ntlm_auth random failures with dovecot
Jason Gunthorpe
jgunthorpe at obsidianresearch.com
Sun Jan 4 05:49:54 UTC 2015
I'm still a bit fuzzy on exactly what has blown up here since my 1.2
install (or maybe it was broken then and I never noticed), but it
looks like the way dovecot is calling out to ntlm_auth is violating
the --helper-protocol=squid-2.5-ntlmssp scheme.
The issue is how it handles simultaneous clients connecting - for
instance launching thunderbird with NTLM auth creates multiple imapds
that all have to be auth'd.
Since dovecot doesn't (and apparrently didn't in 1.2?) serialize this
it ends up sending a jumble to ntlm_auth. Strace sayth, as example:
read(0, "YR xxxxxxx=\n", 4096) = 48
read(0, "YR xxxxxxx=\n", 4096) = 48
read(0, "KK xxxxxxx=\n",4096) = 176
read(0, "KK xxxxxxx=\n",4096) = 176
That is two clients connecting at once, and the sequence has become
jumbled.
Fiddling around with ntlm_auth manually I can get it to give me this:
YR xxx # 1
TT xxx # 1
YR xxx # 2
TT xxx # 2
KK xxx # 2
AF jgg # 2
KK xxx # 1
Called NTLMSSP after state machine was 'done'
GENSEC login failed: NT_STATUS_INVALID_PARAMETER
NA NT_STATUS_INVALID_PARAMETER
Ie, reordering the sequence (# 1 and # 2) causes it to tell you that,
no, the sequence cannot be reordered.
To me this says the samba folks expect that the YY/TT/KK/AF sequence
is *NOT* reordered.
The implication is that the mech-winbind in dovecot must seralize
everything, and it doesn't!
So, this is fairly broken, I can hit these failure causes with a high
probability when using thunderbird.
Any thoughts on how to repair this?
The simplest answer would be to pool and assign a ntlm_auth process to
each incoming auth context, or to actually serialize auth. But it
can't treat ntlm_auth as a stateless helper.
Jason
More information about the dovecot
mailing list