I've tried setting default_pass_scheme to NTLM (first thing I did) and I tried adding the {NTLM} prefix to the password field; both things don't work.
I will try the plaintext logins with NTLM in LDAP next, and I'll post my results.
I've already set auth_debug and auth_debug_password to yes. Here is the log dump (slightly edited for privacy):
Mar 6 16:00:19 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 6 16:00:19 office dovecot: auth(default): client out: CONT^I1^I
Mar 6 16:00:19 office dovecot: auth(default): client in: CONT^I1^ITlRMTVNTUcsqABDAB7IIogoACgArAABACwADACgAAAAFASgKABADD1NJTlRSQU5TLVNPRlQ=
Mar 6 16:00:19 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUtAbAskoDACMADAABBBFAooAjp5sXLYVGxMAABBDAFACABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAbcdA=
Mar 6 16:00:19 office dovecot: auth(default): client in: CONT^I1^ITlRMTVNTUtAbascoGAAYAGoAAAAYABgAggAAABQAFABIFAKECAAIAFwABADGAAYAZAAFAKEAAACaAAAABQKIAgUBKAoAAAAPVABSAEEATgBTAC0AUwBPAEYAVABsAGkAbwByAFMASQBOAOlVqxuylfFZAAAAAFAKEAABADAAAAAAABCutypTqizx1LjI6+083WW8CXUIlREMLw==
Mar 6 16:00:19 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 6 16:00:19 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<correct NTLM hash>
Mar 6 16:00:20 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 6 16:00:20 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 6 16:00:20 office dovecot: auth(default): client out: CONT^I2^I
Mar 6 16:00:20 office dovecot: auth(default): client in: CONT^I2^ITlRMTVNGUAABFAKEB4IIogFAKEAAAAAAAAAreAlAAAAFASgKAdAADw==
Mar 6 16:00:20 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUA6CAATRDAAMADAAATRFAooAMg4lC++DGnwAAAAAAAAAABQAFAA8AAAAbwBmAGYAaQBjaGUAAwAMdG8AZgBmAGkAYwBlAAtreAA=
Mar 6 16:00:20 office dovecot: auth(default): client in: CONT^I2^ITlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAABaDAAABIFAKECAAIAEgAAAAGAAYAUAAAAAAAAACGAAAABQKIAgUBKAoAAAAPbABpAG8AcgBTAEkATgBPVUNLOMzcAQHACKAAAPuZZleAAAWrongck2qbufsTT4VBZ0DYYGmt4dx2Scd6c1A=
Mar 6 16:00:20 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 6 16:00:20 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<correct NTLM hash>
Mar 6 16:00:22 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 6 16:00:22 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 6 16:00:22 office dovecot: auth(default): client out: CONT^I3^I
Mar 6 16:01:19 office dovecot: imap-login: Disconnected: Inactivity: rip=x.x.x.x, lip=x.x.x.x, TLS
Mar 6 16:01:22 office dovecot: imap-login: Disconnected: Inactivity: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Mar 6 16:01:22 office dovecot: child 30826 (auth) killed with signal 11
It seems that the server is failing the authentication attempt, causing Outlook to retry the authentication. After two times, Outlook just hangs and I need to kill it.
Any ideas?
Thanks, Lior
On 3/6/06, Timo Sirainen <tss@iki.fi> wrote:
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but Outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
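Added example, not part of the original thread or of Dovecot: a small Python helper that groups auth_debug lines like the ones posted above by request id, so failed, unfinished and crashed exchanges stand out. The function name summarize and the sample lines (tokens replaced by placeholders) are constructed for illustration.

```python
import re

# Constructed sample in the same shape as the posted auth_debug output
# (tokens shortened to placeholders; "^I" is how syslog renders a tab).
SAMPLE_LOG = """\
Mar 6 16:00:19 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured
Mar 6 16:00:19 office dovecot: auth(default): client out: CONT^I1^I
Mar 6 16:00:19 office dovecot: auth(default): client in: CONT^I1^I<type-1 token>
Mar 6 16:00:19 office dovecot: auth(default): client out: CONT^I1^I<type-2 token>
Mar 6 16:00:19 office dovecot: auth(default): client in: CONT^I1^I<type-3 token>
Mar 6 16:00:20 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 6 16:00:22 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured
Mar 6 16:00:22 office dovecot: auth(default): client out: CONT^I3^I
Mar 6 16:01:22 office dovecot: child 30826 (auth) killed with signal 11
"""

CLIENT_RE = re.compile(r"auth\(\w+\): client (in|out): (\S.*)$")
CRASH_RE = re.compile(r"child (\d+) \(auth\) killed with signal (\d+)")

def summarize(log_text):
    """Return (requests, crashes): per-request state keyed by id, and
    (pid, signal) tuples for auth children that were killed."""
    requests, crashes = {}, []
    for line in log_text.splitlines():
        crash = CRASH_RE.search(line)
        if crash:
            crashes.append((int(crash.group(1)), int(crash.group(2))))
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue  # ldap lookups, imap-login lines, etc.
        direction, payload = m.groups()
        fields = payload.replace("^I", "\t").split("\t")
        if len(fields) < 2:
            continue
        cmd, req_id = fields[0], fields[1]
        req = requests.setdefault(req_id, {"mech": None, "client_msgs": 0,
              "server_msgs": 0, "outcome": "incomplete", "user": None})
        if cmd == "AUTH" and len(fields) > 2:
            req["mech"] = fields[2]
        elif cmd == "CONT":
            req["client_msgs" if direction == "in" else "server_msgs"] += 1
        elif cmd in ("OK", "FAIL"):
            req["outcome"] = cmd
            for f in fields[2:]:
                if f.startswith("user="):
                    req["user"] = f[len("user="):]
    return requests, crashes
```

A request left as "incomplete" next to a signal 11 entry points at the auth process dying mid-exchange rather than at a password mismatch.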