[Dovecot] dovecot NTLM authentication

Lior Okman lior.okman at gmail.com
Tue Mar 7 10:04:38 EET 2006


I applied the patch, and retried the NTLM in LDAP authentication.

Here are the additional entries from the log:

Mar  7 09:58:47 office dovecot: auth(default): client in:
AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:47 office dovecot: auth(default): client out:
CONT^I1^ITlRMTVNTUAACFAKADAABADAAAAAFAooAeOC7i82KuAcAAWRONGAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar  7 09:58:47 office dovecot: auth(default): client in:
AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:47 office dovecot: auth(default): client out:
CONT^I1^ITlRMTVNTUAACAABADAAFAKEAAAAFAooAlM4BWKmQWTMAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
base=dc=example,dc=com scope=subtree
filter=(&(objectClass=sambaSamAccount)(uid=lior))
fields=uid,sambaNTPassword
Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
base=dc=example,dc=com scope=subtree
filter=(&(objectClass=sambaSamAccount)(uid=lior))
fields=uid,sambaNTPassword
Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
ntlm negotiated
Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
performing ntlm2 authetication
Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
ntlm negotiated
Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
performing ntlm2 authetication
Mar  7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar  7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
Mar  7 09:58:48 office dovecot: auth(default): client in:
AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar  7 09:58:48 office dovecot: auth(default): client in:
AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:48 office dovecot: auth(default): client out:
CONT^I2^ITlRMTVNTUAACAAAADAABADAaAAAAFAooALL2N8pBm8n4AAFAKEAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
base=dc=example,dc=com scope=subtree
filter=(&(objectClass=sambaSamAccount)(uid=lior))
fields=uid,sambaNTPassword
Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:48 office dovecot: auth(default): client out:
CONT^I2^ITlRMTVNTUAACAABADAABADAAAAAFAooAXljMNOEfMmcAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
ntlm negotiated
Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
performing ntlm2 authetication
Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
base=dc=example,dc=com scope=subtree
filter=(&(objectClass=sambaSamAccount)(uid=lior))
fields=uid,sambaNTPassword
Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
ntlm negotiated
Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
performing ntlm2 authetication
Mar  7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar  7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
Mar  7 09:58:50 office dovecot: auth(default): client in:
AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar  7 09:58:50 office dovecot: auth(default): client in:
AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
Mar  7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
Mar  7 09:59:10 office dovecot: imap-login: Authenticate NTLM failed:
Authentication aborted: user=<lior>, method=NTLM, rip=x.x.x.x,
lip=x.x.x.x, TLS
Mar  7 09:59:10 office dovecot: imap-login: Disconnected: user=<lior>,
method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS


Thanks,
Lior

On 3/7/06, Andrey Panin <pazke at donpac.ru> wrote:
> On 066, 03 07, 2006 at 08:20:51AM +0200, Lior Okman wrote:
> > On 3/6/06, Timo Sirainen <tss at iki.fi> wrote:
> > > On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
> > > > When I compare the NTLM hash provided by the dovecotpw utility to the
> > > > one I have in my SAMBA ldap, it appears to be exactly the same.
> > > >
> > > > When I use the LDAP passdb backend, I can see in the log file that
> > > > dovecot has received the correct NTLM hash value, but outlook fails to
> > > > authenticate successfully.
> > > >
> > > > I'm using the debianized dovecot version v1.0.beta2.
> > >
> > > It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it
> > > reads the scheme wrong. The passwords in LDAP probably aren't prefixed
> > > with {NTLM}? Have you set default_pass_scheme = NTLM in
> > > dovecot-ldap.conf?
> > >
> > > Have you tried if plaintext logins work with NTLM hashes in LDAP? If
> > > they don't, try setting auth_debug=yes and auth_debug_passwords=yes and
> > > check if the logs help.
> > >
> >
> > I've tried putting plaintext passwords in LDAP, and this time it
> > works. Putting the NTLM hash in LDAP still fails, but the value in
> > LDAP is exactly the same as the value generated by dovecotpw.
> >
> > What should I try next?
>
> Could you try -beta3 with attached patch applied ?
>
> --
> Andrey Panin            | Linux and UNIX system administrator
> pazke at donpac.ru         | PGP key: wwwkeys.pgp.net
>
>
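
Added example, not part of the original thread and not Dovecot's code: the non-empty "client out: CONT" payloads in an auth debug log like the one above are base64 NTLM Type 2 (challenge) messages, and decoding one shows the server challenge and whether NTLM2 session security was offered. The function names, the short flag labels and the sample message are constructed for illustration; a log line wrapped by the mail client has to be rejoined onto one line first.

```python
import base64
import struct

# Negotiate-flag bits worth reading in a Type 2 message (labels are shorthand).
FLAGS = {
    0x00000001: "UNICODE",
    0x00000002: "OEM",
    0x00000200: "NTLM",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NTLM2_SESSION",  # extended session security ("ntlm2" in the log)
    0x00800000: "TARGET_INFO",
}

def parse_type2(b64):
    """Decode a base64 NTLM Type 2 message into its header fields."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != 2:
        raise ValueError("expected Type 2, got Type %d" % mtype)
    # Target name security buffer: length, allocated length, offset.
    tlen, _tmax, toff = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    if toff + tlen > len(msg):
        raise ValueError("target name buffer runs past end of message")
    target = msg[toff:toff + tlen].decode("utf-16-le" if flags & 1 else "ascii")
    return {
        "target": target,
        "challenge": msg[24:32].hex(),
        "flags": [name for bit, name in sorted(FLAGS.items()) if flags & bit],
    }

def challenge_from_log(line):
    """Pull the payload out of a 'client out: CONT^I<id>^I<base64>' log line."""
    body = line.split("client out: ", 1)[1].replace("^I", "\t")
    kind, req_id, payload = body.split("\t", 2)
    if kind != "CONT" or not payload.strip():
        raise ValueError("no challenge payload on this line")
    return int(req_id), parse_type2(payload.strip())

def build_sample():
    """Constructed minimal Type 2 message (not taken from the log above)."""
    name = "office".encode("utf-16-le")
    flags = 0x00000001 | 0x00000200 | 0x00020000 | 0x00080000
    head = b"NTLMSSP\x00" + struct.pack("<IHHII", 2, len(name), len(name), 32, flags)
    return base64.b64encode(head + bytes(range(1, 9)) + name).decode()
```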

