[Dovecot] dovecot NTLM authentication

Lior Okman lior.okman at gmail.com
Tue Mar 7 23:41:39 EET 2006


Hi,


I think I've found the problem with the non-plain ldap authentication.

I tried DIGEST-MD5 authentication with LDAP, and it also failed when
the password in LDAP wasn't in PLAIN. It seems that if the password in
LDAP wasn't PLAIN, then instead of providing a copy of the encrypted
password onwards, the password cached inside auth_request was being
used. This meant that it was being cleared a bit later in
auth_request_handle_passdb_callback, before being passed to the
mech-??? callbacks.

By the time verification was attempted, it was done with a blank password.

Lior

On 3/7/06, Andrey Panin <pazke at donpac.ru> wrote:
> On 066, 03 07, 2006 at 10:04:38AM +0200, Lior Okman wrote:
> > I applied the patch, and retried the NTLM in LDAP authentication.
> >
> > Here are the additional entries from the log:
> >
> > Mar  7 09:58:47 office dovecot: auth(default): client in:
> > AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> > Mar  7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
> > Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:47 office dovecot: auth(default): client out:
> > CONT^I1^ITlRMTVNTUAACFAKADAABADAAAAAFAooAeOC7i82KuAcAAWRONGAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> > Mar  7 09:58:47 office dovecot: auth(default): client in:
> > AUTH^I1^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> > Mar  7 09:58:47 office dovecot: auth(default): client out: CONT^I1^I
> > Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:47 office dovecot: auth(default): client out:
> > CONT^I1^ITlRMTVNTUAACAABADAAFAKEAAAAFAooAlM4BWKmQWTMAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> > Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > base=dc=example,dc=com scope=subtree
> > filter=(&(objectClass=sambaSamAccount)(uid=lior))
> > fields=uid,sambaNTPassword
> > Mar  7 09:58:47 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > base=dc=example,dc=com scope=subtree
> > filter=(&(objectClass=sambaSamAccount)(uid=lior))
> > fields=uid,sambaNTPassword
> > Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> > Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
>
> Ooops... <valid NTLM hash> should be shown here too. Timo, we probably need your help.
>
> > Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > ntlm negotiated
> > Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > performing ntlm2 authetication
> > Mar  7 09:58:47 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> > Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
>
> And here too.
>
> > Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > ntlm negotiated
> > Mar  7 09:58:47 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > performing ntlm2 authetication
> > Mar  7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
> > Mar  7 09:58:48 office dovecot: auth(default): client out: FAIL^I1^Iuser=lior
> > Mar  7 09:58:48 office dovecot: auth(default): client in:
> > AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> > Mar  7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
> > Mar  7 09:58:48 office dovecot: auth(default): client in:
> > AUTH^I2^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> > Mar  7 09:58:48 office dovecot: auth(default): client out: CONT^I2^I
> > Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:48 office dovecot: auth(default): client out:
> > CONT^I2^ITlRMTVNTUAACAAAADAABADAaAAAAFAooALL2N8pBm8n4AAFAKEAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> > Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > base=dc=example,dc=com scope=subtree
> > filter=(&(objectClass=sambaSamAccount)(uid=lior))
> > fields=uid,sambaNTPassword
> > Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:48 office dovecot: auth(default): client out:
> > CONT^I2^ITlRMTVNTUAACAABADAABADAAAAAFAooAXljMNOEfMmcAWRONGAAAABQAFAA8AAAAbwBmAGYAaQBjAGUAAwAMAG8AZgBmAGkAYwBlAAAAAAA=
> > Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> > Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
> > Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > ntlm negotiated
> > Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > performing ntlm2 authetication
> > Mar  7 09:58:48 office dovecot: auth(default): client in: CONT<hidden>
> > Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > base=dc=example,dc=com scope=subtree
> > filter=(&(objectClass=sambaSamAccount)(uid=lior))
> > fields=uid,sambaNTPassword
> > Mar  7 09:58:48 office dovecot: auth(default): ldap(lior,x.x.x.x):
> > uid(user)=lior sambaNTPassword(password)=<valid NTLM hash>
> > Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x): ntlm creds:
> > Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > ntlm negotiated
> > Mar  7 09:58:48 office dovecot: auth(default): ntlm(lior,x.x.x.x):
> > performing ntlm2 authetication
> > Mar  7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
> > Mar  7 09:58:50 office dovecot: auth(default): client out: FAIL^I2^Iuser=lior
> > Mar  7 09:58:50 office dovecot: auth(default): client in:
> > AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> > Mar  7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
> > Mar  7 09:58:50 office dovecot: auth(default): client in:
> > AUTH^I3^INTLM^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=x.x.x.x
> > Mar  7 09:58:50 office dovecot: auth(default): client out: CONT^I3^I
> > Mar  7 09:59:10 office dovecot: imap-login: Authenticate NTLM failed:
> > Authentication aborted: user=<lior>, method=NTLM, rip=x.x.x.x,
> > lip=x.x.x.x, TLS
> > Mar  7 09:59:10 office dovecot: imap-login: Disconnected: user=<lior>,
> > method=NTLM, rip=x.x.x.x, lip=x.x.x.x, TLS
> >
> >
> > Thanks,
> > Lior
> >
> > On 3/7/06, Andrey Panin <pazke at donpac.ru> wrote:
> > > On 066, 03 07, 2006 at 08:20:51AM +0200, Lior Okman wrote:
> > > > On 3/6/06, Timo Sirainen <tss at iki.fi> wrote:
> > > > > On Mon, 2006-03-06 at 15:26 +0200, Lior Okman wrote:
> > > > > > When I compare the NTLM hash provided by the dovecotpw utility to the
> > > > > > one I have in my SAMBA ldap, it appears to be exactly the same.
> > > > > >
> > > > > > When I use the LDAP passdb backend, I can see in the log file that
> > > > > > dovecot has received the correct NTLM hash value, but outlook fails to
> > > > > > authenticate successfully.
> > > > > >
> > > > > > I'm using the debianized dovecot version v1.0.beta2.
> > > > >
> > > > > It shouldn't matter if it's in LDAP or in passwd-file. I'd guess it
> > > > > reads the scheme wrong. The passwords in LDAP probably aren't prefixed
> > > > > with {NTLM}? Have you set default_pass_scheme = NTLM in
> > > > > dovecot-ldap.conf?
> > > > >
> > > > > Have you tried if plaintext logins work with NTLM hashes in LDAP? If
> > > > > they don't, try setting auth_debug=yes and auth_debug_passwords=yes and
> > > > > check if the logs help.
> > > > >
> > > >
> > > > I've tried putting plaintext passwords in LDAP, and this time it
> > > > works. Putting the NTLM hash in LDAP still fails, but the value in
> > > > LDAP is exactly the same as the value generated by dovecotpw.
> > > >
> > > > What should I try next?
> > >
> > > Could you try -beta3 with attached patch applied ?
> > >
> > > --
> > > Andrey Panin            | Linux and UNIX system administrator
> > > pazke at donpac.ru         | PGP key: wwwkeys.pgp.net
> > >
>
> --
> Andrey Panin            | Linux and UNIX system administrator
> pazke at donpac.ru         | PGP key: wwwkeys.pgp.net
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-non-plain-from-ldap.patch
Type: text/x-patch
Size: 615 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20060307/4633acc3/dovecot-non-plain-from-ldap.bin
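Added illustration, not Dovecot's code and not the attached patch: a simplified C model of the lifetime bug Lior describes, in which the mechanism is handed a pointer into the request's cached password instead of a copy, and that buffer is wiped before the deferred verification runs, so the mechanism ends up comparing against an empty string. The struct and function names (auth_req, passdb_done_*, mech_verify) are hypothetical, and the credential value is a constructed sample.

```c
#include <string.h>
#include <stdbool.h>

#define PW_MAX 64

struct auth_req {
    char cached_password[PW_MAX];   /* credential copied in from the passdb result */
    const char *mech_credentials;   /* what the mechanism verifies against, later */
};

/* Buggy flow: alias the cached buffer, then clear it before the mech runs. */
static void passdb_done_buggy(struct auth_req *r, const char *from_passdb) {
    strncpy(r->cached_password, from_passdb, PW_MAX - 1);
    r->cached_password[PW_MAX - 1] = '\0';
    r->mech_credentials = r->cached_password;              /* alias, not a copy */
    memset(r->cached_password, 0, sizeof r->cached_password); /* early "cleanup" */
}

/* Fixed flow: give the mechanism its own copy before the cache is wiped. */
static void passdb_done_fixed(struct auth_req *r, char *mech_copy, size_t n,
                              const char *from_passdb) {
    strncpy(r->cached_password, from_passdb, PW_MAX - 1);
    r->cached_password[PW_MAX - 1] = '\0';
    strncpy(mech_copy, r->cached_password, n - 1);
    mech_copy[n - 1] = '\0';
    r->mech_credentials = mech_copy;
    memset(r->cached_password, 0, sizeof r->cached_password);
}

/* The mechanism callback runs only after the passdb handler has returned. */
static bool mech_verify(const struct auth_req *r, const char *client_proof) {
    return strcmp(r->mech_credentials, client_proof) == 0;
}

/* True when the buggy flow wrongly rejects a correct credential: the
 * comparison happens against "" because the cache was already zeroed. */
bool buggy_flow_rejects_valid(void) {
    struct auth_req r;
    passdb_done_buggy(&r, "NTHASH_CONSTRUCTED");   /* constructed sample value */
    return !mech_verify(&r, "NTHASH_CONSTRUCTED");
}

/* True when the fixed flow accepts the same correct credential. */
bool fixed_flow_accepts_valid(void) {
    struct auth_req r;
    char copy[PW_MAX];
    passdb_done_fixed(&r, copy, sizeof copy, "NTHASH_CONSTRUCTED");
    return mech_verify(&r, "NTHASH_CONSTRUCTED");
}
```

The failure mode here is a rejected valid login (FAIL in the log above), which is the safe direction; the same aliasing pattern in a verifier that treated an empty credential as a match would be a bypass, so a copy with a clear owner is the fix either way.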

