Re: [Evolution] EWS NTLM auth not working

2018-02-19 Thread j2ev
Hello Milan,

yes, of course, that was also my plan, I just needed to make a final
touch. Originally, I wanted to ask in libsoup mailing list if someone
would take a look. But since you proposed to file it as a bug report, I
did. I created a new bug report:

Bug 793613 - NTLMv2 responses support
https://bugzilla.gnome.org/show_bug.cgi?id=793613
___
evolution-list mailing list
evolution-list@gnome.org
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list


Re: [Evolution] EWS NTLM auth not working

2018-02-19 Thread Milan Crha
On Sun, 2018-02-18 at 09:23 +0100, j2ev wrote:
> Anyway, I made some more progress also. I tried to make an
> implementation of NTLMv2 in libsoup and was able to successfully
> authenticate against our "Send NTLMv2 response only. Refuse LM &
> NTLM" enabled server (domain). So it seems I was right, that libsoup
> actually does not support NTLMv2, just NTLM2 Session Response.

Hi,
would you mind sharing your libsoup changes, please? I found for
example [1], which mentions NTLMv2, but it's possible it's not the
right bug report for it. Updating or filing a new libsoup bug with
your proposed change will help others and you get credit for the
change as well.
Thanks and bye,
Milan

[1] https://bugzilla.gnome.org/show_bug.cgi?id=736554


Re: [Evolution] EWS NTLM auth not working

2018-02-18 Thread j2ev
Hello David,

in my understanding, the process with libsoup and ntlm_auth when using
NTLM auth is:

- libsoup checks if ntlm_auth binary is present in the system
- if ntlm_auth is present, it is called with parameters
  "--helper-protocol ntlmssp-client-1 --use-cached-creds --username (--domain)"
- if cached credentials are not available, SSO fails, libsoup computes
  the NTLM responses itself

Kerberos auth works fine, but the problem is that tickets expire and
when I am not at work, I have to connect to VPN to renew them.

Anyway, I made some more progress also. I tried to make an
implementation of NTLMv2 in libsoup and was able to successfully
authenticate against our "Send NTLMv2 response only. Refuse LM & NTLM"
enabled server (domain). So it seems I was right, that libsoup actually
does not support NTLMv2, just NTLM2 Session Response.
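
Added example (not from any poster in this thread and not libsoup code): to check which response type a client actually sends, this Python function decodes the token of an `Authorization: NTLM` header and classifies a Type 3 message as NTLMv1, NTLM2 Session Response or NTLMv2 from the field layout in MS-NLMP. The function names are this example's own and the sample tokens are constructed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
EXTENDED_SESSIONSECURITY = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY


def _field(msg, pos):
    """Return the bytes of the (len, maxlen, offset) security buffer at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def classify_authorization(header_value):
    """Classify the token of an 'Authorization: NTLM <base64>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type == 1:
        return "Type 1 (negotiate)"
    if msg_type != 3 or len(msg) < 64:
        raise ValueError("not a complete Type 3 (authenticate) message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    (flags,) = struct.unpack_from("<I", msg, 60)
    if len(nt) > 24:
        # NTLMv2: 16-byte HMAC-MD5 proof followed by a variable-length blob.
        return "NTLMv2"
    if len(nt) == 24:
        # NTLM2 Session Response: LM field is an 8-byte client nonce plus
        # 16 zero bytes, and extended session security is negotiated.
        if len(lm) == 24 and lm[8:] == bytes(16) and flags & EXTENDED_SESSIONSECURITY:
            return "NTLM2 Session Response"
        return "NTLMv1"
    return "unrecognised NT response length"


def build_type3(lm, nt, flags):
    """Build a constructed Type 3 message (empty names) for the samples below."""
    fields, payload, offset = b"", b"", 64
    for buf in (lm, nt, b"", b"", b"", b""):  # LM, NT, domain, user, host, key
        fields += struct.pack("<HHI", len(buf), len(buf), offset)
        payload += buf
        offset += len(buf)
    msg = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


# Constructed samples, not captured from the server in this thread.
SAMPLE_NTLMV1 = build_type3(bytes(range(1, 25)), b"\x22" * 24, 0)
SAMPLE_NTLM2_SESSION = build_type3(b"\x11" * 8 + bytes(16), b"\x22" * 24,
                                   EXTENDED_SESSIONSECURITY)
SAMPLE_NTLMV2 = build_type3(b"\x44" * 24, b"\x33" * 16 + b"\x01\x01" + bytes(26),
                            EXTENDED_SESSIONSECURITY)

if __name__ == "__main__":
    for sample in (SAMPLE_NTLMV1, SAMPLE_NTLM2_SESSION, SAMPLE_NTLMV2):
        print(classify_authorization(sample))
```

A server set to "Send NTLMv2 response only. Refuse LM & NTLM" accepts only the last of the three Type 3 classes.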


Re: [Evolution] EWS NTLM auth not working

2018-02-15 Thread David Woodhouse
On Tue, 2018-02-06 at 22:06 +0100, j...@centrum.cz wrote:
> Hello,
>  
> I spent a little more time investigating the issue. I took a look in
> to the source code of libsoup and I think it calls winbind's
> ntlm_auth binary without password with the --use-cached-creds option
> only. And if that does not work, it makes some own computations. I am
> no programmer, so I might be wrong. Nevertheless, I tried to join the
> domain and login with pam_winbind to be able to use the cached
> credentials. I tried to call ntlm_auth manually and it worked and so
> did login in Evolution. I think that libsoup itself might not
> actually support NTLMv2, maybe just NTLM2, or the implementation is
> broken. Anyway, I post it for information. If there would be anyone
> willing to take a look on this, I would appreciate. Using Thunderbird
> with EWS plugin for calendars is rather difficult.

Can you clarify please?

If you use ntlm_auth for single-sign-on, it works?
If you use Kerberos (which you should), it works?

The only case that doesn't work is when you *don't* use ntlm_auth
(because you've moved it out of the way or because winbindd does have
creds), and libsoup attempts to do the authentication for itself using
a password that you provide manually?

I'd like to see the NTLM exchanges in both working and failing cases,
please.



Re: [Evolution] EWS NTLM auth not working

2018-02-06 Thread j2ev

Unfortunately not, because the server allows NTLM and Kerberos only.
__

From: MayDay Computers <maydaycomput...@gmail.com>
To: 
Date: 06.02.2018 22:22

Subject: Re: [Evolution] EWS NTLM auth not working

CC: <evolution-list@gnome.org>

Does "Basic" auth not work for you?  I have the same issues with NTLM,
but Basic auth works.


Travis Walden
maydaycomput...@gmail.com


On Tue, Feb 6, 2018 at 4:06 PM,  <j...@centrum.cz> wrote:
> Hello,
>
>
>
> I spent a little more time investigating the issue. I took a look in to the
> source code of libsoup and I think it calls winbind's ntlm_auth binary
> without password with the --use-cached-creds option only. And if that does
> not work, it makes some own computations. I am no programmer, so I might be
> wrong. Nevertheless, I tried to join the domain and login with pam_winbind
> to be able to use the cached credentials. I tried to call ntlm_auth manually
> and it worked and so did login in Evolution. I think that libsoup itself
> might not actually support NTLMv2, maybe just NTLM2, or the implementation
> is broken. Anyway, I post it for information. If there would be anyone
> willing to take a look on this, I would appreciate. Using Thunderbird with
> EWS plugin for calendars is rather difficult.
>
>
>
> Regards
>
> j2ev
>
>
>
> __
>> From: <j...@centrum.cz>
>> To: <evolution-list@gnome.org>
>> Date: 21.10.2017 16:47
>> Subject: Re: [Evolution] EWS NTLM auth not working
>>
>
> Hello,
>
>
>
> in case some other desperate soul crosses over this topic, I still wasn't
> able to resolve this issue. It just looks Evolution / libsoup / ntlm_auth is
> not for some reason sending NTLMv2, but just NTLMv1. I asked in libsoup
> mailing list as well, but it is rather dead or had no luck.
>
>
>
> j2ev
>
>
>
>
>
> __
>> From: <j...@centrum.cz>
>> To: <evolution-list@gnome.org>
>> Date: 03.07.2017 19:22
>> Subject: Re: [Evolution] EWS NTLM auth not working
>>
>
> Hi Milan,
>
>
>
> thanks for your input. Yes, I do have ntlm_auth binary. But I've already
> tried to rename it, even purge winbind from the system, which provides it.
> The behavior was still the same. Well, I will try libsoup list then.
>
>
>
> Thanks
>
>
>
>
>
>>  Hi,
>> does your system contain
>>    /usr/bin/ntlm_auth
>> binary, please? libsoup uses it when it's available, otherwise it does
>> some NTLM computation on its own. I would try to either move it away
>> (rename it is enough) or install it, depending on the current system
>> state, whether it'll change anything.
>>
>> Otherwise this is a question on libsoup, eventually the Samba folks
>> (whom provide that ntlm_auth binary).
>>         Bye,
>>         Milan
>
>


Re: [Evolution] EWS NTLM auth not working

2018-02-06 Thread MayDay Computers
Does "Basic" auth not work for you?  I have the same issues with NTLM,
but Basic auth works.


 Travis Walden
 maydaycomput...@gmail.com


On Tue, Feb 6, 2018 at 4:06 PM,  <j...@centrum.cz> wrote:
> Hello,
>
>
>
> I spent a little more time investigating the issue. I took a look in to the
> source code of libsoup and I think it calls winbind's ntlm_auth binary
> without password with the --use-cached-creds option only. And if that does
> not work, it makes some own computations. I am no programmer, so I might be
> wrong. Nevertheless, I tried to join the domain and login with pam_winbind
> to be able to use the cached credentials. I tried to call ntlm_auth manually
> and it worked and so did login in Evolution. I think that libsoup itself
> might not actually support NTLMv2, maybe just NTLM2, or the implementation
> is broken. Anyway, I post it for information. If there would be anyone
> willing to take a look on this, I would appreciate. Using Thunderbird with
> EWS plugin for calendars is rather difficult.
>
>
>
> Regards
>
> j2ev
>
>
>
> __
>> From: <j...@centrum.cz>
>> To: <evolution-list@gnome.org>
>> Date: 21.10.2017 16:47
>> Subject: Re: [Evolution] EWS NTLM auth not working
>>
>
> Hello,
>
>
>
> in case some other desperate soul crosses over this topic, I still wasn't
> able to resolve this issue. It just looks Evolution / libsoup / ntlm_auth is
> not for some reason sending NTLMv2, but just NTLMv1. I asked in libsoup
> mailing list as well, but it is rather dead or had no luck.
>
>
>
> j2ev
>
>
>
>
>
> ______
>> From: <j...@centrum.cz>
>> To: <evolution-list@gnome.org>
>> Date: 03.07.2017 19:22
>> Subject: Re: [Evolution] EWS NTLM auth not working
>>
>
> Hi Milan,
>
>
>
> thanks for your input. Yes, I do have ntlm_auth binary. But I've already
> tried to rename it, even purge winbind from the system, which provides it.
> The behavior was still the same. Well, I will try libsoup list then.
>
>
>
> Thanks
>
>
>
>
>
>>  Hi,
>> does your system contain
>>    /usr/bin/ntlm_auth
>> binary, please? libsoup uses it when it's available, otherwise it does
>> some NTLM computation on its own. I would try to either move it away
>> (rename it is enough) or install it, depending on the current system
>> state, whether it'll change anything.
>>
>> Otherwise this is a question on libsoup, eventually the Samba folks
>> (whom provide that ntlm_auth binary).
>> Bye,
>> Milan
>
>


Re: [Evolution] EWS NTLM auth not working

2018-02-06 Thread j2ev

Hello,
 
I spent a little more time investigating the issue. I took a look in to the 
source code of libsoup and I think it calls winbind's ntlm_auth binary without 
password with the --use-cached-creds option only. And if that does not work, it 
makes some own computations. I am no programmer, so I might be wrong. 
Nevertheless, I tried to join the domain and login with pam_winbind to be able 
to use the cached credentials. I tried to call ntlm_auth manually and it worked 
and so did login in Evolution. I think that libsoup itself might not actually 
support NTLMv2, maybe just NTLM2, or the implementation is broken. Anyway, I 
post it for information. If there would be anyone willing to take a look on 
this, I would appreciate. Using Thunderbird with EWS plugin for calendars is 
rather difficult.
 
Regards
j2ev
 
__

From: <j...@centrum.cz>
To: <evolution-list@gnome.org>
Date: 21.10.2017 16:47
Subject: Re: [Evolution] EWS NTLM auth not working


Hello,
 
in case some other desperate soul crosses over this topic, I still wasn't able 
to resolve this issue. It just looks Evolution / libsoup / ntlm_auth is not for 
some reason sending NTLMv2, but just NTLMv1. I asked in libsoup mailing list as 
well, but it is rather dead or had no luck.
 
j2ev
 
 
__
> From: <j...@centrum.cz>
> To: <evolution-list@gnome.org>
> Date: 03.07.2017 19:22
> Subject: Re: [Evolution] EWS NTLM auth not working
>
Hi Milan,
 
thanks for your input. Yes, I do have ntlm_auth binary. But I've already tried 
to rename it, even purge winbind from the system, which provides it. The 
behavior was still the same. Well, I will try libsoup list then.
 
Thanks
 
 

> Hi,
> does your system contain
>    /usr/bin/ntlm_auth
> binary, please? libsoup uses it when it's available, otherwise it does
> some NTLM computation on its own. I would try to either move it away
> (rename it is enough) or install it, depending on the current system
> state, whether it'll change anything.
>
> Otherwise this is a question on libsoup, eventually the Samba folks
> (whom provide that ntlm_auth binary).
> Bye,
> Milan


Re: [Evolution] EWS NTLM auth not working

2017-10-22 Thread j2ev

Hello,
 
in case some other desperate soul crosses over this topic, I still wasn't able 
to resolve this issue. It just looks Evolution / libsoup / ntlm_auth is not for 
some reason sending NTLMv2, but just NTLMv1. I asked in libsoup mailing list as 
well, but it is rather dead or had no luck.
 
j2ev
 
 
__

From: <j...@centrum.cz>
To: <evolution-list@gnome.org>
Date: 03.07.2017 19:22
Subject: Re: [Evolution] EWS NTLM auth not working


Hi Milan,
 
thanks for your input. Yes, I do have ntlm_auth binary. But I've already tried 
to rename it, even purge winbind from the system, which provides it. The 
behavior was still the same. Well, I will try libsoup list then.
 
Thanks
 
 

> Hi,
> does your system contain
>    /usr/bin/ntlm_auth
> binary, please? libsoup uses it when it's available, otherwise it does
> some NTLM computation on its own. I would try to either move it away
> (rename it is enough) or install it, depending on the current system
> state, whether it'll change anything.
>
> Otherwise this is a question on libsoup, eventually the Samba folks
> (whom provide that ntlm_auth binary).
> Bye,
> Milan


Re: [Evolution] EWS NTLM auth not working

2017-07-04 Thread j2ev

Hi Milan,
 
thanks for your input. Yes, I do have ntlm_auth binary. But I've already tried 
to rename it, even purge winbind from the system, which provides it. The 
behavior was still the same. Well, I will try libsoup list then.
 
Thanks
 
 

> Hi,
> does your system contain
>    /usr/bin/ntlm_auth
> binary, please? libsoup uses it when it's available, otherwise it does
> some NTLM computation on its own. I would try to either move it away
> (rename it is enough) or install it, depending on the current system
> state, whether it'll change anything.
>
> Otherwise this is a question on libsoup, eventually the Samba folks
> (whom provide that ntlm_auth binary).
> Bye,
> Milan


Re: [Evolution] EWS NTLM auth not working

2017-07-03 Thread Milan Crha
On Sun, 2017-07-02 at 14:40 +0200, j...@centrum.cz wrote:
> ever since we forced the use of NTLMv2 in our domain, NTLM auth in
> Evolution EWS fails. I am able to successfully authenticate through
> browser and even curl with use of NTLM against the webservice.
> Kerberos auth works also. Could anybody give me a hint, please?

Hi,
does your system contain
   /usr/bin/ntlm_auth
binary, please? libsoup uses it when it's available, otherwise it does
some NTLM computation on its own. I would try to either move it away
(rename it is enough) or install it, depending on the current system
state, whether it'll change anything.

Otherwise this is a question on libsoup, eventually the Samba folks
(whom provide that ntlm_auth binary).
Bye,
Milan


[Evolution] EWS NTLM auth not working

2017-07-03 Thread j2ev
Hello,
 
ever since we forced the use of NTLMv2 in our domain, NTLM auth in Evolution 
EWS fails. I am able to successfully authenticate through browser and even curl 
with use of NTLM against the webservice. Kerberos auth works also. Could anybody 
give me a hint, please?
 
evolution 3.22.6-1 amd64
libsoup2.4-1 2.56.0-2 amd64
 
 
EWS_DEBUG=2 evolution

(evolution:5512): Gtk-WARNING **: Failed to register client: 
GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: Method "RegisterClient" 
with signature "ss" on interface "org.xfce.Session.Manager" doesn't exist

> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug-Timestamp: 1498993712
> Soup-Debug: SoupSessionAsync 1 (0x5644342e3c40), ESoapMessage 1 
> (0x564434fdaa90), SoupSocket 1 (0x7f6e8c0036c0)
> Host: exchange.company.com
> User-Agent: Evolution/3.22.6
> Connection: Keep-Alive
> Content-Type: text/xml; charset=utf-8
> Authorization: NTLM <56 chars>
> 
> 
> http://schemas.xmlsoap.org/soap/envelope/; 
> xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;>  xmlns:types="http://schemas.microsoft.com/exchange/services/2006/types; 
> Version="Exchange2007_SP1"/> xmlns:messages="http://schemas.microsoft.com/exchange/services/2006/messages;>  
> xmlns="http://schemas.microsoft.com/exchange/services/2006/types;>AllProperties
  
< HTTP/1.1 401 Unauthorized
< Soup-Debug-Timestamp: 1498993712
< Soup-Debug: ESoapMessage 1 (0x564434fdaa90)
< Server: Microsoft-IIS/8.5
< request-id: 36559bae-06bd-400f-992f-79f7a199e145
< Set-Cookie: ClientId=RUOD0ONYYBAOFBTG; expires=Mon, 02-Jul-2018 11:08:32 GMT; 
path=/; HttpOnly
< WWW-Authenticate: NTLM <256 chars>
< WWW-Authenticate: Negotiate
< X-Powered-By: ASP.NET
< X-FEServer: EXCHANGE
< Date: Sun, 02 Jul 2017 11:08:32 GMT
< Content-Length: 0
  
> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug-Timestamp: 1498993713
> Soup-Debug: SoupSessionAsync 1 (0x5644342e3d60), ESoapMessage 1 
> (0x564434fdac20), SoupSocket 1 (0x7f6ef4003460)
> Host: exchange.company.com
> User-Agent: Evolution/3.22.6
> Connection: Keep-Alive
> Content-Type: text/xml; charset=utf-8
> Authorization: NTLM <56 chars>
> 
> 
> http://schemas.xmlsoap.org/soap/envelope/; 
> xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;>  xmlns:types="http://schemas.microsoft.com/exchange/services/2006/types; 
> Version="Exchange2007_SP1"/> xmlns:messages="http://schemas.microsoft.com/exchange/services/2006/messages;>  
> xmlns="http://schemas.microsoft.com/exchange/services/2006/types;>AllProperties
  
< HTTP/1.1 401 Unauthorized
< Soup-Debug-Timestamp: 1498993713
< Soup-Debug: ESoapMessage 1 (0x564434fdac20)
< Server: Microsoft-IIS/8.5
< request-id: a1289cd0-549d-4a2e-9f41-6523e50b4fd5
< Set-Cookie: ClientId=WTDUZJXO0GDCOUSIGG; expires=Mon, 02-Jul-2018 11:08:32 
GMT; path=/; HttpOnly
< WWW-Authenticate: NTLM <256 chars>
< WWW-Authenticate: Negotiate
< X-Powered-By: ASP.NET
< X-FEServer: EXCHANGE
< Date: Sun, 02 Jul 2017 11:08:32 GMT
< Content-Length: 0
  
> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug-Timestamp: 1498993713
> Soup-Debug: SoupSessionAsync 1 (0x5644342e3d60), ESoapMessage 1 
> (0x564434fdac20), SoupSocket 1 (0x7f6ef4003460), restarted
> Host: exchange.company.com
> User-Agent: Evolution/3.22.6
> Connection: Keep-Alive
> Content-Type: text/xml; charset=utf-8
> Content-Length: 792
> Authorization: NTLM <56 chars>
> 
> 
> http://schemas.xmlsoap.org/soap/envelope/; 
> xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;>  xmlns:types="http://schemas.microsoft.com/exchange/services/2006/types; 
> Version="Exchange2007_SP1"/> xmlns:messages="http://schemas.microsoft.com/exchange/services/2006/messages;>  
> xmlns="http://schemas.microsoft.com/exchange/services/2006/types;>AllProperties
  
< HTTP/1.1 401 Unauthorized
< Soup-Debug-Timestamp: 1498993713
< Soup-Debug: ESoapMessage 1 (0x564434fdac20)
< Server: Microsoft-IIS/8.5
< request-id: 66f88679-8c59-42d5-b1d7-277b8aca79aa
< WWW-Authenticate: NTLM <256 chars>
< WWW-Authenticate: Negotiate
< X-Powered-By: ASP.NET
< X-FEServer: EXCHANGE
< Date: Sun, 02 Jul 2017 11:08:32 GMT
< Content-Length: 0
  
> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug-Timestamp: 1498993713
> Soup-Debug: SoupSessionAsync 1 (0x5644342e3d60), ESoapMessage 1 
> (0x564434fdac20), SoupSocket 1 (0x7f6ef4003460), restarted
> Host: exchange.company.com
> User-Agent: Evolution/3.22.6
> Connection: Keep-Alive
> Content-Type: text/xml; charset=utf-8
> Content-Length: 792
> Cookie: ClientId=WTDUZJXO0GDCOUSIGG
> Authorization: NTLM <176 chars>
> 
> 
> http://schemas.xmlsoap.org/soap/envelope/; 
> xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; 
> xmlns:xsd="http://www.w3.org/2001/XMLSchema; 
>