On Tue, 19 Feb 2019 08:53:13 +0200 Aki Tuomi wrote:
On 19.2.2019 4.48, Mark Foley via dovecot wrote:
On Mon, 18 Feb 2019 10:17:16 -0000 Stuart Henderson wrote:
On 2019-02-13, Mark Foley via dovecot <dovecot@dovecot.org> wrote:
Is it possible that no one on this list is authenticating Outlook with Dovecot and NTLM? Yes, it's possible, the outdated instructions you found on the wiki suggests it's an uncommon configiration. Hmmm, really? And yet Windows/Outlook is still the predominant email client out there (unfortunately). Maybe everyone is going to outlook.com?
No actual answers from me, but it might give you some clues:
I short-sheeted ntlm_auth to see what was being passed to it. It is getting as arg1:
--helper-protocol=squid-2.5-ntlmssp
I tried running ntlm_auth at the command line as:
ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp
It did nothing, just hung there. The ntlm_auth man page says:
--helper-protocol=PROTO Operate as a stdio-based helper. Valid helper protocols are: The squid auth helpers are stdio-based, they run in a loop, reading from stdin, checking authentication, and return results on stdout. This avoids both passing sensitive data on the command line (visible to ps, at least briefly) and the need to keep forking and initialising a new process.
So it's normal that it would just sit waiting for input.
Dovecot is just reusing the same protocol that squid uses. If --username and --password are passed on the command line, what is it waiting for on stdin? Normally, ntlm_auth, with id and pw passed on the command line prints, "NT_STATUS_OK: The operation completed successfully. (0x0)" to stdout. There is no further stdin input needed.
Is there a way to disable the --helper-protocol in Dovecot?
After more searching I came across this post, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263 which, in summary, said that ntlm_auth had to run as root. So, I added the following to my dovecot config per that post's suggestion:
service auth { user = root }
After restarting and trying again to connect from Outlook I got the message:
auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY I don't know the full details of how samba/ntlm works, but this seems like an error coming from the server you're attempting to authenticate against. I think you should start debugging on the samba side - make sure tools like wbinfo are working, if not then debug those with samba, then move on to Dovecot after you have that working. Samba has been running for years (with updates) and everything like wbinfo works. Dovecot can authenticate with kerberos/GSSAPI, and other applications can authenticate with ntlm_auth. My suspicion here is that the "user not authenticated" problem is perhaps because dovecot cannot run the auth service as root? The dovecot user is dovenull, so why would it be permitted to run as root in any case?
I think the problem is in invoking ntlm_auth. I tried simply returning zero from my "fake" ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from ntlm_auth_helper.
--Mark
Hi,
try
service auth {
user = root
}
Aki - yes, I did try that. It was in my original post but has been edited out of the email chain since.
Things I've tried since:
I installed squid -- it wasn't installed before.
Now, with the NTLM mechanism and:
auth_use_winbind = yes auth_winbind_helper_path = /usr/bin/ntlm_auth
I get:
ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL
This link: https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html, suggests that I need to make /var/lib/samba/winbindd_privileged writable by, I assume, dovecot. Which I did. The link says this is a directory, but in fact it is a pipe:
ls -l /var/lib/samba/winbindd_privileged total 0 srwxrwxrwx 1 root dovecot 0 2019-02-20 00:05 pipe=
That could be an issue? That failed with:
auth: Info: ntlm(?,192.168.0.58,<6Iit7EyCysbAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY
I again tried adding the following both with root and dovecot group ownership:
service auth { user = root }
That gave the same NT_STATUS_NO_MEMORY error. Per your (Aki) suggestion, I tried adding:
default_vsz_limit = 1G
but that made no difference, same NT_STATUS_NO_MEMORY error.
Conclusion thus far: With root.root ownership of /var/lib/samba/winbindd_privileged and no 'service auth' directive, I get the "broken helper" error. With either dovecot ownership of that file (pipe) or using the 'service auth' directive, I get the NO_MEMORY error.
Does this tell anyone anything?
Coupla more things ...
The following works:
ntlm_auth --helper-protocol=squid-2.5-basic user password
This link: http://squid-web-proxy-cache.1019090.n4.nabble.com/NTLM-Authentication-Faili... describes almost exactly my same problem and handshakes (YR TlRMTVN ...). A commentor on this issue says (in 2015),
"NTLM is a proprietary protocol deprecated by its corporate creator in 2006 and officially has not been part of any MS products created after that year.
With some trouble it can be enabled. But now, 9 years later, it is off by default almost everywhere, or literally not existing in the new products code."
Is NTLM, in fact, simply obsolecent and not working?
According to what I've found, Outlook's, "Require logon using Secure Pasword Authentication (SPA)" is NTLM.
Sorry for the long post, but this is basically everything I've discovered and tried up to now.
Final question: Can Outlook authentication using Kerberos/GSSAPI? If so, I'll go that route.
THX --Mark