Need to authenticate Outlook and NTLM
Aki Tuomi
aki.tuomi at open-xchange.com
Mon Feb 18 13:03:22 EET 2019
On 18.2.2019 12.17, Stuart Henderson via dovecot wrote:
> On 2019-02-13, Mark Foley via dovecot <dovecot at dovecot.org> wrote:
>> Is it possible that no one on this list is authenticating Outlook with Dovecot and NTLM?
> Yes, it's possible, the outdated instructions you found on the wiki
> suggests it's an uncommon configiration.
>
> No actual answers from me, but it might give you some clues:
>
>> More on this ...
>>
>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting as arg1:
>>
>> --helper-protocol=squid-2.5-ntlmssp
>>
>> I tried running ntlm_auth at the command line as:
>>
>> ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp
>>
>> It did nothing, just hung there. The ntlm_auth man page says:
>>
>> --helper-protocol=PROTO
>> Operate as a stdio-based helper. Valid helper protocols are:
> The squid auth helpers are stdio-based, they run in a loop, reading from
> stdin, checking authentication, and return results on stdout. This avoids both
> passing sensitive data on the command line (visible to ps, at least briefly)
> and the need to keep forking and initialising a new process.
>
> So it's normal that it would just sit waiting for input.
>
> Dovecot is just reusing the same protocol that squid uses.
>
>> After more searching I came across this post, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
>> which, in summary, said that ntlm_auth had to run as root. So, I added the following to my
>> dovecot config per that post's suggestion:
>>
>> service auth {
>> user = root
>> }
>>
>> After restarting and trying again to connect from Outlook I got the message:
>>
>> auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY
> I don't know the full details of how samba/ntlm works, but this seems like
> an error coming from the server you're attempting to authenticate against.
> I think you should start debugging on the samba side - make sure tools
> like wbinfo are working, if not then debug those with samba, then move
> on to Dovecot after you have that working.
>
>
You might need to configure auth and auth-worker processes with larger
vsz_limit, or configure default_vsz_limit = 1G
Aki
More information about the dovecot
mailing list