On 18.2.2019 12.17, Stuart Henderson via dovecot wrote:
> On 2019-02-13, Mark Foley via dovecot <dovecot@dovecot.org> wrote:
>> Is it possible that no one on this list is authenticating Outlook with
>> Dovecot and NTLM?
>
> Yes, it's possible, the outdated instructions you found on the wiki
> suggest it's an uncommon configuration.
>
> No actual answers from me, but it might give you some clues:
>
>> More on this ...
>>
>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting
>> as arg1:
>>
>> --helper-protocol=squid-2.5-ntlmssp
>>
>> I tried running ntlm_auth at the command line as:
>>
>> ntlm_auth --username=user --password=password
>> --helper-protocol=squid-2.5-ntlmssp
>>
>> It did nothing, just hung there. The ntlm_auth man page says:
>>
>> --helper-protocol=PROTO
>> Operate as a stdio-based helper. Valid helper protocols are:
>
> The squid auth helpers are stdio-based, they run in a loop, reading from
> stdin, checking authentication, and return results on stdout. This avoids both
> passing sensitive data on the command line (visible to ps, at least briefly)
> and the need to keep forking and initialising a new process.
>
> So it's normal that it would just sit waiting for input.
>
> Dovecot is just reusing the same protocol that squid uses.
>
>> After more searching I came across this post,
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
>> which, in summary, said that ntlm_auth had to run as root. So, I added the
>> following to my
>> dovecot config per that post's suggestion:
>>
>> service auth {
>>   user = root
>> }
>>
>> After restarting and trying again to connect from Outlook I got the message:
>>
>> auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not authenticated:
>> NT_STATUS_NO_MEMORY
>
> I don't know the full details of how samba/ntlm works, but this seems like
> an error coming from the server you're attempting to authenticate against.
> I think you should start debugging on the samba side - make sure tools
> like wbinfo are working, if not then debug those with samba, then move
> on to Dovecot after you have that working.
>
>

You might need to configure auth and auth-worker processes with larger vsz_limit, or configure default_vsz_limit = 1G

Aki
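
Added example, not part of the original thread and not Dovecot, Samba or squid code: a sketch of the stdio helper loop described in the quoted reply, showing why such a helper sits waiting when started by hand and how the caller passes authentication data over a pipe instead of the command line. The helper is a constructed stand-in (it does no NTLM); the YR/TT/KK/AF/NA/BH verbs follow the squid NTLM helper convention, and the user `alice` and all tokens are made up.

```python
import base64
import subprocess
import sys

# Stand-in helper (constructed; NOT ntlm_auth). It only mimics the line-based
# loop: one request line on stdin, one reply line on stdout, until EOF.
TOY_HELPER = r'''
import base64, sys
CHALLENGE = base64.b64encode(b"constructed-challenge").decode()
EXPECTED = base64.b64encode(b"constructed-response-for-alice").decode()
for line in sys.stdin:                    # blocks here while nothing is sent
    verb, _, arg = line.strip().partition(" ")
    if verb == "YR":                      # caller starts a negotiation
        reply = "TT " + CHALLENGE         # helper answers with a challenge
    elif verb == "KK":                    # caller forwards the client's response
        reply = "AF alice" if arg == EXPECTED else "NA constructed-logon-failure"
    else:
        reply = "BH unknown request"      # helper-level error
    sys.stdout.write(reply + "\n")
    sys.stdout.flush()                    # the caller reads one line per request
'''

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def run_exchange(requests):
    """Send request lines over the helper's stdin; return (replies, exit code)."""
    proc = subprocess.Popen([sys.executable, "-c", TOY_HELPER],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    replies = []
    for req in requests:
        proc.stdin.write(req + "\n")      # data travels on the pipe, not in argv
        proc.stdin.flush()
        replies.append(proc.stdout.readline().rstrip("\n"))
    proc.stdin.close()                    # EOF is what ends the helper's loop
    code = proc.wait(timeout=10)
    proc.stdout.close()
    return replies, code

if __name__ == "__main__":
    requests = ["YR " + b64(b"constructed-negotiate"),
                "KK " + b64(b"constructed-response-for-alice"),
                "KK " + b64(b"wrong")]
    replies, code = run_exchange(requests)
    for req, rep in zip(requests, replies):
        print(f"-> {req}\n<- {rep}")
    print("helper exit code:", code)
```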