[Dovecot] dovecot NTLM authentication
Hi,
I'm trying to configure DoveCot to allow NTLM authentication. I've successfully authenticated with Outlook 2003 against Dovecot when the passdb backend used to store the password is a passwd-file. It doesn't matter if the passwd-file contains plain or NTLM encrypted passwords.
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
I can post my dovecot-ldap.conf file, if it will help.
Can anybody help me configure my dovecot to allow Outlook to perform NTLM authentication when the password database is in LDAP?
Thanks, Lior Okman
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
I've tried setting default_pass_scheme to NTLM (first thing I did) and I tried adding the {NTLM} prefix to the password field; neither works.
I will try the plaintext logins with NTLM in LDAP next, and I'll post my results.
I've already set auth_debug and auth_debug_password to yes. Here is the log dump (slightly edited for privacy):
Mar 6 16:00:19 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 6 16:00:19 office dovecot: auth(default): client out: CONT^I1^I
Mar 6 16:00:19 office dovecot: auth(default): client in: CONT^I1^ITlRMTVNTUcsqABDAB7IIogoACgArAABACwADACgAAAAFASgKABADD1NJTlRSQU5TLVNPRlQ=
Mar 6 16:00:19 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUtAbAskoDACMADAABBBFAooAjp5sXLYVGxMAABBDAFACABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAbcdA=
Mar 6 16:00:19 office dovecot: auth(default): client in: CONT^I1^ITlRMTVNTUtAbascoGAAYAGoAAAAYABgAggAAABQAFABIFAKECAAIAFwABADGAAYAZAAFAKEAAACaAAAABQKIAgUBKAoAAAAPVABSAEEATgBTAC0AUwBPAEYAVABsAGkAbwByAFMASQBOAOlVqxuylfFZAAAAAFAKEAABADAAAAAAABCutypTqizx1LjI6+083WW8CXUIlREMLw==
Mar 6 16:00:19 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 6 16:00:19 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<correct NTLM hash>
Mar 6 16:00:20 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 6 16:00:20 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 6 16:00:20 office dovecot: auth(default): client out: CONT^I2^I
Mar 6 16:00:20 office dovecot: auth(default): client in: CONT^I2^ITlRMTVNGUAABFAKEB4IIogFAKEAAAAAAAAAreAlAAAAFASgKAdAADw==
Mar 6 16:00:20 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUA6CAATRDAAMADAAATRFAooAMg4lC++DGnwAAAAAAAAAABQAFAA8AAAAbwBmAGYAaQBjaGUAAwAMdG8AZgBmAGkAYwBlAAtreAA=
Mar 6 16:00:20 office dovecot: auth(default): client in: CONT^I2^ITlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAABaDAAABIFAKECAAIAEgAAAAGAAYAUAAAAAAAAACGAAAABQKIAgUBKAoAAAAPbABpAG8AcgBTAEkATgBPVUNLOMzcAQHACKAAAPuZZleAAAWrongck2qbufsTT4VBZ0DYYGmt4dx2Scd6c1A=
Mar 6 16:00:20 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 6 16:00:20 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<correct NTLM hash>
Mar 6 16:00:22 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 6 16:00:22 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 6 16:00:22 office dovecot: auth(default): client out: CONT^I3^I
Mar 6 16:01:19 office dovecot: imap-login: Disconnected: Inactivity: rip=x.x.x.x, lip=x.x.x.x, TLS
Mar 6 16:01:22 office dovecot: imap-login: Disconnected: Inactivity: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Mar 6 16:01:22 office dovecot: child 30826 (auth) killed with signal 11
It seems that the server is failing the authentication attempt, causing Outlook to retry the authentication. After two times, outlook just hangs and I need to kill it.
Any ideas?
Thanks, Lior
On 3/6/06, Timo Sirainen tss@iki.fi wrote:
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
On 3/6/06, Timo Sirainen tss@iki.fi wrote:
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
I've tried putting plaintext passwords in LDAP, and this time it works. Putting the NTLM hash in LDAP still fails, but the value in LDAP is exactly the same as the value generated by dovecotpw.
What should I try next?
On 066, 03 07, 2006 at 08:20:51AM +0200, Lior Okman wrote:
On 3/6/06, Timo Sirainen tss@iki.fi wrote:
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
I've tried putting plaintext passwords in LDAP, and this time it works. Putting the NTLM hash in LDAP still fails, but the value in LDAP is exactly the same as the value generated by dovecotpw.
What should I try next?
Could you try -beta3 with the attached patch applied?
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
I applied the patch, and retried the NTLM in LDAP authentication.
Here are the additional entries from the log:
Mar 7 09:58:47 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUAACFAKADAABADAAAAAFAooAeOC7i82KuAcAAWRONGAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:47 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUAACAABADAAFAKEAAAAFAooAlM4BWKmQWTMAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 7 09:58:48 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar 7 09:58:48 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUAACAAAADAABADAaAAAAFAooALL2N8pBm8n4AAFAKEAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUAACAABADAABADAAAAAFAooAXljMNOEfMmcAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 7 09:58:50 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar 7 09:58:50 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar 7 09:59:10 office dovecot: imap-login: Authenticate NTLM failed: Authentication aborted: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Mar 7 09:59:10 office dovecot: imap-login: Disconnected: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Thanks, Lior
On 3/7/06, Andrey Panin pazke@donpac.ru wrote:
On 066, 03 07, 2006 at 08:20:51AM +0200, Lior Okman wrote:
On 3/6/06, Timo Sirainen tss@iki.fi wrote:
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
I've tried putting plaintext passwords in LDAP, and this time it works. Putting the NTLM hash in LDAP still fails, but the value in LDAP is exactly the same as the value generated by dovecotpw.
What should I try next?
Could you try -beta3 with the attached patch applied?
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On 066, 03 07, 2006 at 10:04:38AM +0200, Lior Okman wrote:
I applied the patch, and retried the NTLM in LDAP authentication.
Here are the additional entries from the log:
Mar 7 09:58:47 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUAACFAKADAABADAAAAAFAooAeOC7i82KuAcAAWRONGAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:47 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUAACAABADAAFAKEAAAAFAooAlM4BWKmQWTMAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Ooops... <valid NTLM hash> should be shown here too. Timo, we probably need your help.
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
And here too.
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 7 09:58:48 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar 7 09:58:48 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUAACAAAADAABADAaAAAAFAooALL2N8pBm8n4AAFAKEAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUAACAABADAABADAAAAAFAooAXljMNOEfMmcAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 7 09:58:50 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar 7 09:58:50 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar 7 09:59:10 office dovecot: imap-login: Authenticate NTLM failed: Authentication aborted: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Mar 7 09:59:10 office dovecot: imap-login: Disconnected: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Thanks, Lior
On 3/7/06, Andrey Panin pazke@donpac.ru wrote:
On 066, 03 07, 2006 at 08:20:51AM +0200, Lior Okman wrote:
On 3/6/06, Timo Sirainen tss@iki.fi wrote:
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
I've tried putting plaintext passwords in LDAP, and this time it works. Putting the NTLM hash in LDAP still fails, but the value in LDAP is exactly the same as the value generated by dovecotpw.
What should I try next?
Could you try -beta3 with the attached patch applied?
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
Hi,
I think I've found the problem with the non-plain ldap authentication.
I tried DIGEST-MD5 authentication with LDAP, and it also failed when the password in LDAP wasn't in PLAIN. It seems that if the password in LDAP wasn't PLAIN, then instead of providing a copy of the encrypted password onwards, the password cached inside auth_request was being used. This meant that it was being cleared a bit later in auth_request_handle_passdb_callback, before being passed to the mech-??? callbacks.
By the time verification was attempted, it was done with a blank password.
Lior
On 3/7/06, Andrey Panin pazke@donpac.ru wrote:
On 066, 03 07, 2006 at 10:04:38AM +0200, Lior Okman wrote:
I applied the patch, and retried the NTLM in LDAP authentication.
Here are the additional entries from the log:
Mar 7 09:58:47 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUAACFAKADAABADAAAAAFAooAeOC7i82KuAcAAWRONGAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:47 office dovecot: auth(default): client in: AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT^I1^ITlRMTVNTUAACAABADAAFAKEAAAAFAooAlM4BWKmQWTMAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Ooops... <valid NTLM hash> should be shown here too. Timo, we probably need your help.
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
And here too.
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar 7 09:58:48 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar 7 09:58:48 office dovecot: auth(default): client in: AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUAACAAAADAABADAaAAAAFAooALL2N8pBm8n4AAFAKEAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): client out: CONT^I2^ITlRMTVNTUAACAABADAABADAAAAAFAooAXljMNOEfMmcAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar 7 09:58:50 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar 7 09:58:50 office dovecot: auth(default): client in: AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar 7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar 7 09:59:10 office dovecot: imap-login: Authenticate NTLM failed: Authentication aborted: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Mar 7 09:59:10 office dovecot: imap-login: Disconnected: user=<lior>, method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
Thanks, Lior
On 3/7/06, Andrey Panin pazke@donpac.ru wrote:
On 066, 03 07, 2006 at 08:20:51AM +0200, Lior Okman wrote:
On 3/6/06, Timo Sirainen tss@iki.fi wrote:
On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
When I compare the NTLM hash provided by the dovecotpw utility to the one I have in my SAMBA ldap, it appears to be exactly the same.
When I use the LDAP passdb backend, I can see in the log file that dovecot has received the correct NTLM hash value, but outlook fails to authenticate successfully.
I'm using the debianized dovecot version v1.0.beta2.
It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it reads the scheme wrong. The passwords in LDAP probably aren't prefixed with {NTLM}? Have you set default_pass_scheme = NTLM in dovecot-ldap.conf?
Have you tried if plaintext logins work with NTLM hashes in LDAP? If they don't, try setting auth_debug=yes and auth_debug_passwords=yes and check if the logs help.
I've tried putting plaintext passwords in LDAP, and this time it works. Putting the NTLM hash in LDAP still fails, but the value in LDAP is exactly the same as the value generated by dovecotpw.
What should I try next?
Could you try -beta3 with the attached patch applied?
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
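The symptom Andrey pointed at in the quoted log (the ldap passdb returns sambaNTPassword, yet the ntlm mechanism's "ntlm creds:" line is empty) and the cause Lior describes (the cached password being cleared before the mechanism callback runs) can be checked mechanically instead of by eye. The following is an added example, not code from the thread or from Dovecot: a small Python checker that parses dovecot 1.0 auth debug lines, pairs each passdb result with the next mechanism "creds" line for the same user, and flags the cases where the credential went missing in between, alongside a per-request OK/FAIL summary. The log text is constructed from the lines quoted in the thread; the second, successful attempt and its OK response line are assumed for contrast and do not appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the dovecot 1.0 auth debug output quoted in the
# thread (auth_debug=yes, auth_debug_passwords=yes). The archive rendered the auth
# protocol's tab separators as ^I; they are real tabs here. Request 1 reproduces
# the reported failure: the passdb returns a hash, the mechanism gets nothing.
# Request 2 is an assumed healthy flow, not taken from the thread, so that the
# checker has a negative case.
SAMPLE_LOG = """\
Mar 7 09:58:47 office dovecot: auth(default): client in: AUTH\t1\tNTLM\tservice=IMAP\tsecured\tlip=x.x.x.x\trip=x.x.x.x
Mar 7 09:58:47 office dovecot: auth(default): client out: CONT\t1\t
Mar 7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): base=dc=example,dc=com scope=subtree filter=(&(objectClass=sambaSamAccount)(uid=lior)) fields=uid,sambaNTPassword
Mar 7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds: 
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm negotiated
Mar 7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): performing ntlm2 authetication
Mar 7 09:58:48 office dovecot: auth(default): client out: FAIL\t1\tuser=lior
Mar 7 10:02:01 office dovecot: auth(default): client in: AUTH\t2\tNTLM\tservice=IMAP\tsecured\tlip=x.x.x.x\trip=x.x.x.x
Mar 7 10:02:01 office dovecot: auth(default): ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar 7 10:02:01 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds: <valid NTLM hash>
Mar 7 10:02:01 office dovecot: auth(default): client out: OK\t2\tuser=lior
"""

# syslog prefix: "Mar 7 09:58:47 office dovecot: auth(default): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: (?P<proc>[^:]+): (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"^client in: AUTH\t(?P<id>\d+)\t(?P<mech>[^\t]+)")
RESULT_RE = re.compile(r"^client out: (?P<res>OK|FAIL)\t(?P<id>\d+)")
# "ldap(lior,x.x.x.x): uid(user)=lior sambaNTPassword(password)=<value>"
PASSDB_RE = re.compile(r"^(?P<db>\w+)\((?P<user>[^,)]+),[^)]*\): .*\(password\)=(?P<value>.*)$")
# "ntlm(lior,x.x.x.x): ntlm creds: <value>"
CREDS_RE = re.compile(r"^(?P<mech>\w+)\((?P<user>[^,)]+),[^)]*\): \w+ creds: ?(?P<value>.*)$")


@dataclass
class Event:
    ts: str
    proc: str   # "auth(default)", "imap-login", ...
    msg: str


@dataclass
class Finding:
    ts: str
    user: str
    mech: str
    passdb_value: str


def parse_auth_log(text: str) -> List[Event]:
    """Split syslog text into dovecot events; lines from other daemons are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(Event(m["ts"], m["proc"], m["msg"]))
    return events


def find_lost_credentials(events: List[Event]) -> List[Finding]:
    """Flag a mechanism that received an empty credential right after a passdb returned one."""
    pending: Dict[str, str] = {}   # user -> value most recently returned by a passdb
    findings = []
    for ev in events:
        if not ev.proc.startswith("auth("):
            continue
        m = PASSDB_RE.match(ev.msg)
        if m:
            pending[m["user"]] = m["value"].strip()
            continue
        m = CREDS_RE.match(ev.msg)
        if m:
            expected = pending.pop(m["user"], "")
            if expected and not m["value"].strip():
                findings.append(Finding(ev.ts, m["user"], m["mech"], expected))
    return findings


def auth_outcomes(events: List[Event]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each auth request id to its mechanism and its final OK/FAIL verdict."""
    outcomes: Dict[str, Dict[str, Optional[str]]] = {}
    for ev in events:
        m = AUTH_RE.match(ev.msg)
        if m:
            outcomes[m["id"]] = {"mech": m["mech"], "result": None}
            continue
        m = RESULT_RE.match(ev.msg)
        if m and m["id"] in outcomes:
            outcomes[m["id"]]["result"] = m["res"]
    return outcomes


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for f in find_lost_credentials(evs):
        print(f"{f.ts}: {f.mech} mechanism for {f.user} got an empty credential; "
              f"passdb had returned {f.passdb_value!r}")
    for rid, o in auth_outcomes(evs).items():
        print(f"request {rid}: {o['mech']} -> {o['result']}")
```

Run against a real log the checker reads the same way the thread's participants did: a request whose passdb line carries a value but whose mechanism creds line is blank is the auth process losing the credential between the two, not a wrong hash in LDAP, which is why comparing the stored value with dovecotpw output could never explain the failure.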
On Tue, 2006-03-07 at 23:41 +0200, Lior Okman wrote:
I think I've found the problem with the non-plain ldap authentication.
I tried DIGEST-MD5 authentication with LDAP, and it also failed when the password in LDAP wasn't in PLAIN. It seems that if the password in LDAP wasn't PLAIN, then instead of providing a copy of the encrypted password onwards, the password cached inside auth_request was being used. This meant that it was being cleared a bit later in auth_request_handle_passdb_callback, before being passed to the mech-??? callbacks.
Thanks, committed the patch to CVS.
participants (3)
- Andrey Panin
- Lior Okman
- Timo Sirainen