ntlm_auth random failures with dovecot

[Jason Gunthorpe]

I'm still a bit fuzzy on exactly what has blown up here since my 1.2
install (or maybe it was broken then and I never noticed), but it
looks like the way dovecot is calling out to ntlm_auth is violating
the --helper-protocol=squid-2.5-ntlmssp scheme.

The issue is how it handles simultaneous clients connecting - for
instance launching thunderbird with NTLM auth creates multiple imapds
that all have to be auth'd.

Since dovecot doesn't (and apparrently didn't in 1.2?) serialize this
it ends up sending a jumble to ntlm_auth. Strace sayth, as example:

read(0, "YR xxxxxxx=\n", 4096) = 48
read(0, "YR xxxxxxx=\n", 4096) = 48
read(0, "KK xxxxxxx=\n",4096) = 176
read(0, "KK xxxxxxx=\n",4096) = 176

That is two clients connecting at once, and the sequence has become
jumbled.

Fiddling around with ntlm_auth manually I can get it to give me this:

YR xxx # 1
TT xxx # 1
YR xxx # 2
TT xxx # 2
KK xxx # 2
AF jgg # 2
KK xxx # 1
Called NTLMSSP after state machine was 'done'
GENSEC login failed: NT_STATUS_INVALID_PARAMETER
NA NT_STATUS_INVALID_PARAMETER

Ie, reordering the sequence (# 1 and # 2) causes it to tell you that,
no, the sequence cannot be reordered.

To me this says the samba folks expect that the YY/TT/KK/AF sequence
is *NOT* reordered.

The implication is that the mech-winbind in dovecot must seralize
everything, and it doesn't!

So, this is fairly broken, I can hit these failure causes with a high
probability when using thunderbird.

Any thoughts on how to repair this?

The simplest answer would be to pool and assign a ntlm_auth process to
each incoming auth context, or to actually serialize auth. But it
can't treat ntlm_auth as a stateless helper.

Jason