[Dovecot] [Patch] Samba's proposed "ntlm_auth + winbind" support for dovecot-auth
Dmitry Butskoy
buc at odusz.so-cdu.ru
Mon Jul 2 20:13:22 EEST 2007
Timo Sirainen wrote:
> On Mon, 2007-07-02 at 20:19 +0400, Dmitry Butskoy wrote:
>
>> Timo Sirainen wrote:
>>
>>>> - Currently I strip domain part of the username returned, i.e. from
>>>> "DOMAIN\user" just to "user". Maybe better add some option
>>>> "auth_winbind_strip_domain" for this?
>>>>
>>>>
>>> What if you changed it to user at domain? Then you could use Dovecot's
>>> standard %n or %u variables.
>>>
>>>
>> AFAIK "user at domain" should have an actual form of "user at example.com",
>> but "ntlm_auth" returns "EXAMPLE\user" in such a case, not
>> "EXAMPLE.COM\user". At least for NTLM (against AD).
>> OTOH the spnego could return the actual "user at example.com", but it is
>> still unknown to me :)
>>
>
> I don't think it's a problem even if it returned only user at example. %d
> then just expands to example. At least I think it's better than not
> having the domain at all.
>
I propose to have an option.
For example, winbind already has a "winbind use default domain" option,
which causes (sometimes :) ) it to return usernames without the domain part.
It is useful on UNIX machines, where the actual UNIX username is just
"user", not "DOMAIN\user".
What happens when dovecot receives the "DOMAIN\user" or "user at example.com"
form? How does it then determine the local UNIX username?
>>> There's one thing I'd want changed: make it non-blocking. Both input and
>>> output are currently blocking, so dovecot-auth is stuck while waiting
>>> for ntlm_auth to reply. I want to avoid this whenever possible (I don't
>>> ever want to see "authentication just gets stuck, why??" mails.
>>> "ntlm_auth timed out" message in log is much nicer).
>>>
>>> I guess ntlm_auth can handle only a single session at a time?
>>>
>> No.
>>
>
> I mean simultaneously. Like you can't send multiple "begin/continue
> authentication" commands to it and then just wait until one of them
> finishes?
>
Oh, yep. You're right, only one at a time.
>>> So this
>>> would pretty much require that you either implement some kind of a queue
>>>
>>>
>> Currently I prefer to use blocking io, which provides such "a queue"
>> de-facto. At least for initial implementation. (I hope "ntlm_auth" is
>> fast enough).
>>
>
> I think the problem isn't ntlm_auth itself, but that it also has to talk
> to AD. So any network problems there could leave it hanging.
>
OTOH winbind daemon can "cache" something now...
Hmm.. Apache seems to use blocking I/O. I'll look later at Squid.
>>> or execute multiple ntlm_auths.
>>>
>> Does the use of a worker for, say, PAM userdb affect us here too?
>>
>
> PAM is passdb. But anyway it shouldn't affect.
>
I mean that when we use a worker for some userdb, we actually have several
dovecot-auth processes, hence several ntlm_auths as well. Am I right?
~buc
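The two design points argued in this thread, that ntlm_auth answers only one session at a time (so requests must be queued) and that dovecot-auth should log "ntlm_auth timed out" rather than block forever while the helper waits on AD, plus the "strip domain" versus "user@domain" naming question, are sketched below as an added example. It is not Dovecot or Samba code and does not implement the real ntlm_auth helper protocol: `FAKE_HELPER_SRC` is a constructed stand-in that echoes each request line and stalls on one beginning with "SLOW", `SerializedHelper`, `HelperTimeout`, `normalize_winbind_user` and `run_demo` are hypothetical names, and the "YR ..." request string is made up.

```python
import os
import select
import subprocess
import sys
import threading
import time

# Constructed stand-in for ntlm_auth: replies "OK <request>" to every line
# and sleeps on a request starting with "SLOW" (a helper stuck talking to AD).
FAKE_HELPER_SRC = (
    "import sys, time\n"
    "for line in sys.stdin:\n"
    "    line = line.rstrip('\\n')\n"
    "    if line.startswith('SLOW'):\n"
    "        time.sleep(5)\n"
    "    sys.stdout.write('OK ' + line + '\\n')\n"
    "    sys.stdout.flush()\n"
)
FAKE_HELPER_ARGV = [sys.executable, "-u", "-c", FAKE_HELPER_SRC]


class HelperTimeout(Exception):
    """Raised instead of blocking forever when the helper does not answer."""


def normalize_winbind_user(name, strip_domain=False):
    """Turn winbind's 'DOMAIN\\user' into 'user@DOMAIN' (so %n/%d expand)
    or, with strip_domain (the proposed auth_winbind_strip_domain), into
    plain 'user'.  Names not in the backslash form are returned unchanged."""
    domain, sep, user = name.partition("\\")
    if not sep:
        return name
    if strip_domain or not domain:
        return user
    return "%s@%s" % (user, domain)


class SerializedHelper:
    """One outstanding request at a time (the helper cannot multiplex),
    with a bounded wait on the reply so the caller is never left hanging."""

    def __init__(self, argv, timeout):
        self.timeout = timeout
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, bufsize=0)
        self.lock = threading.Lock()   # the de-facto queue
        self.pending = b""             # bytes read past the last newline

    def ask(self, request):
        with self.lock:
            os.write(self.proc.stdin.fileno(), request.encode() + b"\n")
            deadline = time.monotonic() + self.timeout
            fd = self.proc.stdout.fileno()
            buf = self.pending
            while b"\n" not in buf:
                remaining = deadline - time.monotonic()
                ready, _, _ = select.select([fd], [], [], max(remaining, 0))
                if not ready:
                    # Give up on this helper instead of stalling all of auth.
                    self.close()
                    raise HelperTimeout("ntlm_auth timed out")
                chunk = os.read(fd, 4096)
                if not chunk:
                    raise RuntimeError("ntlm_auth closed its stdout")
                buf += chunk
            line, _, self.pending = buf.partition(b"\n")
            return line.decode()

    def close(self):
        if self.proc.poll() is None:
            self.proc.kill()
            self.proc.wait()


def run_demo():
    """Return (reply to a fast request, whether a stalled helper timed out)."""
    fast = SerializedHelper(FAKE_HELPER_ARGV, timeout=5.0)
    try:
        reply = fast.ask("YR constructed-token")
    finally:
        fast.close()
    slow = SerializedHelper(FAKE_HELPER_ARGV, timeout=0.5)
    try:
        slow.ask("SLOW")
        timed_out = False
    except HelperTimeout:
        timed_out = True
    finally:
        slow.close()
    return reply, timed_out


if __name__ == "__main__":
    print(normalize_winbind_user("EXAMPLE\\user"))
    print(normalize_winbind_user("EXAMPLE\\user", strip_domain=True))
    print(run_demo())
```

The lock is what the thread calls the queue: a second caller simply waits for the first reply. The deadline-based `select` is the non-blocking piece; whether the helper is slow itself or stuck on the network behind it, the caller gets a logged error after `timeout` seconds rather than an authentication that never completes.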