I'm still a bit fuzzy on exactly what has blown up here since my 1.2 install (or maybe it was broken then and I never noticed), but it looks like the way dovecot is calling out to ntlm_auth is violating the --helper-protocol=squid-2.5-ntlmssp scheme.
The issue is how it handles simultaneous clients connecting - for instance launching thunderbird with NTLM auth creates multiple imapds that all have to be auth'd.
Since dovecot doesn't (and apparrently didn't in 1.2?) serialize this it ends up sending a jumble to ntlm_auth. Strace sayth, as example:
read(0, "YR xxxxxxx=\n", 4096) = 48 read(0, "YR xxxxxxx=\n", 4096) = 48 read(0, "KK xxxxxxx=\n",4096) = 176 read(0, "KK xxxxxxx=\n",4096) = 176
That is two clients connecting at once, and the sequence has become jumbled.
Fiddling around with ntlm_auth manually I can get it to give me this:
YR xxx # 1 TT xxx # 1 YR xxx # 2 TT xxx # 2 KK xxx # 2 AF jgg # 2 KK xxx # 1 Called NTLMSSP after state machine was 'done' GENSEC login failed: NT_STATUS_INVALID_PARAMETER NA NT_STATUS_INVALID_PARAMETER
Ie, reordering the sequence (# 1 and # 2) causes it to tell you that, no, the sequence cannot be reordered.
To me this says the samba folks expect that the YY/TT/KK/AF sequence is *NOT* reordered.
The implication is that the mech-winbind in dovecot must seralize everything, and it doesn't!
So, this is fairly broken, I can hit these failure causes with a high probability when using thunderbird.
Any thoughts on how to repair this?
The simplest answer would be to pool and assign a ntlm_auth process to each incoming auth context, or to actually serialize auth. But it can't treat ntlm_auth as a stateless helper.
Jason