba side (ntlm auth = yes) to make the NBT session progress and not be refused by the authenticator.

For me, the least effort, even for the future, would be reusing Andrew's patch ( which hands this authentication over to winbind (ntlm_auth), and which is also the best way to keep NTLM working in the future without bigger maintenance efforts. I can share the slightly modified version of Andrew's patch, which can be easily applied against RHEL/CentOS 7, if anybody is interested. As I wrote before, it still has some drawbacks, which I hope can be easily managed by programmers (not my case) and used upstream, at least as an alternative to the current state.

The patch provides a switch for which engine has to be used for NTLM authentication, either cyrus (existing ntlm.c) or samba (ntlm_samba.c, smb_helper.c), and compiled into The patch also introduces a new module, GSSSPNEGO (MS Kerberos method), but this was not tested, as the existing GSSAPI SASL module works well for us.


On 4/14/2020 10:16 PM, Quanah Gibson-Mount wrote:
> --On Tuesday, April 14, 2020 10:36 PM +0200 Michal Bruncko <michal.bruncko@xxxxxxxx> wrote:
>
>> hello again
>>
>> today I've tried two other options:
>
> I'd think at this point it'd be best to remove NTLMv1 from cyrus-sasl master, at least, entirely.
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

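The message above could not tell whether the client and the Samba DC were actually negotiating NTLMv2 or falling back to NTLMv1. The following is an added example, not code from this thread, from cyrus-sasl or from Samba: it implements the NTLMv2 response computation from MS-NLMP (NTOWFv1, NTOWFv2, the "temp" blob and NTProofStr) in pure Python, together with the server-side check, and uses the published MS-NLMP section 4.2 test vectors (user "User", domain "Domain", password "Password", server challenge 0123456789abcdef, client challenge aa*8) as constructed input. Function names, the `is_ntlmv2_response()` length heuristic and the MD4 implementation are this example's own; MD4 is written out because OpenSSL 3 builds of `hashlib` often only expose it through the legacy provider.

```python
"""NTLMv2 (MS-NLMP) response computation and verification, added example.

Test vectors are the ones published in MS-NLMP section 4.2; everything else
(function names, the v1/v2 length check) is this example's own construction.
"""
import hmac
import struct

_M = 0xFFFFFFFF
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0, 1, 2


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Only here because NTOWFv1 needs it; not a secure hash."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                           # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: G = majority(b, c, d)
            k = (i % 4) * 4 + i // 4
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3: H = b ^ c ^ d
            a = _rotl((a + (b ^ c ^ d) + x[r3_order[i]] + 0x6ED9EBA1) & _M,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _M, (b0 + b) & _M, (c0 + c) & _M, (d0 + d) & _M
    return struct.pack("<4I", a0, b0, c0, d0)


def ntowf_v1(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. This is what the DC stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over UPPER(user) || domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR (id, byte length, UTF-16LE value); av_pair(0, '') is MsvAvEOL."""
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


def ntlmv2_temp(client_challenge: bytes, timestamp: int, av_pairs: bytes) -> bytes:
    """'temp' per MS-NLMP 3.3.2: version, Z(6), time, client nonce, Z(4), AV pairs, Z(4)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, temp) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + temp, "md5").digest() + temp


def is_ntlmv2_response(nt_response: bytes) -> bool:
    """Heuristic for a captured AUTHENTICATE message: an NTLMv1 NtChallengeResponse is
    exactly 24 bytes (three DES blocks); NTLMv2 is a 16-byte proof followed by temp,
    whose first two bytes are the 0x01 0x01 version marker."""
    return len(nt_response) > 24 and nt_response[16:18] == b"\x01\x01"


def verify_ntlmv2(nt_hash, user, domain, server_challenge, nt_response) -> bool:
    """Server side: needs the account's NT hash, recomputes NTProofStr over the
    client-supplied temp and compares in constant time."""
    if not is_ntlmv2_response(nt_response):
        return False
    proof, temp = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    # Constructed input: the MS-NLMP 4.2 vectors, timestamp zero as in the spec.
    server_challenge = bytes.fromhex("0123456789abcdef")
    nt_hash = ntowf_v1("Password")
    avs = (av_pair(MSV_AV_NB_DOMAIN_NAME, "Domain")
           + av_pair(MSV_AV_NB_COMPUTER_NAME, "Server") + av_pair(MSV_AV_EOL, ""))
    temp = ntlmv2_temp(b"\xaa" * 8, 0, avs)
    resp = ntlmv2_response(nt_hash, "User", "Domain", server_challenge, temp)
    print("NTProofStr :", resp[:16].hex())
    print("looks v2   :", is_ntlmv2_response(resp))
    print("verifies   :", verify_ntlmv2(nt_hash, "User", "Domain", server_challenge, resp))
```

The verification side is the practical point behind the winbind route discussed in the message: a server can only check NTLMv2 itself if it holds the account's NT hash, otherwise it has to pass the challenge and response to something that can, which is what handing the exchange to ntlm_auth does. The 24-byte length check is a quick way to confirm from a packet capture whether a client actually sent NTLMv2 or silently fell back to NTLMv1.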