The Samba team recommends to use their "ntlm_auth" command line helper
for "NTLM" and "GSS-SPNEGO" authentication. This helper interacts with
the Samba's winbind daemon, and this way can authenticate users against
NT or Active Directory windows domain.
Currently Dovecot can do "NTLM" authentication too, but just "locally" (against a local or sql database etc.).
I've made a patch (attached), which adds "ntlm_auth" (or "winbind") support for Dovecot.
The idea is to add two new authentication mechanisms: "mech_winbind_ntlm" and "mech_winbind_spnego". Both are coded in one additional file, "mech-winbind.c". An option "auth_ntlm_use_winbind" specifies whether to use the current implementation of ntlm, or do it by the "ntlm_auth" helper. "GSS-SPNEGO" always performed by the helper. Normally, "ntlm_auth" is invoked once, for all further requests.
Such a way, "ntlm_auth helper from the Samba package, interacting with
the Samba's winbind daemon", is used now by Squid, Apache and AFAIK some
other applications. It is "strongly recommended" by the Samba team, and
was already proposed even in this maillist 3 year ago (see f.e.
http://www.dovecot.org/list/dovecot/2004-September/004775.html ).
I hope there are no any serious performance issues for such a "complex way" -- f.e. with our web proxy, using this way, ~200 users do not feel any actual delays etc.
I've successfully tested this patch with NTLM against AD domain.
This patch can considerably improve the situation of "Email client on Windows desktop under Windows domain, but imap/pop at UNIX server".
Currently, windows users have to specify their "login/password" for email accounts manually. There is an "SPA" (Secure Password Authentication) alternative for them, where just the desktop's login is used transparently, but it cannot be used now, because Dovecot cannot perform NTLM against, say, Active Directory domain.
Since "dovecot-auth" daemon can be utilized by MTA as well (Postfix and other), the support of "ntlm_auth" in Dovecot can satisfy both SMTP and IMAP servers at UNIX side, and solve the issue completely.
Questions and requests: the helper's cmdline exactly ?
- I try to code things most close to used style, i.e. using Dovecot's memory-management and io-pipe routines etc., but could someone look at it and check whether I've missed something or not?
- Perhaps some names (of routines, modules) could be chosen better?
- Maybe some other options should be implemented, i.e. "auth_winbind_helper_ntlm" and "auth_winbind_helper_spnego" to specify
- Currently I strip domain part of the username returned, i.e. from "DOMAIN\user" just to "user". Maybe better add some option "auth_winbind_strip_domain" for this?
Certainly, it will be fine if someone else check it more, especially for "GSS-SPNEGO" which I cannot test for a while.
Regards, Dmitry Butskoy http://www.fedoraproject.org/wiki/DmitryButskoy