[Dovecot] Concerned about Dovecot's new NTLM code

Andrew Bartlett abartlet at samba.org
Sun Sep 26 02:14:50 EEST 2004


I'm pleased to see another project increasing compatibility with windows
clients, by the addition of NTLM login support, but I'm a bit worried
about a few implementation details, and hope to offer an alternate
approach.

I mean no disrespect to those who have implemented the code so far,
but I feel that the idea of 'everybody re-implement NTLM' is prone to
failure.

Firstly, to bugs I've noticed by casual inspection of your
implementation:

 - Unicode support is by 'null padding' - there is no real support for
non-ascii characters.
 - NTLM2 (a negotiated scheme to avoid sending the LM response) is
unsupported
 - NTLMSSP is NDR, not 'C struct pushed to the wire', it needs to be
correctly marshaled and unmarshaled.

There are other missing features, some of which are rumoured to become
mandatory flags in future, but more importantly, because the
implementation is standalone, it has no ability to integrate into an
NT/Win2k/Samba domain.

As part of the Samba team, I have worked with other projects - Squid in
particular, to deliver server-side (and client-side) NTLMSSP
authentication, without the need to re-implement the NTLMSSP protocol.  

This is done by a callout to 'ntlm_auth', a Samba 3.0 utility designed
for this purpose, which in turn can contact domain controllers, allowing
for seamless single sign on.

http://samba.org/samba/docs/man/ntlm_auth.1.html

I have recently completed reworking mod_ntlm_winbind for a similar
purpose, and have patches for cyrus-sasl in my 'lorikeet' subversion
repository.  These should serve as good examples for the simple
fork()/exec() model that is used, and also show the support for
GSS-SPNEGO (aka HTTP Negotiate) that ntlm_auth also provides.

http://download.samba.org/ftp/unpacked/lorikeet/trunk/

My hope is that I can tempt a Dovecot developer to take on the challenge
of modifying Dovecot to use ntlm_auth, and am most willing to answer
any questions (here, by private mail or on the samba-technical list)
that you may have on the issue.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
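The fork()/exec() callout the message describes, as an added illustration that is not Dovecot, Samba or the author's own code: a server-side session that spawns ntlm_auth in its Squid helper mode and relays the client's NTLMSSP tokens through it, so the server never parses NTLMSSP itself. It assumes ntlm_auth is on PATH and that the helper protocol is the documented squid-2.5-ntlmssp one (YR/KK requests, TT/AF/NA/BH replies); the class and function names are the example's own.

```python
import base64
import subprocess

# Assumption: ntlm_auth is installed and its helper protocol matches the
# ntlm_auth(1) description (YR = negotiate in, TT = challenge out,
# KK = authenticate in, AF = success, NA = failure, BH = helper broken).
HELPER_CMD = ["ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"]


def parse_helper_reply(line):
    """Split one helper reply line into (code, payload).

    TT carries a base64 CHALLENGE token to relay to the client, AF carries
    the authenticated user name, NA and BH carry a reason. Any other code
    is treated as a protocol error rather than silently accepted."""
    code, _, payload = line.rstrip("\r\n").partition(" ")
    if code not in ("TT", "AF", "NA", "BH"):
        raise ValueError("unexpected helper reply: %r" % line)
    return code, payload


class NtlmAuthSession:
    """One ntlm_auth child per authentication exchange (fork/exec model)."""

    def __init__(self, cmd=HELPER_CMD):
        self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def _roundtrip(self, tag, token):
        # Tokens cross the pipe base64-encoded, one request per line.
        self.proc.stdin.write("%s %s\n" % (tag, base64.b64encode(token).decode("ascii")))
        self.proc.stdin.flush()
        return parse_helper_reply(self.proc.stdout.readline())

    def challenge(self, type1_token):
        """Relay the client's NEGOTIATE token; return the raw CHALLENGE token."""
        code, payload = self._roundtrip("YR", type1_token)
        if code != "TT":
            raise RuntimeError("helper refused negotiate: %s %s" % (code, payload))
        return base64.b64decode(payload)

    def authenticate(self, type3_token):
        """Relay the client's AUTHENTICATE token; return (ok, user_or_reason)."""
        code, payload = self._roundtrip("KK", type3_token)
        return code == "AF", payload

    def close(self):
        self.proc.stdin.close()
        self.proc.wait()
```

Because ntlm_auth (via winbind) talks to the domain controller, the same session works unchanged whether the account is local or in an NT/Samba domain.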