On 19.2.2019 4.48, Mark Foley via dovecot wrote:
> On Mon, 18 Feb 2019 10:17:16 -0000 Stuart Henderson wrote:
>> On 2019-02-13, Mark Foley via dovecot <dovecot@dovecot.org> wrote:
>>> Is it possible that no one on this list is authenticating Outlook with 
>>> Dovecot and NTLM?
>> Yes, it's possible, the outdated instructions you found on the wiki
>> suggests it's an uncommon configuration.
> Hmmm, really? And yet Windows/Outlook is still the predominant email client
> out there (unfortunately). Maybe everyone is going to outlook.com?
>> No actual answers from me, but it might give you some clues:
>>> More on this ...
>>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting as arg1:
>>> --helper-protocol=squid-2.5-ntlmssp
>>> I tried running ntlm_auth at the command line as:
>>> ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp
>>> It did nothing, just hung there. The ntlm_auth man page says:
>>> --helper-protocol=PROTO
>>>   Operate as a stdio-based helper. Valid helper protocols are:
>> The squid auth helpers are stdio-based, they run in a loop, reading from
>> stdin, checking authentication, and return results on stdout. This avoids both
>> passing sensitive data on the command line (visible to ps, at least briefly)
>> and the need to keep forking and initialising a new process.
>> So it's normal that it would just sit waiting for input.
>> Dovecot is just reusing the same protocol that squid uses.
> If --username and --password are passed on the command line, what is it
> waiting for on stdin?
> Normally, ntlm_auth, with id and pw passed on the command line prints
> "operation completed successfully. (0x0)" to stdout. There is no further stdin
> input needed.
> Is there a way to disable the --helper-protocol in Dovecot?
>>> After more searching I came across this post,
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
>>> which, in summary, said that ntlm_auth had to run as root. So, I added the
>>> following to my dovecot config per that post's suggestion:
>>> service auth {
>>>   user = root
>>> }
>>> After restarting and trying again to connect from Outlook I got the message:
>>> auth: Info: ntlm(?,,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY
>> I don't know the full details of how samba/ntlm works, but this seems like
>> an error coming from the server you're attempting to authenticate against.
>> I think you should start debugging on the samba side - make sure tools
>> like wbinfo are working, if not then debug those with samba, then move
>> on to Dovecot after you have that working.
> Samba has been running for years (with updates) and everything like wbinfo
> works. Dovecot can authenticate with kerberos/GSSAPI, and other applications
> can authenticate with ntlm_auth. My suspicion here is that the "user not
> authenticated" problem is perhaps because dovecot cannot run the auth service
> as root? The dovecot user is dovenull, so why would it be permitted to run
> as root in any case?
> I think the problem is in invoking ntlm_auth. I tried simply returning zero
> from my "fake" ntlm_auth, but that didn't work. Not sure what Dovecot is
> expecting from ntlm_auth_helper.
> --Mark

service auth {
  user = root
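The thread above turns on how a stdio-based auth helper behaves: it ignores credentials on argv, blocks reading stdin, and answers one request per line on stdout for as long as the parent keeps it alive. The following is an added illustration, not code from the thread, Dovecot or Samba. It is a constructed mock: the credential table is fake, and the request/reply format (one "username password" line in, one OK/ERR line out) is a simplified stand-in, not the real squid-2.5-ntlmssp message exchange that ntlm_auth speaks.

```python
"""Mock stdio authentication helper, illustrating the squid-style helper loop.

Constructed example: the credentials are not real, and the one-line
request/reply format is a simplified stand-in for the helper protocols
ntlm_auth supports, not the squid-2.5-ntlmssp exchange itself.
"""
import io
import subprocess
import sys

# Constructed credential table for the mock (an in-memory stand-in for the
# domain controller / winbind lookup a real helper would perform).
USERS = {"user": "password"}


def check_request(line):
    """Authenticate one request line of the form 'username password'.

    Returns 'OK' on success, 'ERR' on bad credentials or a malformed line.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    username, password = parts
    return "OK" if USERS.get(username) == password else "ERR"


def helper_loop(inp, out):
    """Run as a stdio helper: one request per line on `inp`, one reply per
    line on `out`, until EOF. Returns the number of requests handled.

    Nothing sensitive appears on the command line, and the parent keeps this
    process alive and pipes each request to it, so there is no per-login
    fork/exec either.
    """
    handled = 0
    for line in inp:
        out.write(check_request(line) + "\n")
        out.flush()          # the parent blocks on our reply, so never buffer it
        handled += 1
    return handled


def run_helper(requests):
    """Parent side: spawn this file in helper mode and feed it requests over
    stdin. Returns the list of replies, one per request."""
    argv = [sys.executable, __file__, "--helper-mode"]   # no secrets in argv
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    stdout, _ = proc.communicate("".join(r + "\n" for r in requests))
    return stdout.splitlines()


def run_in_process(requests):
    """Same exchange without a subprocess, for tests and offline demos."""
    inp = io.StringIO("".join(r + "\n" for r in requests))
    out = io.StringIO()
    helper_loop(inp, out)
    return out.getvalue().splitlines()


if __name__ == "__main__":
    if "--helper-mode" in sys.argv:
        # Helper side: there are no credentials on argv to look at; block on
        # stdin until the parent sends a request. This is the same reason a
        # helper started by hand with no input simply sits there waiting.
        helper_loop(sys.stdin, sys.stdout)
    else:
        print(run_helper(["user password", "user wrong", "nobody x"]))
```

Running the file with no arguments spawns itself in helper mode and prints `['OK', 'ERR', 'ERR']`; while it runs, `ps` shows only `--helper-mode` on the child's command line, never a password. That is the trade-off the reply describes: the helper looks hung when invoked interactively because it is waiting for the parent's first line, not because it is broken.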