[Dovecot] dovecot NTLM authentication

Andrey Panin pazke at donpac.ru
Tue Mar 7 12:32:49 EET 2006


On 066, 03 07, 2006 at 10:04:38AM +0200, Lior Okman wrote:
> I applied the patch, and retried the NTLM in LDAP authentication.
> 
> Here are the additional entries from the log:
> 
> Mar  7 09:58:47 office dovecot: auth(default): client in:
> AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> Mar  7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
> Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:47 office dovecot: auth(default): client out:
> CONT^I1^ITlRMTVNTUAACFAKADAABADAAAAAFAooAeOC7i82KuAcAAWRONGAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> Mar  7 09:58:47 office dovecot: auth(default): client in:
> AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> Mar  7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
> Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:47 office dovecot: auth(default): client out:
> CONT^I1^ITlRMTVNTUAACAABADAAFAKEAAAAFAooAlM4BWKmQWTMAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> base=dc=example,dc=com scope=subtree
> filter=(&(objectClass=sambaSamAccount)(uid=lior))
> fields=uid,sambaNTPassword
> Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> base=dc=example,dc=com scope=subtree
> filter=(&(objectClass=sambaSamAccount)(uid=lior))
> fields=uid,sambaNTPassword
> Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:

Ooops... <valid NTLM hash> should be shown here too. Timo, we probably need your help.

> Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> ntlm negotiated
> Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> performing ntlm2 authetication
> Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:

And here too.

> Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> ntlm negotiated
> Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> performing ntlm2 authetication
> Mar  7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
> Mar  7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
> Mar  7 09:58:48 office dovecot: auth(default): client in:
> AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> Mar  7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
> Mar  7 09:58:48 office dovecot: auth(default): client in:
> AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> Mar  7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
> Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:48 office dovecot: auth(default): client out:
> CONT^I2^ITlRMTVNTUAACAAAADAABADAaAAAAFAooALL2N8pBm8n4AAFAKEAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> base=dc=example,dc=com scope=subtree
> filter=(&(objectClass=sambaSamAccount)(uid=lior))
> fields=uid,sambaNTPassword
> Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:48 office dovecot: auth(default): client out:
> CONT^I2^ITlRMTVNTUAACAABADAABADAAAAAFAooAXljMNOEfMmcAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
> Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> ntlm negotiated
> Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> performing ntlm2 authetication
> Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> base=dc=example,dc=com scope=subtree
> filter=(&(objectClass=sambaSamAccount)(uid=lior))
> fields=uid,sambaNTPassword
> Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
> Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> ntlm negotiated
> Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> performing ntlm2 authetication
> Mar  7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
> Mar  7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
> Mar  7 09:58:50 office dovecot: auth(default): client in:
> AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> Mar  7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
> Mar  7 09:58:50 office dovecot: auth(default): client in:
> AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> Mar  7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
> Mar  7 09:59:10 office dovecot: imap-login: Authenticate NTLM failed:
> Authentication aborted: user=<lior>, method=NTLM, rip=x.x.x.x,
> lip=x.x.x.x, TLS
> Mar  7 09:59:10 office dovecot: imap-login: Disconnected: user=<lior>,
> method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
> 
> 
> Thanks,
> Lior
> 
> On 3/7/06, Andrey Panin <pazke at donpac.ru> wrote:
> > On 066, 03 07, 2006 at 08:20:51AM +0200, Lior Okman wrote:
> > > On 3/6/06, Timo Sirainen <tss at iki.fi> wrote:
> > > > On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
> > > > > When I compare the NTLM hash provided by the dovecotpw utility to the
> > > > > one I have in my SAMBA ldap, it appears to be exactly the same.
> > > > >
> > > > > When I use the LDAP passdb backend, I can see in the log file that
> > > > > dovecot has received the correct NTLM hash value, but outlook fails to
> > > > > authenticate successfully.
> > > > >
> > > > > I'm using the debianized dovecot version v1.0.beta2.
> > > >
> > > > It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it
> > > > reads the scheme wrong. The passwords in LDAP probably aren't prefixed
> > > > with {NTLM}? Have you set default_pass_scheme = NTLM in
> > > > dovecot-ldap.conf?
> > > >
> > > > Have you tried if plaintext logins work with NTLM hashes in LDAP? If
> > > > they don't, try setting auth_debug=yes and auth_debug_passwords=yes and
> > > > check if the logs help.
> > > >
> > >
> > > I've tried putting plaintext passwords in LDAP, and this time it
> > > works. Putting the NTLM hash in LDAP still fails, but the value in
> > > LDAP is exactly the same as the value generated by dovecotpw.
> > >
> > > What should I try next?
> >
> > Could you try -beta3 with attached patch applied ?
> >
> > --
> > Andrey Panin            | Linux and UNIX system administrator
> > pazke at donpac.ru         | PGP key: wwwkeys.pgp.net
> >

-- 
Andrey Panin		| Linux and UNIX system administrator
pazke at donpac.ru		| PGP key: wwwkeys.pgp.net