I'm still a bit fuzzy on exactly what has blown up here since my 1.2 install (or maybe it was broken then and I never noticed), but it looks like the way dovecot is calling out to ntlm_auth is violating the --helper-protocol=squid-2.5-ntlmssp scheme.
The issue is how it handles simultaneous clients connecting - for instance launching thunderbird with NTLM auth creates multiple imapds that all have to be auth'd. Since dovecot doesn't (and apparently didn't in 1.2?) serialize this it ends up sending a jumble to ntlm_auth. Strace sayth, as example:

    read(0, "YR xxxxxxx=\n", 4096) = 48
    read(0, "YR xxxxxxx=\n", 4096) = 48
    read(0, "KK xxxxxxx=\n",4096) = 176
    read(0, "KK xxxxxxx=\n",4096) = 176

That is two clients connecting at once, and the sequence has become jumbled. Fiddling around with ntlm_auth manually I can get it to give me this:

    YR xxx # 1
    TT xxx # 1
    YR xxx # 2
    TT xxx # 2
    KK xxx # 2
    AF jgg # 2
    KK xxx # 1
    Called NTLMSSP after state machine was 'done'
    GENSEC login failed: NT_STATUS_INVALID_PARAMETER
    NA NT_STATUS_INVALID_PARAMETER

I.e., reordering the sequence (# 1 and # 2) causes it to tell you that, no, the sequence cannot be reordered. To me this says the samba folks expect that the YR/TT/KK/AF sequence is *NOT* reordered. The implication is that the mech-winbind in dovecot must serialize everything, and it doesn't!

So, this is fairly broken, I can hit these failure causes with a high probability when using thunderbird.

Any thoughts on how to repair this? The simplest answer would be to pool and assign a ntlm_auth process to each incoming auth context, or to actually serialize auth. But it can't treat ntlm_auth as a stateless helper.

Jason
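As an added illustration (not code from the post, dovecot or samba), the following toy model of the squid-2.5-ntlmssp helper state machine reproduces the failure above: two logins interleaved into one helper process leave one of them with NA, while a pool with one helper per auth context lets both finish with AF. The token formats ("chalN", "KK chal:user") are simplified assumptions standing in for the real base64 blobs.

```python
# Added example, not code from the original post, dovecot or samba: a toy model
# of the squid-2.5-ntlmssp helper protocol (YR -> TT, KK -> AF/NA) under one
# shared ntlm_auth process versus one process per auth context.

class NtlmHelper:
    """Models one ntlm_auth process: one outstanding challenge, then 'done'."""
    def __init__(self):
        self.challenge, self.done, self.issued = None, False, 0

    def feed(self, line):
        cmd, _, arg = line.partition(" ")
        if self.done:  # "Called NTLMSSP after state machine was 'done'"
            return "NA NT_STATUS_INVALID_PARAMETER"
        if cmd == "YR":  # type-1 token: issue a fresh challenge (assumed format)
            self.issued += 1
            self.challenge = f"chal{self.issued}"
            return "TT " + self.challenge
        if cmd == "KK" and self.challenge and arg.startswith(self.challenge + ":"):
            self.done = True  # type-3 answer matches the outstanding challenge
            return "AF " + arg.split(":", 1)[1]
        return "NA NT_STATUS_INVALID_PARAMETER"

def ntlm_client(user):
    """Generator modelling one IMAP login: send YR, answer the TT challenge with KK."""
    reply = yield f"YR type1-{user}"
    challenge = reply[3:] if reply.startswith("TT ") else ""
    yield f"KK {challenge}:{user}"

def drive(users, helper_for):
    """Run the clients in lockstep so their lines interleave, as in the strace."""
    gens = {u: ntlm_client(u) for u in users}
    pending = {u: next(g) for u, g in gens.items()}  # every client's YR first
    results = {}
    while pending:
        for u in list(pending):
            reply = helper_for(u).feed(pending.pop(u))
            try:
                pending[u] = gens[u].send(reply)
            except StopIteration:
                results[u] = reply  # final helper reply for this login
    return results

def shared_helper(users):  # current behaviour: all logins funnel into one process
    helper = NtlmHelper()
    return drive(users, lambda _u: helper)

def pooled_helpers(users):  # proposed fix: one ntlm_auth process per auth context
    pool = {}
    return drive(users, lambda u: pool.setdefault(u, NtlmHelper()))
```

Running `shared_helper(["jgg-1", "jgg-2"])` yields NA for one login and AF for the other, mirroring the manual session above; `pooled_helpers` returns AF for both.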